Moving Targets: The Risk of Mobile Devices

Mobile data management: a risk vs. reward scenario for business. Mobile data management presents a classic risk vs. reward scenario for business. While mobile devices are all but essential for many aspects of business, the risk of lost or stolen data is significant. Learn how companies are controlling the risk around these proliferating devices by assessing critical areas of mobile data management.

It's what attorney Randolph Kahn calls "a perfect storm."

"[Businesses face] an increasing amount of data with greater and greater value, most of which is created electronically [and] never makes it to paper, dwells in a variety of places, and increasingly is on smaller and smaller computing devices, like laptops and PDAs, making management that much more challenging and failures that much more likely," he says.

Kahn is founder and principal of Kahn Consulting, a consulting firm specializing in legal, compliance, and policy issues of business information and IT.

All of the factors Kahn cites are combining to create a potential nightmare for any company using mobile devices without solid controls in place—and that, unfortunately, describes all but a very few companies.

According to a study last fall by the BPM Forum, almost half of companies surveyed lack formal security and compliance policies and systems around mobile devices. That's in spite of the fact that half of the companies rated themselves as significantly mobile, and a quarter said mobile devices transmitted proprietary enterprise data. Despite that, almost 40 percent said it would take an actual security breach to persuade them to install mobile device controls.

The risk of unsecured mobile devices "seems to be flying under the radar for some reason," says Adriano Gonzalez, VP of strategy and programming for the BPM Forum, which is made up of private industry membership. "Proliferation of mobile devices has happened so quickly. [Companies] are paying attention to other regulatory priorities."

Perhaps part of the problem is that compliance regulations like Sarbanes-Oxley (SOX), HIPAA, and the Gramm-Leach-Bliley (GLB) don't specifically refer to control of mobile devices; what they address is the general issue of control of personal, financial, and corporate data, wherever it resides. That means that the network perimeter and management's responsibility for corporate data has extended to include any employee with a mobile device containing regulated company information.

SOX, for example, while not specifically addressing portable devices, requires that companies have effective controls over any device in use. That includes policies around which employees can use what devices, what information those devices can contain, and enforcement rules for managing their use.

As devices have gotten smaller and more powerful, the term "mobile" now includes not only smart phones and PDAs, but also small, portable mass storage devices such as removable thumb-size memory drives or iPODs. Those devices can now hold 64G or more of information, more than enough customer, patient, or financial data to keep an executive awake nights.

Mobile devices that communicate wirelessly fall under additional regulations, especially regarding privacy. The overlap in regulations and the lack of a single agency in charge lends to the confusion. The mobile device issue "touches potentially several regulations, and the jurisdiction is unclear," according to Larry Ponemon, an attorney who is head of the Ponemon Institute, which researches privacy and data protection issues. "The wireless universe is regulated by the [Federal Communications Commission], but in terms of good privacy regulations at a general level, that would be the Federal Trade Commission. You would think the FTC and FCC would be working together to solve some of these problems, but it doesn't work like that."

Some of the issues around wireless devices are similar to those around controlling Internet content in general, Ponemon says, such as determining an acceptable method of capturing user information, and deciding when and how it can properly be shared. Those issues, he says, are generally independent of devices and even technology.

But adding the wireless element to a discussion of compliance regulations and mobile devices introduces huge complexities. It may be unclear who owns a particular piece of software that's embedded in a phone, Ponemon points out. "Or is it a phone, or has it become a full-fledged computer? What's the difference between an Excel file on your Trio, and one on your laptop or desktop computer? It starts to become very fuzzy about who's responsible for ensuring that [information] is secure and that [consumer] privacy rights are protected."

The water is further muddied when wireless devices such as cell phones are used as electronic credit cards. That use may subject them to other regulatory forces, including banking regulations from the US Office of the Comptroller of the Currency (OCC), or Payment Card Industry Data Security Standard (PCI DSS) regulations. "You'd think there would be one super-regulator, because of the potential problems with both security and privacy" with wireless devices, Ponemon says, but that simply isn't true, at least yet.

What it all points to is the need for corporate-wide policies that address not just management of mobile devices, although that must be considered, but overall information management policies across the network. There are some areas companies can address to rein in mobile device use and bring themselves within compliance of at least the most obvious elements of the law.

