Industry View

5 Steps for Achieving Effective Mobile Security Governance

How do you keep mobile security intact as devices proliferate? Consultant Robert Zhang breaks down the keys to success.

By Robert Zhang, GlassHouse Technologies


  • What are the corporate mobile data assets that require protection?
  • Which corporate data systems are accessed by mobile employees, and how and where?
  • How are mobile devices being used, protected and managed?
  • Do employees know the procedures for responding to an incident?

To fully determine an organization's mobile security posture, a comprehensive security assessment against an organization's specific business environment is needed.

Developing an Effective Mobile Security Policy
Lack of an effective mobile security policy is a fundamental root cause for many failed security efforts. The policy must be risk-based, covering all identified risks on mobile devices, both organization-issued and individually owned, and all user groups, including regular employees and temporary contractors.

The policy development process should determine which applications are to be made available to which mobile user group and on what types of devices. Typical mobile applications may include email, sales force automation, field service applications, dispatching, extended CRM, etc. These applications can drive productivity and revenue growth if deployed and managed securely.

An effective security policy needs to clearly translate regulatory compliance requirements into the organization's risk management processes and procedures to protect data from loss or compromise. It also needs to speak clearly to the user's responsibility for device configuration, usage, data backup and protection. The information stored on a mobile device should be limited to what is required while on the move.

In addition, the policies must be enforceable via active IT monitoring and software tools. Organizations should regularly review the policies to take into account any new security threats associated with changes in the business environment.

Ensuring Employees' Responsibility and Awareness
Employees are a major factor, for both good and bad, in mobile security. In a recent CSO survey, 28% of all mobile users use their mobile devices to access the Internet, and 86% of them admitted to having no mobile security. A careless or security-unconscious user can easily put an organization's confidential information at risk.

Lack of mobile user training and awareness is a major factor contributing to many user errors and incidents. A less-trained user may not even know a procedure for handling security. In some cases, a mobile user may simply bypass required configuration procedures in order to get a job done.

Employee education and awareness should become a valued part of corporate culture. A well-trained employee can help an organization greatly minimize mobile security risks. [See also Security Awareness Programs: Now Hear This!] It is critical that all security policies get buy-in from line-of-business leadership, end users and support teams across the organization.
