Security: If IT is everywhere, who's responsible for security threats? Here's a plan for managing some of the most unmanageable risks.
Optimize
May 2007
When thieves robbed an Integris home health-care provider of a notebook computer at gunpoint in February, Integris CIO John Delano had two priorities: ensuring the employee's well-being and protecting the patient information on the notebook. Fortunately, the employee was unharmed and the patient information remained protected because it had been encrypted. The company's mobile-technology risk strategy was working—so far.
The proliferation of mobile technologies like notebooks, smart phones, and removable media has introduced new risks to business information. According to a 2006 report by the Ponemon Institute, a security-research organization, more than 54% of all security breaches resulted from the loss of a laptop, mobile device, or electronic backup. Data breaches are now regulated by several state and federal laws—another reason CIOs should be worried about protecting customer information.
Despite the risks, mobile usage is booming because of the advantages of workforce enablement and rapid infrastructure deployment. A 2006 Forrester report on mobile organizations found that almost two-thirds of U.S. businesses are deploying wireless networks, with mobile voice and data spending representing almost a quarter of last year's telecom budget.
Ubiquitous Woes
More often than not, mobile technologies—particularly those used by CEOs, senior executives, sales professionals, and consultants—contain highly sensitive corporate data, such as sales figures and E-mail. Newer devices have increased storage capacity and Internet connectivity.
CIOs understandably worry that increased storage exposes a significant amount of data to theft, loss, or misuse. They fear that most business users won't take appropriate security measures in untrusted environments—and for good reason. In a 2003 incident, for example, a BlackBerry wireless device purchased on eBay contained a database of more than 1,000 names, E-mail addresses, and phone numbers, together with more than 200 internal E-mails. The seller of the device had simply assumed that the data would be erased by removing the battery.
And attacks on mobile environments are increasing. Last year, antivirus vendors detected more than 200 mobile-phone viruses. Attack vectors such as spyware, phishing, pharming, malware, zero-day browser attacks, and botnets are climbing rapidly. According to Trend Micro, almost 30 types of malware have been found for the Windows smart-phone device alone. Microsoft estimates that there are nearly 12 million smart-phone devices in use.
Privacy regulations such as California Senate Bill 1386 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) specify disclosure and protection standards for safeguarding nonpublic, personally identifiable information. But businesses that capture and store personal information face further challenges from regulations that require public disclosure in the event of real or suspected mishandling of personally identifiable information.
In the health-care industry, for example, personal information about patients is stored on a variety of mobile devices used by physicians and other caregivers. Today, a remote diagnostic center can send a patient's EKG to a physician's smart phone. But just as mobile devices are becoming indispensable, protecting patient information in response to HIPAA regulations is an absolute imperative. Federal law imposes a range of criminal and civil penalties for the misuse of health information, including fines of $250,000 and 10 years in prison.
Given this background, loss of personal information in a data breach is a business issue beyond the IT department (see related articles, pp. 20 and 32). Negative publicity is expensive and embarrassing, draining the confidence of buyers and investors.
Developing A Mobile Risk Strategy
To combat this, we urge organizations to adopt a companywide mobile-technology risk strategy (MTRS) to guide the business in assessing the problem, developing a budget commensurate with the potential business impact, and prioritizing any technical, procedural, and organizational solution needed to mitigate the risk. In crafting such a plan, CIOs must work across business units, involving the marketing, legal, and customer-relationship departments, together with the chief information-security officer and other risk managers. To develop an MTRS, determine your security requirements as follows:
- Take stock of all mobile technology companywide. Assessing the inventory of a large organization can be daunting, so consider sampling representative employee sets and installing various tools on the mobile host computers.
You'll need answers to a host of questions. For starters, who uses mobile technology, and for what purposes? What types of mobile technologies are being used? How often, and where?
Next, turn to the nature of the data stored and the safeguards provided. What types of information are exchanged between a device and business systems? What authentication mechanism protects the device? What information does it store, and how much data is encrypted?
Finally, take a look at present and future technology needs. What types of technologies may be adopted? What software is used to synchronize or back up mobile devices? And what process is in place to retire or dispose of the equipment?
- Assess the impact and justify budgeting. CIOs need to assess the threat of a data breach and understand its impact on the business. This analysis must be shared with the senior executives across all business units.
One IT executive, the chief security officer at a Fortune 100 company, approached the problem by collecting data about the attacks that occurred within a specific 100-day time frame. After a few weeks, his IT team furnished a realistic estimate of the money spent dealing with the loss of data, a number that floored the other executives the CSO was trying to persuade. While that estimate was enough to justify the business case for a major overhaul of the company's mobile-security strategy, the analysis also quantified the costs of losing data, the increased cost of security operations, and the impact of security breaches on the brand and the business's reputation.
The direct incremental cost of a data breach is $54 per lost record, according to an August 2006 Ponemon Institute report. Typically, the amounts are higher for smaller data breaches because the legal, correspondence, and personnel costs are spread across a smaller base.
Senior management needs to be aware of other consequences as well. Data breaches may result in class-action lawsuits, damage to market value, loss of business relationships, and even bankruptcy. If they rise to the level of regulatory offenses, those breaches could carry fines and penalties—including prison terms for company officials found negligent in protecting customers' personal information.
Implementing The Plan
Once you've outlined a strategy based on your company's particular needs, you'll have to determine how to implement it. Keep the following considerations in mind as you develop your MTRS road map.
Standardization, one solution to managing mobile devices, is difficult in an environment with many different devices and OS vendors. Nevertheless, businesses can develop a standard set of procedures for procuring and distributing mobile devices, replacing old ones, updating and distributing mobile OSes and applications, managing lost and locked devices, extending IT help-desk support, and centrally administering the equipment.
Mobile platform-management solutions offer centralized consoles. These let you maintain consistent security settings across all mobile devices.
Auditing and reporting is another very important aspect of managing mobile devices. At a minimum, businesses need to know the state of compliance of a device at any given time. CIOs will also want reports on the types of business information being stored on each device.
Enforcing mobile data-security measures involves defining the policy, protecting the data on the mobile device, authenticating the device and the users, monitoring for policy compliance, and generating reports.
Enforcement solutions generally offer data encryption, which under many breach-notification rules exempts the business from compliance-related notification if an encrypted mobile device is lost or stolen. The business must be sure it can recover its data in the event that an encryption key is lost. A robust management solution allows centralized encryption-key management and escrow.
Most newer mobile devices, such as some of the secure USB drives, are now available with built-in encryption capability. Newer notebooks in particular are shipped with a Trusted Platform Module (TPM) chip, a feature that supports hard-disk encryption. BitLocker, a feature of the Windows Vista platform, likewise lets users encrypt their hard disks.
Standardization Is Key
- Define mobile-policy constraints. The mobile policy should align with overall corporate security policies and regulatory mandates (see related article, below). At the same time, CIOs must maintain a practical view of the problem at hand. At Integris, where the primary concern is devices that store personal information locally, the policy is simple: Any medical device containing patient data must be encrypted.
Beware of unintended consequences, however. Locking down devices after consecutive login failures could result in more calls to the help desk. A more reasonable policy may be to restrict a person's ability to install applications or use a camera on the device.
CIOs obviously have to see that corporate mobile devices are compliant with policies and regulations at all times, regardless of their location. Devices that haven't reported their compliance status must be deemed noncompliant and denied access to company resources. Reporting also addresses details of the data on the device and the legitimate use of the device. All this requires two-way communication and centralized administration between the mobile device and the connected systems.
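The two rules above, the Integris "patient data must be encrypted" policy and the requirement that devices which haven't reported their status be treated as noncompliant and denied access, can be expressed as a small default-deny compliance check. The following is an added illustration, not code from the article or from any vendor product it mentions; the report fields, the 24-hour reporting window, and the sample device reports are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed policy parameter: a device whose last compliance report is older
# than this is treated as if it never reported at all.
MAX_REPORT_AGE = timedelta(hours=24)


@dataclass
class DeviceReport:
    """Last known self-reported state of one managed mobile device (assumed schema)."""
    device_id: str
    reported_at: Optional[datetime]  # None means the device has never checked in
    encrypted: bool                  # storage encryption enabled
    has_patient_data: bool           # device holds patient (regulated) records
    lock_enabled: bool               # PIN/password lock on the device


def evaluate(report: DeviceReport, now: datetime) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any reason at all denies access (default deny)."""
    reasons: List[str] = []

    # Rule 1: no current report -> noncompliant, regardless of what it last said.
    if report.reported_at is None or now - report.reported_at > MAX_REPORT_AGE:
        reasons.append("no current compliance report")

    # Rule 2: the Integris policy - any device holding patient data must be encrypted.
    if report.has_patient_data and not report.encrypted:
        reasons.append("patient data stored without encryption")

    # Rule 3: basic device-lock requirement from the corporate policy (assumed).
    if not report.lock_enabled:
        reasons.append("device lock not enabled")

    return (not reasons, reasons)


def gate_access(reports: List[DeviceReport], now: datetime) -> Dict[str, Tuple[bool, List[str]]]:
    """Decide, per device, whether it may reach company resources right now."""
    return {r.device_id: evaluate(r, now) for r in reports}


def compliance_summary(decisions: Dict[str, Tuple[bool, List[str]]]) -> Dict[str, int]:
    """Counts a CIO-level report would show: compliant vs. denied devices."""
    allowed = sum(1 for ok, _ in decisions.values() if ok)
    return {"compliant": allowed, "noncompliant": len(decisions) - allowed}


# Constructed sample data: four devices as of a fixed point in time.
SAMPLE_NOW = datetime(2007, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    DeviceReport("nb-001", SAMPLE_NOW - timedelta(hours=2), True, True, True),
    DeviceReport("nb-002", SAMPLE_NOW - timedelta(days=3), True, False, True),
    DeviceReport("ph-003", None, True, False, True),
    DeviceReport("ph-004", SAMPLE_NOW - timedelta(hours=1), False, True, True),
]

if __name__ == "__main__":
    decisions = gate_access(SAMPLE_REPORTS, SAMPLE_NOW)
    for device_id, (ok, reasons) in decisions.items():
        print(device_id, "ALLOW" if ok else "DENY", "; ".join(reasons))
    print(compliance_summary(decisions))
```

The important design choice is that silence is never treated as compliance: a device that has gone quiet (`nb-002`) or never enrolled (`ph-003`) is denied before any other rule is consulted, and the reasons list lets the help desk tell the user exactly what to fix rather than just reporting a refused connection.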
The mobile technology risk-solution market is relatively new but growing rapidly. An August 2006 Gartner report points to some 20 vendors, making the selection process critical. The first thing to do is to reach agreement internally on the business capabilities required to support the high-level goals of the organization. For some, privacy is the primary driver. For others, it's reducing the number of help-desk calls. Regulatory compliance is a third alternative. A current assessment provides invaluable input, allowing the CIO to understand exactly what problems need solving and what gaps must be filled.
Beyond the business capabilities, CIOs should pay particular attention to the operational capabilities that vendors offer. For example, it's difficult for vendors to keep pace with every new mobile device, which can create a lag time between user adoption and security support. Should you let employees use the latest and greatest devices they demand, even if there's a window of higher risk? What assurances can a vendor provide to mitigate that exposure in the shortest possible time? Chances are, the rest of the organization won't be asking those important questions, but these operational complexities create a dilemma for CIOs, who have to choose between strict policy enforcement and some level of risk.
It's too late to put the genie back in the bottle. Many businesses have discovered that the benefits of mobile technologies are too valuable to lose. Yet the business risks are far too great to ignore. Consider a scenario in which an insurance-claims adjuster uses a mobile smart phone to photograph and instantly file evidence in an incident. In this case, a lost smart phone means lost productivity and expensive direct and indirect costs associated with lost data.
CIOs can't rely on users alone to protect the data on their mobile devices. Instead, they need to work with cross-functional business units to develop an actionable mobile-technology risk strategy. Those CIOs who succeed in managing the risks will reap business benefits and transform mobile technology into a true business enabler.
Nalneesh Gaur is a principal and Bob Kiep is a partner at Diamond Management and Technology Consultants.