Study: Some firms balk at mobile security

By Robert Westervelt, News Editor 28 Nov 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

As chief technology officer of HealthWyse—a Wilmington, Mass.-based firm that provides software and data services to the home care, hospice, and private duty markets—Braunstein is on top of the strict laws governing patient medical records, forcing firms like HealthWyse and its clients to exceed the security standards most companies set on employee mobile devices.

The answer that commonly surfaced was that they were not allocated enough in the budget to address the issue. Adriano Gonzalez, vice president of strategy and programming, BPM Forum

But some companies are falling behind, according to a new study conducted by the Palo Alto, Calif.-based Business Performance Management Forum. In some enterprises, other compliance related priorities are overshadowing the need to regulate mobile device use in the workplace.

The BPM Forum interviewed a select group of executives and surveyed nearly 700 others finding that as many as 40% of these firms failed to regulate the use of mobile devices. While important information may exist on some mobile devices, companies are not taking this security issue seriously, said Adriano Gonzalez, vice president of strategy and programming for the BPM Forum.

"Many organizations are asleep at the wheel," Gonzalez said. "The answer that commonly surfaced was that they were not allocating enough in the budget to address the issue."

About half of those surveyed estimated that a minimum of 25% of mobile devices carry mission critical information. In addition, 27% of the respondents said that most of the mobile devices in their companies currently transmit proprietary enterprise data.

Mobile device security: Tip: Policies for reducing mobile risk Column: Data breaches may be new boon for mobile security Security School: Essential practices for securing mobile devices Webcast: Top 5 Ways to Lock Down Your Mobile Devices

Businesses must track and archive billions of messages to comply with the Sarbanes Oxley Act, a set of federal regulations that protect against accounting errors and fraudulent procedures in the workplace.

Still, companies are not fully addressing data mobile device data transmission, according to the BPM Forum. The survey found that 21% of respondents said other compliance issues are taking a higher priority; and 12% said budget constraints have prevented them from taking action.

"Management is still largely concentrating on establishing legacy compliance," Gonzalez said. "They've forgotten about the major exposure related to mobile devices."

Braunstein, whose firm specializes in software for personal digital assistants (PDAs) in the healthcare industry, said he has seen firms act passively, relying instead on employee know-how. Other companies take an aggressive approach, making mobile devices almost useless. The challenge is to find a happy medium, he said.

"Large companies with sophisticated IT departments apply policies internally, but smaller firms have people who probably don't understand what they're doing with company data on their mobile devices," Braunstein said.

With more employees introducing consumer devices, such as PDAs, BlackBerrys and even iPods in the workplace, IT managers are trying to get upper level management to set strict policies about their use, Gonzalez said.

IT managers are not agreeing with management on the amount of time and money spent to address mobile data security, according to the survey. While 50% of compliance, finance and legal executives say that mobile compliance has a strong level of influence in the overall IT and network strategy, only 35% of IT officers feel the same way, Gonzalez said.

Despite the tools and encryption software available to protect sensitive data, respondents said it would likely take a major breach for management to act. The challenge is to get firms to begin by putting guidelines in place to educate employees, Gonzalez said.

"There are a number of companies that have not addressed the issue appropriately, but as organizations adopt more appropriate governance frameworks, those companies will follow," Gonzalez said.

Tags: Handheld and Mobile Device Security Best Practices,  Information Security Policies, Procedures and Guidelines,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Handheld and Mobile Device Security Best Practices How to prevent mobile phone spying Unified communications: Securing a converged infrastructure RIM patches serious BlackBerry Attachment Service flaws How secure are iPhone App Store mobile applications? Is there a spy on my mobile device? Mobile phones win during Pwn2Own contest Latest Apple iPhone features prompt security concerns Apple iPhone app could boost two-factor What Obama's Blackberry means for mobile device security SMS mobile worm attacks Symbian smartphones Handheld and Mobile Device Security Best Practices Research Information Security Policies, Procedures and Guidelines Twitter risks, Facebook threats trouble security pros Cybersecurity czar candidate questions clout of new position Incident response planning The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence DHS fills National Cybersecurity Center post New partnerships, creative thinking help security bust recession Experts optimistic of Obama cybersecurity plan

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary