Submitted by David Carlino
Mobile devices are designed to store less data than traditional laptops and desktop workstations. Cloud-based storage continues to enable a steady migration away from local device storage. Due to local storage limits, mobile users are increasingly turning to a wide array of cloud storage options to maintain and access their data. This is very helpful when a device is lost or stolen but there are unintended consequences in complexity, security, and risk…
Enabling increased “mobile” storage generally results in a complex arrangement of backups through iCloud, Gmail storage, Dropbox accounts – an arrangement that is unique for every personal device. And each person may have multiple personal devices – a tablet for this, a smart phone for that. The burgeoning “Internet of things”, with a wide array of Internet-connected appliances and wearables that will store and process sensitive personally identifiable information, including health data, will increase the complexity of each end user's cloud data map exponentially.
In most business settings, where the bits and pieces of data go – which nodes they pass through and where they end up resting – is not just a curious complication but a matter of business security, operability and compliance. Perhaps not for businesses that flat-out ban the use of personally owned devices (BYOD) for work purposes. This group, however, is very small and includes heavily regulated industries such as defense and aerospace. Even here we would caution that personal mobile device use for work purposes, whether allowed or not, is likely occurring in some of these organizations.
Most other industries, including banking, healthcare and energy, in that order, while regulated, face a tougher dilemma with regard to personally owned devices. On one hand, they need to harden the security of their information systems, as they face severe consequences for a data breach or system compromise. With their personnel increasingly using their devices in secure settings and accessing sensitive data, the risk increases enormously. Yet the cost savings of allowing personally owned devices are compelling. And employees far prefer that flexibility.
In no place is this becoming more challenging than in the healthcare environment, where an explosion in connected medical device technology is rapidly improving outcomes and the very concept of medicine and care. From a technical perspective, new medical devices are themselves enabled by the healthcare industry's shift to electronic health records, a huge transition from which, for most covered entities and business associates, the dust is still settling and risks have yet to be defined. From a regulatory compliance perspective, the devices are entering an industry that is poised to face even further scrutiny over data flows, as the strict Accounting of Disclosures rule looms on the horizon.
Regardless of industry, however, the fact remains: saying nothing about mobile device security is the equivalent of saying yes.
The risk of data sprawl due to mobile device use is unique from organization to organization. The only realistic path forward is to commit to a mobile device risk management program: to evaluate the organization's current use of mobile devices against business needs and capabilities for mobile device security. With the relevant information in hand, risk managers then need to act, to do the hard work of developing and implementing policies and procedures. They should then follow that with mobile device security training to ensure their workforce is aware of the requirements and buys into the culture of security.