How Does Your Organization Rate on Mobile Security Policy Enforcement?
By John Jefferies, Vice President of Marketing, IronKey
Keeping Corporate Secrets
Of the hundreds of privacy breaches reported by the Privacy Rights Clearinghouse
since 2005, over 60 percent were endpoint mobility losses. Still, recent research
shows that nearly half of organizations have no security policies or solutions
in place regarding the use and protection of data outside the organization.
Mobile devices such as laptops, personal digital assistants, smart phones,
and USB flash drives are rapidly increasing in capability while also declining
in price. The proliferation of small and inexpensive mass storage devices and
their potential for data loss has been under the radar of most organizations
until now. The prevalence of these devices in the enterprise has led to significant
support issues and security risks. Additionally, the use of mobile devices can
introduce viruses or worms such as the recently discovered W32/SillyFD-AA program,
or Silly worm, which automatically spreads itself via a USB storage
device connected to an infected PC, and then passes itself along to subsequent
machines into which the USB drive is inserted.
Whether accidental or through malice, more than 100 million personal data records
have been compromised in the past two years, at an estimated cost of $16 billion
in extra paperwork, lost productivity and lost customers. The loss of sensitive
data can have a devastating impact on a company's bottom line and its reputation.
Additionally, because of the individual responsibility associated with protecting
data, IT professionals can also preserve their own careers by implementing and
enforcing sound mobile security policies.
How does your company rate when it comes to mobile security? In this article,
we will examine policies and best practices that companies are employing to
protect and control access to sensitive data found on mobile devices.
The Mobile Threat
Many organizations are realizing the need to constrain or control the use of
employee-owned mobile devices for work activity. While companies can benefit
from the increased productivity and employee satisfaction these devices provide,
they also bring with them some loss of control over corporate data flows. How
can organizations reap the business benefit of mobility without the loss of
Due to the nature of these mobile devices, they are more prone to loss and
theft and often operate outside the network perimeter, making them highly vulnerable
to attack. In the last few years USB flash drives (UFDs) have evolved from
a novelty to a key component of modern workflow. Unfortunately, they are also
the best way to steal or lose a lot of information quickly. In light of regulation
and compliance issues, organizations must actively manage the associated information
According to a recent Ponemon Institute survey, 52% of companies acknowledge
that confidential data resides on flash drives. At the same time, 53% of these
companies would have no way of knowing if they lost these drives. Laptops on
the other hand are typically tracked and managed so their loss is noticed immediately.
The following questions will help you evaluate the USB storage security currently
in place within your company:
Does your company allow workers to use mobile devices?
Does your company's security policy cover USB flash drives?
Does IT control the USB ports on your company's workstations?
Does IT control drive access outside the network or on untrusted PCs?
Does your company encrypt files on portable media such as USB flash drives?
Do your employees store confidential information on USB flash drives?
Do you have a policy for reporting lost USB drives?
Protecting Corporate Data: A Personal Responsibility
While your organization may have security policies, are they clearly communicated?
Are they posted in a public area? Does the staff know where to locate written
policies? Are the policies kept current? Do employees understand what is expected
of them and why?
Communicating the content of the information security policies, explaining
what vulnerabilities are being addressed within them and what employees can
do to prevent a security breach from happening is the role of security awareness.
An awareness program should begin with an effort that can be delivered in a
variety of ways and that reaches every level of the organization, including
senior and executive managers, so that all employees recognize their personal
responsibility to protect systems and data.
In 2005 the Federal Financial Institution Examination Council (FFIEC) issued
guidance stating that organizations must address education and awareness as
part of the overall risk management strategy particularly for multi-factor authentication
and should address topics such as phishing, account hijacking, safe Internet
use practices and spyware. People need to understand the risks and clearly realize
that as individuals they are part of the solution, not just part of the problem.
Security awareness is also reinforced effectively by notifying users at the
moment they violate a policy.
Enforcing Mobile Security
How can companies ensure that security policies will travel with workers wherever
they go? How can they enforce privacy and security even on public PCs
where hackers wait at the ready to steal data, or log keystrokes to glean private
Centralized management of these devices further enables organizations to enforce
security policies remotely, including the ability to lock a mobile device after
a number of incorrect attempts to guess a password, or destroy data when a device
is reported lost or stolen.
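The two remote controls described above, a lockout after a set number of wrong password attempts and a kill on a lost-device report, can be modelled as a small state machine. This is an added example, not IronKey's or any vendor's code; the policy values, device names and audit messages are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class DevicePolicy:                  # hypothetical policy pushed from a central console
    min_password_len: int = 10       # "strong passwords" at a minimum
    max_failed_attempts: int = 5     # lock after this many wrong guesses
    require_encryption: bool = True  # mandatory for drives holding sensitive data

@dataclass
class ManagedDevice:
    device_id: str
    policy: DevicePolicy
    password: str
    encrypted: bool
    failed_attempts: int = 0
    state: str = "active"            # active -> locked -> wiped, never back
    audit: list = field(default_factory=list)
    def compliance_gaps(self):
        gaps = []
        if len(self.password) < self.policy.min_password_len:
            gaps.append("password shorter than policy minimum")
        if self.policy.require_encryption and not self.encrypted:
            gaps.append("data at rest not encrypted")
        return gaps
    def unlock(self, attempt):
        # Verify a password; lock the device once the attempt budget is spent.
        if self.state != "active":
            self.audit.append(f"{self.device_id}: unlock refused, device is {self.state}")
            return False
        if hmac.compare_digest(attempt, self.password):  # constant-time compare
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_failed_attempts:
            self.state = "locked"
            self.audit.append(f"{self.device_id}: locked after {self.failed_attempts} failures")
        return False
    def report_lost(self):
        # Remote kill: the console marks the drive wiped; further unlocks are refused.
        self.state = "wiped"
        self.audit.append(f"{self.device_id}: reported lost, data destroyed")

def demo():
    policy = DevicePolicy()
    weak = ManagedDevice("UFD-0001", policy, "pass", encrypted=False)  # constructed sample
    good = ManagedDevice("UFD-0002", policy, "correct-horse-battery", encrypted=True)
    for guess in ["a", "b", "c", "d", "e", "f"]:
        good.unlock(guess)           # sixth guess refused: already locked
    weak.report_lost()
    return weak, good
```

The audit list stands in for the management console's event log, which is what lets an administrator notice a lost drive rather than discover it months later.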
According to a recent Forrester Research survey, only 9 percent of companies
have deployed mobile management tools, while another 20 percent are piloting
or plan to deploy mobile management tools within the next 12 months.
Balancing Productivity and Protection
Mobile devices provide a positive productivity enhancement, but without proper
management and security controls, they can also expose organizations to security
breaches and compliance issues. Research indicates that fewer than 10 percent
of companies have a formal mobile security policy in place.
Organizations must develop security policies appropriate for the type of device
and the information it contains (i.e., public, confidential, restricted, controlled),
and provide a program that will foster policy compliance without needlessly
constraining personal productivity. Once a matrix of controls and information
types is identified, organizations must then evaluate the vulnerabilities and
the native security controls of mobile devices. It is important to establish
policies that are enforceable, concise and easy to understand, and that balance
productivity with data protection. The policy should define why the policy is
needed, its scope, contacts and responsibilities and how violations will be
At a minimum, policy should stipulate strong passwords for mobile devices.
Two-factor authentication or third-party password management tools might be
necessary as well. Regular backups, synchronization and desktop antivirus software
might also mitigate risk. Encryption should be mandatory for any device that
carries mission critical data.
The Future of Mobile Security
IDC predicts that the number of mobile workers globally will reach more than
878 million by 2009. As the need for remote access to enterprise information
grows, and the threats against these networks increase, organizations must implement
economical solutions to enforce mobile security and improve productivity from
anywhere in the world.
Mobile security programs should include defined policies for remote access,
including acceptable network connection methods and authentication policies
- who is allowed what type of access, and to what specific data. One way to
extend secure authentication beyond passwords is to implement some form of two-factor
authentication, such as one-time password tokens like RSA SecurID.
How does your company rate?
Careers, corporate reputation, and your bottom line are at stake.
When implementing policies for mobile data security, it is important to evaluate
your specific situation, and put in place the correct balance of flexibility
and firmness for ongoing enforcement.
About the Author
John Jefferies currently serves as vice president of marketing for IronKey and has over a decade of security marketing experience. Prior to joining IronKey he served as senior vice president of marketing at RedCannon. Previously, he was with Teros, where he drove marketing for the leader in Web application firewalls until it was acquired by Citrix. Prior to Teros he was VP of Marketing at Silicon Defense, where he raised the visibility of the worm threat and defined the worm defense space. He has launched and managed major network security and Internet products for both start-up and Fortune 500 organizations, including Receipt.com (acquired by ValiCert), Pario Software (acquired by Lucent), Dascom (acquired by IBM) and Hewlett Packard. Jefferies obtained his MBA from the Ivey School of Business in London, Ontario and his BA in Business from Michigan State University.