1. Get management's attention

Anyone working on compliance issues has heard this before, but properly assessing and managing the risk around mobile devices has to be a top-down initiative. As with many aspects of compliance, management must realize that mobile devices are a significant risk to the company that warrant time, money, and attention.

Unfortunately, that often isn't understood, even in companies significantly at risk from the high use of mobile devices. The BPM Institute study found a significant awareness gap between management and IT regarding mobile device management. IT staff are generally quicker to see mobile devices as a significant threat; management often fails to acknowledge the risk until a breach occurs.

Studies at the Ponemon Institute have similarly found "a big disconnect between the IT guy and the CEO and CIO," Ponemon says. "CEOs don't think about security until it's too late."

Educating management about risk, perhaps by including pointed references to embarrassing security breaches at competitors, is essential. Setting risk policies isn't something that can occur in isolation, Gonzales says. "It has to be enterprisewide." He suggests starting with a simple inventory of devices, a basic task that many companies haven't undertaken.

Because complex issues arise around wireless access, data encryption, backup, and archiving, the access control assigned various devices, and much more, an interdisciplinary team is a must. "Others may understand some of these issues better than IT folks," Gonzales points out. That means involving the company's compliance experts, legal team, and backup and archiving experts, along with IT staff.

2. Take a holistic view

The shear number and variety of mobile devices in use at most companies, and the range of information being stored on them, points to the need for a company-wide, network-centric solution. That solution should examine potential points of failure across the enterprise, including people, processes and technology.

Although technology can help, mobile device security isn't a technical problem alone. "You can have the greatest technology in the world," Kahn says, "but if people misuse it, improperly implement it, or fail to manage it in a way that advances its functionality, you're still going to have failure."

Kahn's firm espouses a holistic, enterprisewide compliance strategy that it calls "information management compliance," structured around seven keys that are drawn from federal sentencing guidelines—rules for judges that apply to any corporation being processed in federal court.

Kahn, who is the author of several books on information management and compliance, says the approach essentially creates a "legal best practice" that can help institutions build the right legal, security, and compliance structure for employees. In short, Kahn's approach means strategically structuring information management activities with an overriding understanding of how those activities are likely to be judged by the courts.

"After all, if a corporation fails to get it right, and they're in a federal court being prosecuted for some failure, that court is going to evaluate them based upon the federal sentencing guidelines," he points out. "We figure you may as well build it that way to begin with."

3. Educate employees

Making employees aware of mobile device policies goes hand-in-hand with proper technology solutions. As with technology, it can't stand alone. "You can have the smartest employees in the world," Kahn says, "but if there's no process in place to ensure that something is done properly, you're still going to have failure."

At the very least, employees need to be instructed to follow the same data security policies that are required elsewhere in the company. But because mobile devices have advanced into the enterprise so quickly and stealthily, that's often not the case.

"Nobody expects that in every situation on any given day, every employee will get information management right," Kahn says. But having policies in place, and educating employees about what they are, is a huge step toward that goal. Again, he looks to what the law requires: "Seeking to create an environment and process to ensure that [employees] can get it right, really is what the federal sentencing guidelines are about."

4. Use software to help manage data and devices

Different types of software for mobile device management are available, but as with any aspect of risk assessment and control, management needs to be convinced that the cost vs. benefit ratio makes sense.

Encryption may be essential if you're releasing any sort of customer or otherwise confidential data onto mobile devices, although decisions need to be made about where and when (at the device level or elsewhere). In addition, IT can install tools that restrict network access to specific employees or devices, for example. Passwords are a good step; you can install software on every approved mobile device that shuts the device down after a few minutes of inactivity. Software is also available that allows a mobile device's access to the network to be terminated remotely if a device is reported lost or stolen.

Conclusion

As tough as it is to manage mobile data in today's proliferating landscape of tiny, data-stuffed devices, it's not impossible. Management needs to recognize and appreciate the scope of risk involved, then help formulate a plan that acknowledges the importance to employees of mobile devices, but also recognizes and controls the significant legal and regulatory risks involved. With luck and persistence, that can be done before a huge data breach calls not only management's attention to the problem, but the entire outside world as well.