Anti-virus, encryption and remote tracking can cut the risk of data breaches
Q: Why should CIOs take mobile security seriously?
A: Mobile security is a necessity. While increased mobility means more business benefits, such as improved productivity, there is increased risk to the organisation. The regulatory landscape is shifting as legislative bodies attempt to address the risks of mobility. For example, in January the European Union unveiled a draft European Data Protection Regulation that will supersede the current Data Protection Directive. This latest EU security directive could see companies fined up to 2 per cent of global turnover for the most serious breaches. This means outside entities are now forcing IT organisations to take mobile security seriously – or else face significant financial and reputational repercussions.
Q: Why are mobile devices so risky?
A: The increased risk is a direct result of the mobile nature of these devices and that there is reliance on the owner of the device. The risk is magnified as employees treat their company-issued mobile device as a personal device, or they use their own device to connect to the corporate network. This leads to a growing accountability divide for IT; they are accountable for the security of data on devices that they do not necessarily have direct responsibility over.
Q: What can organisations do about it?
A: First, understand different employees’ mobility needs and ensure they have the technology necessary to their role. Second, have properly documented policies on mobility so employees know what they’re allowed to do and what security they should have. And third, implement technology that reinforces the security policies, because people don’t always follow procedures and users aren’t always security-minded.
Q: What sort of technology?
A: Of course you need the basics, such as antivirus and encryption. But you also need a way to “touch” the device remotely, so that your IT professionals can track its location and ensure its security software is up to date and properly used. And if the device is lost or stolen you can retrieve any data that wasn’t backed up, wipe confidential information, and even “kill” the device to render it inoperable.
Q: But can you do this on someone’s own personal device?
A: Wiping data from a device the company doesn’t own could be a legal minefield. But I think it’s a concept employees will have to accept if they want to use their own devices for business. It comes down to the balance between an organisation’s right to securely manage corporate data and an employee’s expectation of privacy. The best compromise is to create a “sandbox” in the mobile device where company-controlled business data sits. This leaves the user’s personal data unaffected, but ensures IT has control and visibility.
Stephen Midgley is vice president of global marketing at mobile security specialist Absolute Software