Mobile devices transform the way your organization serves customers and generates business, as well as communicates with your employees and stakeholders. These same devices bring new and increased risks to your organization’s data, competitive advantage/intellectual property, and reputation. Managing these risks requires a holistic approach, which goes beyond just securing the software on a device.
Just how large is the use of mobile devices?
According to a Cisco study, the average number of connected devices per worker will reach 3.3 in 2014, up from 2.8 in 2012 [1]. Gartner predicts that by 2017, half of employers will require employees to supply their own device for work purposes (including a primary workstation laptop/desktop computer) [2]. Startup and tech companies already have their employees purchase and supply their own devices, often with a small stipend to offset the upfront costs.
Mobile device defined
Generally, a mobile device can be defined as any easily portable technology that allows for the storage and transmittal of your organization’s data, whether supplied/procured by your organization or by your employees. The obvious examples are laptops, phones, and tablets. Yet many organizations use other technologies to conduct business that may also qualify, such as digital cameras, external hard drives, logistics devices (e.g., GPS tracking devices, inventory/barcode scanners), and emerging technologies such as “smart wearables” (e.g., watches, glasses, fitness trackers).
All of these devices bring new risks and increase the impact of existing risks to your organization. Mobile devices, especially tablets and phones, introduce more ways for employees to use untrusted networks, applications, and content. These uses increase the risks that your organization’s data will be breached (e.g., lost, stolen), potentially resulting in compliance, reputational, and financial damages.
Holistic risk management
To manage these risks, you need a holistic approach that does not rely solely on the limited technical controls implemented on the devices themselves (e.g., passwords, encryption). Instead, manage risk across the following four areas, used together as a framework:
- Data (i.e., data generated, accessed, modified, transmitted, stored or used electronically by the organization) is essential to the organization's objectives and requires protection for a variety of reasons, including legal and regulatory requirements.
- Websites and apps (i.e., tools used to process electronic data) require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data.
- Devices (i.e., hardware used to access websites and applications for data processing) require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products.
- People (i.e., employees that process data via websites and applications through a variety of devices) require frequent communications and trainings on the risks, policies, practices, and tools for protecting the confidentiality, integrity, and availability of data.
For each of the four areas, your organization should implement system and manual control practices to manage its risks in the appropriate context for its culture and risk appetite. Below are select practices, by area, that illustrate methods for managing these risks.
Data
Organizations should concentrate protections and monitoring on regulated data, such as financial data (e.g., credit card numbers), health data (e.g., records covered by HIPAA), and student data (e.g., records covered by FERPA), as well as competitive data, such as intellectual property. To do this, your organization's data must be inventoried and classified so you can spend your resources more effectively and efficiently on these high risk data types, instead of attempting to protect all data equally. For example, high risk data should require explicit consent from the data owner before it is made available to certain users or for certain uses.
Websites and apps
Since most data is accessed and stored via various websites and applications, whether custom built or commercially developed, the security over these websites and applications should be commensurate with the classification of the data they handle. Additionally, the growth and volume of free and low-cost "apps" and web services (e.g., Dropbox, iCloud, Google) available for phones and tablets bring challenges: employees can easily procure these apps and services and start using them to store or process your organization's data, outside of any control you have defined. For example, all websites and applications that handle high risk data should require two-factor authentication for users logging into the system, or be available only when the device is connected to your organization's network. Alternatively, your organization may decide that certain websites and applications should not be available via mobile device at all, due to the sensitive nature of the data.
Devices
After defining the types of devices that will be allowed to access your organization's data and systems, device-specific security settings should be enabled to protect each device from unauthorized access or inappropriate use (e.g., passwords, encryption, restrictions on app usage, disabling camera functions). For many organizations, the sheer number of devices means manually implementing these settings is not practical. To address that challenge, Mobile Device Management (MDM) tools allow centralized management of security settings on devices. These tools are usually priced per device, at approximately $15 to $50 per license. MDM tools can provide varying levels of control and restriction on devices owned by the organization, as well as on devices personally owned by employees but used for organizational business. As with websites and applications, the risk management focus should be on those devices that access or store high risk data, to make effective and efficient use of your resources.
People
Finally, risk management relies heavily on people acting intelligently and ethically when using mobile devices. Organizations should provide employees with proper training and guidance based on the data classifications, website/application uses, and specific device nuances. Additionally, mobile devices introduce other human resource issues that may not be immediately apparent. These include potential union contract provisions related to working hours, taxable benefits for device and service plan reimbursements/stipends, and privacy concerns with organizational oversight of personally owned devices. Many organizations outline the applicable policies, procedures, and usage guidelines in employee agreements that individuals read and sign to show acceptance, similar to other employee usage agreements for information technology or company equipment (e.g., cars, machinery).
The four areas contain numerous additional best practices and risk management methods that should be implemented to address your organization's unique risks. Whatever the specific practices, organizations must use a holistic approach covering data, websites and applications, devices, and people to properly manage these risks and reduce the potential for compliance, reputational, and financial damages.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
[1] Cisco IBSG Horizons Study, 2012
[2] Gartner, Bring Your Own Device: The Facts and the Future, 2013