Talk about mobile security around CIOs and IT managers, and three issues will consistently raise heads: network compromise, data loss and regulatory noncompliance. Mention mobile hardware and software's ability to exacerbate these risks, and watch the powder keg light.
According to the 2006 CSI/FBI Computer Crime and Security Survey conducted by the Computer Security Institute and the San Francisco FBI Computer Intrusion Squad, financial losses related to laptops and mobile hardware ranked third among the costliest security snafus.
Losses from laptop or mobile hardware theft alone increased from $19,562 per respondent in 2005 to $30,057 per respondent in 2006, according to the CSI/FBI Survey.
Money lost to mobile threats
So why are mobile security threats so costly? Consider:
- A lost or stolen portable device can provide hackers with multiple means to compromise internal networks and can lead to loss of market share and identity theft.
- Unsecured yet popular wireless hot spots, like those in coffee shops and airports, are some of the weakest links in the security chain connecting mobile devices to corporate networks.
- Data lost via a stolen mobile device can lead to noncompliance with Health Insurance Portability and Accountability Act (HIPAA) privacy laws and other federal regulations.
- Finally, the same data that could violate the Sarbanes-Oxley Act or HIPAA if lost -- company emails and clinical patient documentation, for example -- could also aid attackers in compromising corporate networks, leaving businesses open to multiple threats.
These worries can paralyze an organization.
Unfortunately, incidents of mobile malware attacks and device theft are making headlines in growing numbers and show no signs of slowing down, said Rob Israel, CIO of Phoenix-based John C. Lincoln Health Network.
"The number of ways users can access sensitive corporate data is continuously increasing -- especially with the proliferation of handheld devices," Israel added.
There's even the issue of securing mobile devices' own removable media, such as USB flash drives, which now hold large amounts of data, and even the old floppy disks. In one instance at JCL Health Network, an employee exposed the company to the Slammer virus through a floppy disk, Israel said.
In addition to exposing companies to potential federal sanctions for compliance failure, the loss of medical and other personal data gives hackers the ability to gain further access to corporate networks, putting even more sensitive clinical information at risk, noted Kendall White, executive director of technology services at Carilion Clinic, a leading private, regional health system based in Roanoke, Va.
Passwords and other security policies are critical. "Depending on how these [mobile devices] are set up, lost devices can lead to instant access to the organization," said Natalie Lambert, senior analyst at Forrester Research Inc. in Cambridge, Mass.
Virus attacks, the No. 1 source of financial loss according to the CSI Survey, spread most easily where there is the least resistance; without mobile policies, protections and enforcement, where do you suppose that could be? You guessed it: Mobile devices.
Take action against mobile threats
Here are some key defenses against data loss, network compromise and compliance threats, as suggested by Israel, White, Lambert and others:
- Develop a comprehensive, strategic plan for mobile devices that incorporates security policies and procedures with strict accountability.
- When it comes to security, treat smartphones, laptops, personal digital assistants and other mobile devices no differently than desktop computers. Apply the same security software to them, including antispyware software.
- IT, not employees, should select which mobile devices to use in the enterprise, and the company should own them and maintain central control. This way, IT can easily apply software patches and end-to-end encryption.
- Install acceptable software applications on mobile devices and warn users against adding unauthorized applications on their own.
- Create acceptable usage policies for mobile devices and proactively educate users about them.
- IT should put in place an enforcement technology behind written usage and security policies for mobile devices. In other words, apply technologies that make it impossible (or near impossible) for users or devices to break company policy.
- Audit and monitor mobile device activity among employees to prove security policy compliance. Audits can reveal how effective a written policy is and how soundly employees are adhering to it. Regular audits can also help amass proof of compliance to HIPAA and other regulations.
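The last three recommendations (approved software only, technical enforcement of written policy, and audits that produce evidence of compliance) can be turned into a repeatable check. The script below is an added illustration, not code from the article or from any of the organizations it quotes. It evaluates a constructed device inventory against a hypothetical written policy (storage encryption on, screen-lock passcode enforced, OS patches no older than 30 days, only IT-approved applications installed) and returns per-device findings that an auditor can keep as a record. The device records, the approved-application list and the 30-day patch window are all assumptions made for the example.

```python
"""Mobile device compliance audit (hypothetical example, not the article's code).

Each device record is checked against four policy rules; a device with an
empty findings list is compliant. The report is what an audit would file as
evidence that the written policy is actually being enforced.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Device:
    device_id: str
    owner: str
    encrypted: bool           # full-storage encryption switched on
    passcode_enforced: bool   # screen-lock passcode required by policy
    last_patched: date        # date OS patches were last applied
    installed_apps: list      # application identifiers reported by the device


# Constructed policy values: the set of applications IT has approved and the
# maximum age of OS patches the policy tolerates.
APPROVED_APPS = {"mail", "vpn", "ehr-viewer"}
MAX_PATCH_AGE = timedelta(days=30)


def audit_device(dev, today, approved=APPROVED_APPS, max_patch_age=MAX_PATCH_AGE):
    """Return a list of policy violations for one device (empty if compliant)."""
    findings = []
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if not dev.passcode_enforced:
        findings.append("screen-lock passcode not enforced")
    patch_age = today - dev.last_patched
    if patch_age > max_patch_age:
        findings.append(f"patches {patch_age.days} days old")
    # Anything installed that IT did not approve is an unauthorized application.
    unauthorized = sorted(set(dev.installed_apps) - approved)
    if unauthorized:
        findings.append("unauthorized apps: " + ", ".join(unauthorized))
    return findings


def audit_inventory(devices, today):
    """Map device_id -> findings for every device in the inventory."""
    return {dev.device_id: audit_device(dev, today) for dev in devices}


def compliance_rate(report):
    """Fraction of audited devices with no findings (1.0 when nothing was audited)."""
    if not report:
        return 1.0
    compliant = sum(1 for findings in report.values() if not findings)
    return compliant / len(report)


def report_lines(report, devices):
    """Render the audit report as plain text lines suitable for an audit file."""
    owners = {dev.device_id: dev.owner for dev in devices}
    lines = []
    for device_id, findings in sorted(report.items()):
        status = "COMPLIANT" if not findings else "VIOLATION"
        lines.append(f"{device_id} ({owners[device_id]}): {status}")
        for finding in findings:
            lines.append(f"  - {finding}")
    return lines


# Constructed sample inventory: three devices as a device-management system
# might report them. The audit date is fixed so results are reproducible.
SAMPLE_INVENTORY = [
    Device("lt-001", "a.nurse", True, True, date(2006, 8, 20), ["mail", "vpn"]),
    Device("pda-017", "b.clerk", False, True, date(2006, 8, 25), ["mail", "solitaire"]),
    Device("sp-042", "c.doctor", True, False, date(2006, 6, 1), ["mail"]),
]
AUDIT_DATE = date(2006, 9, 1)


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)
    print("\n".join(report_lines(report, SAMPLE_INVENTORY)))
    print(f"compliance rate: {compliance_rate(report):.0%}")
```

Running the script prints one status line per device followed by its findings and the overall compliance rate; the same functions can be pointed at real inventory data exported from whatever device-management tool the organization uses, and the output kept with the audit records.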
David Geer is a freelance writer with specialties across the technology space.