By Kathleen Richards, Information Security
Mention "mobile risk" in the workplace and many CISOs squirm.
How mobile security is handled runs the gamut from the "Wild West," as one reader described it, with few limitations on devices and applications, to companywide standardization on a handful of platforms whose inherent security functions are bolstered by third-party security software. Other mobile risk management strategies are focused on "use cases," with mobile security wrapped around user profiles and corporate data access.
Yet the majority of Global 2000 companies do not have policies in place that reflect mobile data security concerns. According to a February 2016 study by the Ponemon Institute, 67% of 588 IT and security professionals surveyed in the U.S. reported that it was "certain" or "likely" that a data breach had resulted from an employee's mobile access to sensitive or confidential corporate data. But only 41% of respondents said their organizations had policies in place about corporate data access from mobile devices.
Data storage on devices is another mobile risk management paradox. While 55% of those surveyed in the Ponemon study said that employees had too much work-related data on their mobile devices, only 31% of their organizations had policies in place that restricted storage of corporate data on mobile devices.
CISOs increasingly view mobile risk management as a major part of their security programs. In his cover story, "Move Past Ad Hoc Mobile Security," Senior Reporter Michael Heller looks at mobile security maturity. While many companies are still in the early stages, a mobile risk strategy that strikes a balance between users' needs and information security may result in higher productivity and security processes that employees actually follow. Getting there is the hard part.
Many employees still fail to use device passcodes and application passwords. But it isn't only employees who are lax about authentication. In his article, "Multifactor Authentication Goes to Work," longtime contributor Dan Sullivan outlines the strategic considerations and costs that may have caused some companies to forgo best practices or avoid strong authentication methods altogether.
Encryption is a part of that narrative. TechTarget surveyed IT and business professionals whose organizations are actively pursuing enterprise encryption projects in the next 12 months. SearchSecurity Site Editor Peter Loshin reports on the findings in "Readers' Top Picks: Enterprise Encryption Tools." Clear winners are hard to come by, according to Loshin, as encryption tools are increasingly built into broader security platforms.
Device encryption has moved out of the headlines (for now) as the FBI standoff with Apple, regarding new software to hack into an alleged terrorist's iPhone, ended. The FBI reportedly paid more than $1 million to a third party for a method to unlock the iPhone's data. As mobile devices increasingly store and access sensitive information, the privacy versus security debate will cause manufacturers, regulators and law enforcement to adjust boundaries. (And the "next big thing" may be smartphone functionality in a range of devices connected to the Internet of Things.) In the workplace, at least, CISOs need to get out in front of mobile risk management with a comprehensive security strategy that is realistic in today's mobile environments.
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.