The security vulnerabilities introduced by untracked and unmanaged mobile computing devices are significant but certainly not insurmountable. Businesses can transform information technology to securely take advantage of mobility while minimizing risks to data, networks and business applications. Increased digital mobility in organisations demands new IT governance and support processes and new skills from the IT department.
The first step in responding to the emerging risks is to update the existing IT security framework to incorporate mobile information-sharing rules and to define the goals and objectives for managing digital mobility risks.
The development of an IT security framework is the responsibility of an organization’s top management. While the technical aspects of such a framework are delegated to the IT department, senior management participation is required to provide a concise declaration of direction and to address the value of information assets and the need for security. Often, IT security is perceived as a technical role to be left in the hands of IT staff. The increasing incidence and severity of information security breaches point to the need for a change of mindset among non-IT management about their roles and responsibilities in relation to the entity’s information assets.
The policy framework is complemented by the development of appropriate security procedures for both staff and the IT department. Mobile security policies must manage the security of the device, the data it accesses and stores, the applications it runs, and all interactions with the corporate network.
It’s also essential to include crucial intellectual property such as trade secrets and patents. As with any security initiative, security stakeholders must first consider an organization’s unique risks and build a mobile security framework on the foundation of existing security measures.
The proliferation of mobile devices will require that businesses train the IT department workforce to support secure application development and other mobile technologies. This may require new knowledge, such as an understanding of technologies like encryption, authentication and authorization controls. A renewed focus on monitoring and analysis of network traffic to and from mobile applications will enable IT to ensure security of infrastructure servers.
An entity must take stock of all mobile hardware used companywide and determine what devices are allowed to access its network. Once a standard for approved devices is in place, the IT department must implement preventive controls to ensure that unapproved units cannot access the network.
Additionally, an entity must decide what types of corporate data the approved devices can store and determine the most effective security measures, such as encryption or authentication, for protecting data on those units. In doing so, it will be necessary to distinguish enterprise data from personal information, and identify appropriate measures to be taken when data is mixed.
An effective strategy clearly specifies where corporate data is permitted to reside. This could be on the device, on the network, on a public cloud service, or some combination of the three. It is also necessary to classify the types of information that can be exchanged between the device and the corporate network.
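The device-approval and data-residency rules described above can be expressed as a small policy check. This is an added illustration, not code from the article or from PwC; the device inventory, data classes, locations and required controls are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample policy (not the article's): where each data class may
# reside, and which controls a device must demonstrate before holding it.
LOCATIONS = {"device", "network", "public_cloud"}
RESIDENCY_POLICY = {
    "public": {"device", "network", "public_cloud"},
    "internal": {"device", "network"},
    "confidential": {"network"},  # trade secrets etc.: never on a handset or public cloud
}
REQUIRED_POSTURE = {
    "internal": {"encrypted"},
    "confidential": {"encrypted", "mfa", "screen_lock"},
}

@dataclass
class Device:
    device_id: str
    owner: str
    approved: bool  # listed on the company's approved-hardware standard
    posture: set = field(default_factory=set)  # controls verified present on the device

def evaluate(device: Device, data_class: str, location: str) -> tuple[bool, str]:
    """Decide whether `device` may handle `data_class` data at `location`.
    Order follows the article: block unapproved hardware, enforce where the data
    may reside, then require the controls for data held on the device. Fails closed."""
    if not device.approved:
        return False, "device not on the approved-hardware list"
    if data_class not in RESIDENCY_POLICY:
        return False, f"unclassified data class {data_class!r}"
    if location not in LOCATIONS:
        return False, f"unknown location {location!r}"
    if location not in RESIDENCY_POLICY[data_class]:
        return False, f"{data_class} data may not reside at {location}"
    if location == "device":
        missing = REQUIRED_POSTURE.get(data_class, set()) - device.posture
        if missing:
            return False, "device lacks required controls: " + ", ".join(sorted(missing))
    return True, "permitted"

# Constructed inventory entries (hypothetical, for demonstration only)
INVENTORY = [
    Device("tab-01", "finance", approved=True, posture={"encrypted", "mfa", "screen_lock"}),
    Device("phone-07", "sales", approved=True, posture=set()),
    Device("byod-99", "contractor", approved=False),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for cls in ("public", "internal", "confidential"):
            print(dev.device_id, cls, "on device ->", evaluate(dev, cls, "device"))
```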
Once a comprehensive strategy is in place, employees should be made aware of the policies and trained in the secure use of devices. This may be the organization’s toughest task. Employee awareness is often the weakest link in a security strategy, which is an unacceptable situation since employee compliance with mobile security is uniquely critical to its success.
An effective mobile security strategy can enable a business to harness the productivity and flexibility of today’s mobile devices and applications while safely dodging the risks. In a world of tremendous uncertainty, the one certain thing is that the time to start planning is now.
Samuel Kariuki is a Manager with PwC Rwanda