Advanced mobile devices--iPhone, BlackBerry and other handhelds--have created a growing wireless mobility environment for business, personal communication and entertainment. However, their growing use has also led to a faster increase in the depth and breadth of mobile security threats.
Using a mobile device to access corporate information systems can create a hole in corporate security if the device is not protected and used properly. According to a recent report from CSI, mobile devices account for nearly half of all sources of theft or loss of corporate proprietary and customer information. Data breaches, including device loss, theft, misuse, unauthorized access to the corporate network and data disclosure, are real to nearly every organization of virtually any size, from the big multinational corporation to the small to medium business.
While organizations enjoy many advantages in productivity, efficiency and flexibility, their current security efforts may lag behind the exposures and risks. Organizations are either not fully aware of the security issues they face or simply treat these issues as solely an IT task. Very likely, such issues prompt IT managers to look into a number of technologies or software tools, such as firewalls, antivirus software and file encryption. Not surprisingly, this often leads to an insufficient or failed effort. Merely focusing on technologies cannot overcome the organization's weaknesses in employees' behavior or the inherent gaps in policy and management processes.
Rapid development of mobile technologies and applications has increasingly changed the way organizations do business, as well as their risk management environment. Effectively minimizing an organization's security risks requires a corporate-wide effort in security strategy, policy development, employee training and revised IT infrastructure. Here are five steps to achieve effective mobile security governance:
Knowing Your Mobile Environment Risks
Using mobile devices to get a job done anywhere, on the move, is a great benefit to many organizations. But the reality is that organizations at the same time face a variety of unprecedented exposures and risks. These risks result from potential exploitation of weaknesses in technology, the organization and its employees. Each year, millions of mobile devices are lost, stolen or discarded with personal information still in device memory. Loss of a mobile device that contains personal identity and network access credentials opens an organization to unauthorized network access and intrusion. Mobile disclosure of confidential business information and personal records puts an organization at high legal and regulatory compliance risk.
To develop an effective mobile security strategy, it is essential to understand an organization's mobile security risk profile. The fundamental questions include:
* What are the corporate mobile data assets that require protection?
* What corporate data systems are accessed by mobile employees, and how and where?
* How are mobile devices being used, protected and managed?
* Do employees know the procedures for responding to an incident?
To fully determine an organization's mobile security posture, a comprehensive security assessment against the organization's specific business environment is needed.