How Does Your Organization Rate on Mobile Security Policy Enforcement?

Untitled Document

Keeping Corporate Secrets

Of the hundreds of privacy breaches reported by the Privacy Rights Clearinghouse since 2005, over 60 percent were endpoint mobility losses. Still, recent research shows that nearly half of organizations have no security policies or solutions in place regarding the use and protection of data outside the organization.

Mobile devices such as laptops, personal digital assistants, smart phones, and USB flash drives are rapidly increasing in capability while also declining in price. The proliferation of small and inexpensive mass storage devices and their potential for data loss has been under the radar of most organizations until now. The prevalence of these devices in the enterprise has led to significant support issues and security risks. Additionally, the use of mobile devices can introduce viruses or worms such as the recently discovered W32/SillyFD-AA program, or “Silly worm”, which automatically spreads itself via a USB storage device connected to an infected PC, and then passes itself along to subsequent machines into which the USB drive is inserted.

Whether accidental or through malice, more than 100 million personal data records have been compromised in the past two years, at an estimated cost of $16 billion in extra paperwork, lost productivity and lost customers. The loss of sensitive data can have a devastating impact on a company’s bottom line and its reputation. Additionally, because of the individual responsibility associated with protecting data, IT professionals can also preserve their own careers by implementing and enforcing sound mobile security policies.

How does your company rate when it comes to mobile security? In this article, we will examine policies and best practices that companies are employing to protect and control access to sensitive data found on mobile devices.

The Mobile Threat

Many organizations are realizing the need to constrain or control the use of employee-owned mobile devices for work activity. While companies can benefit from the increased productivity and employee satisfaction these devices provide, they also bring with them some loss of control over corporate data flows. How can organizations reap the business benefit of mobility without the loss of control?

Due to the nature of these mobile devices, they are more prone to loss and theft and often operate outside the network perimeter, making them highly vulnerable to attack. In the last few years USB flash drives (UFDs), have evolved from a novelty to a key component of modern workflow. Unfortunately, they are also the best way to steal or lose a lot of information quickly. In light of regulation and compliance issues, organizations must actively manage the associated information risk.

According to a recent Ponemon Institute survey, 52% of companies acknowledge that confidential data resides on flash drives. At the same time, 53% of these companies would have no way of knowing if they lost these drives. Laptops on the other hand are typically tracked and managed so their loss is noticed immediately.

The following questions will help you evaluate the USB storage security currently in place within your company:

  • Does your company allow workers to use mobile devices?
  • Does your company’s security policy cover USB flash drives?
  • Does IT control the USB ports on your company’s workstations?
  • Does IT control drive access outside the network or on untrusted PCs?
  • Does your company encrypt files on portable media such as USB flash drives?
  • Do your employees store confidential information on USB flash drives?
  • Do you have a policy for reporting lost USB drives?

Protecting Corporate Data: A Personal Responsibility

While your organization may have security policies, are they clearly communicated? Are they posted in a public area? Does the staff know where to locate written policies? Are the policies kept current? Do employees understand what is expected of them and why?

Communicating the content of the information security policies, explaining what vulnerabilities are being addressed within them and what employees can do to prevent a security breach from happening is the role of security awareness. An awareness program should begin with an effort that can be deployed and implemented in various ways and is aimed at all levels of the organization including senior and executive managers to help all employees realize their personal responsibility to protect systems and data.

In 2005 the Federal Financial Institution Examination Council (FFIEC) issued guidance stating that organizations must address education and awareness as part of the overall risk management strategy particularly for multi-factor authentication and should address topics such as phishing, account hijacking, safe Internet use practices and spyware. People need to understand the risks and clearly realize that as individuals they are part of the solution, not just part of the problem. Another effective way to do this is by reinforcing security awareness by notifying users immediately as they are violating policies.

Enforcing Mobile Security

How can companies ensure that security policies will travel with workers wherever they go? How can they enforce privacy and security even on public PC’s where hackers wait at the ready to steal data, or log keystrokes to glean private information?

Centralized management of these devices further enables organizations to enforce security policies remotely, including the ability to lock a mobile device after a number of incorrect attempts to guess a password, or destroy data when a device is reported lost or stolen.

According to a recent Forrester Research survey, only 9 percent of companies have deployed mobile management tools, while another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months.

Balancing Productivity and Protection

Mobile devices provide a positive productivity enhancement, but without proper management and security controls, they can also expose organizations to security breaches and compliance issues. Research indicates that fewer than 10 percent of companies have a formal mobile security policy in place.

Organizations must develop security policies appropriate for the type of device and the information it contains (ie. public, confidential, restricted, controlled), and provide a program that will foster policy compliance without needlessly constraining personal productivity. Once a matrix of controls and information types is identified, organizations must then evaluate the vulnerabilities and the native security controls of mobile devices. It is important to establish policies that are enforceable, concise and easy to understand, and should balance productivity with data protection. The policy should define why the policy is needed, its scope, contacts and responsibilities and how violations will be handled.

At a minimum, policy should stipulate strong passwords for mobile devices. Two-factor authentication or third-party password management tools might be necessary as well. Regular backups, synchronization and desktop antiviruses might also mitigate risk. Encryption should be mandatory for any device that carries mission critical data.

The Future of Mobile Security

IDC predicts that the number of mobile workers globally will reach more than 878 million by 2009. As the need for remote access to enterprise information grows, and the threats against these networks increase, organizations must implement economical solutions to enforce mobile security and improve productivity from anywhere in the world.

Mobile security programs should include defined policies for remote access, including acceptable network connection methods and authentication policies - who is allowed what type of access, and to what specific data. One way to extend secure authentication beyond passwords is to implement some form of two-factor authentication, and one-time passwords such as SecurID tokens from RSA.

How does your company rate?

Careers, corporate reputation, and your bottom line are at stake.

When implementing policies for mobile data security, it is important to evaluate your specific situation, and put in place the correct balance of flexibility and firmness for ongoing enforcement.

About the Author

John Jefferies currently services as vice president of marketing for IronKey and has over a decade of security marketing experience. Prior to joining IronKey he served as senior vice president of marketing at RedCannon. Previously, he was with Teros, where he drove marketing for the leader in Web application firewalls until it was acquired by Citrix. Prior to Teros he was VP of Marketing at Silicon Defense where he raised the visibility of the worm threat and defined the worm defense space. He has launched and managed major network security and Internet products for both start-up and Fortune 500 organizations, including (acquired by ValiCert), Pario Software (acquired by Lucent), Dascom (acquired by IBM) and Hewlett Packard. Jefferies obtained his MBA from the Ivy School of Business in London, Ontario and his BA in Business from Michigan State University.

More by John Jefferies