I've written many times about how the mobile office increases security risks, particularly via the devices that enable us to work from home or coffee shops or hotel rooms.
ISACA, a leading global association for enterprise governance of IT, also sees the risks involved with mobile devices. The organization recently published a white paper, Securing Mobile Devices. I spoke with Mark Lobel, principal, PricewaterhouseCoopers, and ISACA white paper project development team member, about the top five risks for mobile devices and the best ways to secure them. He told me this to start:
The definition of mobile devices is any end point, not just smartphones or laptops or USB. Everybody tends to think of mobile devices as smartphones, but we carry data in multiple ways. And they create different challenges than traditional enterprise computing, where everything is centralized and better protected. It's very hard to drop a mainframe, but it is easy for a device sitting in your back pocket to be destroyed or lost.
Risk Number 1: Enterprises often don't know where data and other business information are.
Security Solution: Have a centralized way of managing data. Keep a data inventory and have a network access control solution so CIOs and CSOs know exactly who has the data, where it is, and where it is going. Lobel said that knowing where the data is also makes it easier to protect it from zero-day threats.
Risk Number 2: Mobile device security is usually neglected. As Lobel said, mobile device security is rarely at the center of enterprise security programs and receives inconsistent attention.
Security Solution: Devices should be encrypted and authenticated. The best way to reduce risk is to decide what information is allowed on the device and, if it shouldn't be there, block it.
Risk Number 3: Lack of education, so that employees may not know the risks involved in having sensitive data on their devices.
Security Solution: Provide user education for employees that explains which devices are authorized, which are not, and what the risks are if an unsecured device is used. Lobel said it is important to set the standard and apply it to how the business uses data.
Risk Number 4: Putting intellectual property in employees' hands. It is an act of trust to give sensitive information to employees, and not all employees will honor that trust.
Security Solution: If something is truly sensitive, it should be well monitored and controlled. Access should be given only to those employees who need it, and only when they need it. How the devices are tracked should be monitored, and data transfers should be restricted.
Risk Number 5: Lack of a governance framework.
Security Solution: Implement a security policy that covers risk assessment and threat management across the entire device lifecycle, from installation to retirement.