2010 might seem a long time ago now, especially in terms of technology, but even back then an article in Personnel Today magazine was warning, “In comparison with desktop software, mobile apps are highly insecure as a result of the speed at which they come to market, their life spans and rules surrounding publication.” Most businesses would fail without the support of mobile technology and yet the modern fetish for on-the-move IT carries a number of security threats related to hardware, software, policy and personnel. These mobile security tips will ensure your business remains safe.
The most significant risk is your team’s lack of awareness of security issues, which in turn can lead to carelessness with information that leaves the door wide open for both the opportunist and the professional data thief. A recent security survey by multinational consultancy Ernst & Young noted that security wasn’t viewed as an important mobile issue by 30% of respondents. This lack of awareness is difficult to address through systems and procedures alone (although the simpler procedures such as sign-on are, the better), and the best way to tackle it is through preventive training and information before it becomes an issue.
The incredible range of applications available is what makes the mobile device so versatile and practically indispensable in today’s business environment. Whether it’s managing your to-do list, working collaboratively with peers in a different city (or country) or simply identifying the wine you’re sipping at today’s business lunch, your smartphone or tablet is overflowing with apps. However, apps mean a constant data stream between you and the internet/cloud, and while the contents of your wine label may be fairly innocuous, the contents of your customer relationship management system might not be. The question is, just how secure is that latest app you installed yesterday? And how about the apps your team might be using to juggle your business data?
Bring your own device (BYOD).
As has been well documented elsewhere, BYOD is the latest business trend (or if not the “latest” then at least set to be highly current for a good while longer). This raises the issue of device ownership being spread across individuals versus the need for security protocols to be centrally managed. There is always a likelihood that an individual knowingly or unknowingly makes changes to their device that reduce its security, thus creating a chink in your technological armor. There’s also a need for some centralized control or monitoring over what data is held on which device and by whom. For this you will need some reasonably sophisticated middleware with the capability to remotely lock or change passwords on a device should it be lost or stolen.
Threats from inside.
The loss of a smartphone containing customer data through carelessness is an example of an internal security threat (although one without bad intent). But with approximately 70% of security breaches occurring due to internal causes, at least some are carried out deliberately by employees or contractors with access to your information. While awareness briefings make the policy clear, they can’t prevent a malicious act. Apart from giving employees no reason to feel aggrieved, part of your security protocols is asking the question: just what is our sensitive data, and who really needs to have access to it?
This risk is more of a consequence of a leak or theft having taken place. If you lose a customer’s information (such as the credit card details they used to purchase from you online) and they suffer a loss because of it, you may be subject to legal action for your ‘carelessness’.
Finally, there’s the broader issue of federal and state legislation that may lay down certain requirements regarding data protection and storage. Your data may still be untouched on your server, but if it is not stored correctly you may still be liable to a penalty. One such example is employee data subject to the Health Insurance Portability and Accountability Act (HIPAA), which must be stored with native encryption.