Thwarting the Mobile Data Security Threat

Mobile usage is up in the work force – and it is not about to go down. Check out these statistics:

• Mobile broadband subscribers are forecasted to grow dramatically from 1 billion in 2011 to over 5 billion globally in 2016.
• By 2015, more Americans will have mobile access to the internet than desktop PCs.
• As of March 2012, 46% of adult Americans owned a smartphone.  That’s an increase from 35% in May 2011.
• Gartner reported PC sales in general are down five quarters in a row. 

It’s no wonder mobile devices are so popular.  As mobile devices have gotten more powerful, the available functions have increased and the ability to handle more work-related tasks has increased as well. With greater processing power, more and more data can be accessed through mobile devices.

There is value to both employers and their employees to having mobile access to data.  Improved efficiencies range from tracking employee time cards, sharing documents with staff, tracking inventory, and more. A Mobile Work Exchange report showed that 48% of federal agencies surveyed have improved communication with colleagues in different locations due to mobile devices. Further, 47% agree that it increased employee productivity with 33% stating it also improved customer service.

While increases in communication, productivity, and customer service sounds great to any organization, there are dangers associated with mobile access to sensitive data.  Having mobile access to data means there is another access point available for possible attack.  Whether the mobile device is owned by the employee, contractor, or employer, the data it accesses is at risk of falling into the wrong hands.  There are plenty of news stories each week of an employee losing a device that contains health, social security, credit card, or other sensitive information.

Mobile security (and data security in general) is a barrier

Mobile device roll-out and data access needs to have a security policy with procedures and oversight in place to keep the data safe.  The Mobile Work Exchange survey showed that 20% of U.S. federal agencies deployed mobile security management, 34% deployed mobile device management, and 65% have employee training programs in place. However, 73% said that security is the biggest barrier to implementing mobile access.

Why aren’t organizations rolling out mobile access?  As we see with the federal government, security and budget are major factors.  While costs may be reducible, the security threat isn’t getting any smaller.  In fact, it is growing.

Yet, mobile security is fundamental.

Businesses and government entities cannot allow their sensitive data to be accessed by hackers, competitors, or anyone else.  In the case of the U.S. government, they sought to tackle the problem with a strategy for agencies.  On May 23, 2013, the U.S. government implemented the Digital Government Strategy which was put in place to get federal agencies more mobile, with the goal of better serving the American people.

The feds aren’t alone in going mobile with a strategy, policy, and procedure to keep data safe.  The healthcare industry has HIPAA compliance; banking has PCI compliance. The Inspector General’s Office (IG) for the Department of Defense found that the US Army was unaware of 14,000 devices in active use across its structure.  Of course, large organizations face the security challenge on a large scale. Nonetheless, a proper monitoring and tracking tool could have been used to prevent that debacle.

With regard to requirements and execution of data security, the government, health, and banking industries have a few things in common.  First, training and education is provided to all users and administrators so they know how to properly access and protect the data.  Second, they develop security procedures, applications, management and monitoring. In case of a breach, data owners need to know how to handle it.  Federal government agencies responding to the Mobile Work Exchange stated that they use the following security tools:

• 58% Encryption
• 35% Multi-factor authentication
• 34% Secure remote connection
• 32% Remote lock and wipe 

Encryption is obviously the most important tool and is therefore used by a wide margin.  However, encryption is only as good as the secrecy of the encryption key.  If the key can be easily discovered, or the data is decrypted but not secured again, then it is still vulnerable.  You should deploy an approach that allows you to manage and control the encryption keys for the sensitive data on your employee’s devices.

Conclusion: control your data security, not your devices

Mobile devices aren’t going away and employers big and small need to have policies in place to control and secure sensitive mobile data.  There are many benefits to going mobile, but also risks to carefully weigh and plan for.  In the end, proper security procedures and solid encryption technology can allow employers to enjoy the benefits of a more mobile workforce, increasing employee satisfaction and productivity along the way.
(Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.)