Things to consider in your mobile security strategy
As most IT Managers know, crafting and executing an effective Mobile Security Strategy is a difficult and thankless task. On one side, corporate management wants an effective security strategy but doesn’t want the execution of the strategy to impede productivity. On the other side, the end users, the first line of defense in any security strategy, are often reluctant to adopt new procedures. The key is to adopt a Security Strategy that complies with regulatory requirements and corporate guidance, minimally impacts productivity, and features automatic adoption by the end users. Apricorn’s family of secure drives meets and exceeds these criteria.
Costs of a Data Breach
If your company has an extra $7.2 million sitting around, you can probably weather the average data breach. This figure comes from a new study conducted in 2010 by the Ponemon Institute. Even for smaller businesses, the cost still averages out to $214 per compromised customer record. Considering that many smaller businesses gross less than $250 per customer yearly, a single data breach could cripple or even bankrupt a smaller business.
Any business with an international customer base needs to be especially diligent. The American Bar Association’s Data Breach and Encryption Handbook has over 300 pages devoted to unraveling data breach laws from around the world.
The cost per compromised record includes not only direct costs such as system protection (better late than never), outside consultants, and costs to protect the identities of the affected customers, but also some harder-to-quantify (and longer-lasting) impacts such as loss of corporate reputation, business impact from lost revenue, and long-term impact from lost customers and trade secrets. To add insult to injury at the corporate level, companies may also be subject to substantial governmental fines. On a personal level for both the IT Manager and corporate officers, further impacts range from a loss of job security to potential jail time.
Is Your Security Strategy Truly Mobile?
A security report issued early in 2011 by Cisco showed that cybercriminals are increasingly turning away from PCs and concentrating their efforts on the much softer targets provided by mobile devices. Mobile devices, which have become de rigueur at all levels of the corporate structure, offer easier unauthorized access for remote theft as compared to stations on the physical network. Additionally, mobile devices are often specifically targeted for physical theft. Finally, to the bane of both corporate IT departments and accountants, corporate users sometimes simply lose their devices, allowing the janitor or cab driver to have an advance view of the next year’s sales plan or the company’s next SEC filing.
To be effective, IT Managers need to break out from the current corporate thought process and extend the concept of the mobile security strategy to corporate-issued, and sometimes personal, mobile devices.
A Collage of Band-Aids Does Not a Strategy Make
Data security regulation and corporate guidelines are constantly evolving in reaction to new and highly publicized data breaches. For companies with a reactive stance, these developments can lead to an ineffective and disjointed Security Strategy. By taking a proactive stance and building and implementing a security strategy from the end user upward, IT managers are able to execute a low-cost strategy that addresses current requirements and anticipates likely future requirements.
Regulated industries, such as Health Care and Financial Services, generally have stated security policies. For example, HIPAA states that encryption must protect the contents of sensitive data until the user is authenticated. Additionally, the files must be encrypted when the storage device is at rest, as is the case with Apricorn’s family of secure drives.
Due to the impact to ongoing operations, publicly traded companies subject to Sarbanes-Oxley have found an increasing need to publish a security policy to satisfy potential liability to corporate officers. However, existence of a Security Policy is not evidence of the effectiveness of a Security Policy.
Eliminating the Option of Non-Compliance
Even the best security policy is useless if end users fail to or refuse to adhere to the policy. Corporate education can help; oftentimes users really have no clear concept of everything that is included in the data they save.
The best and most effective Security Strategies bypass the opportunity for human error and rely extensively on security measures which eliminate the opportunity for non-compliance. Companies that only source, use, and allow secure drives with built-in hardware encryption eliminate or substantially reduce the risk of exposing sensitive data.
An emerging and effective trend is the use of hardware encryption over software encryption. The advantages include accessibility without additional software, which also eliminates the need for periodic, costly, and time-consuming software updates. Additionally, these drives are platform independent and eliminate the issue of software administrator rights on end user equipment.
In the tactical execution of a Security Strategy, passwords must be easy to set up and change, with a separate Administrative Password giving the IT Manager an element of control in case of lost or forgotten passwords.
In case of malicious theft of secure drives, the data must be protected against brute force attacks like automated attempts to generate the correct PIN. Additionally, drives need to support corporate guidelines regarding password generation, incorporating issues such as character length and limitation of successive characters.
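The two requirements above (a PIN policy and resistance to automated guessing) can be modeled in a few lines. This is an added example, not vendor firmware or code from the original article; the thresholds, the reading of "successive characters" as repeated or consecutive digits, and all names are assumptions.

```python
# Added illustration; policy values are assumptions, not any vendor's specification.
import hmac
MIN_LEN = 7          # assumed minimum PIN length
MAX_RUN = 2          # assumed longest allowed run of repeated or consecutive digits
MAX_ATTEMPTS = 10    # assumed failed-unlock limit before the key is destroyed


def longest_run(pin: str) -> int:
    """Length of the longest run of identical, ascending or descending digits."""
    best = 1
    for step in (0, 1, -1):
        run = 1
        for a, b in zip(pin, pin[1:]):
            run = run + 1 if int(b) - int(a) == step else 1
            best = max(best, run)
    return best


def pin_policy_errors(pin: str) -> list[str]:
    """Return the policy violations for a candidate PIN (empty list = acceptable)."""
    if not (pin.isascii() and pin.isdigit()):
        return ["digits only"]
    errors = []
    if len(pin) < MIN_LEN:
        errors.append("too short")
    if longest_run(pin) > MAX_RUN:
        errors.append("repeated or sequential digits")
    return errors


class UnlockCounter:
    """Counts consecutive failed unlocks and discards the key at the limit."""
    def __init__(self, pin: str):
        self._pin, self.failures, self.key_destroyed = pin, 0, False

    def try_unlock(self, guess: str) -> bool:
        if self.key_destroyed:
            return False  # key is gone; even the correct PIN no longer works
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        self.key_destroyed = self.failures >= MAX_ATTEMPTS
        return False


def guess_probability(pin_len: int) -> float:
    """Approximate chance a thief guesses the PIN before the key is destroyed
    (ignores the small number of PINs the policy excludes)."""
    return MAX_ATTEMPTS / 10 ** pin_len
```

With these assumed values, a thief holding a drive protected by a 7-digit PIN has roughly a one-in-a-million chance of unlocking it before the key is discarded, which is why the attempt limit matters more than PIN length alone.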
Use of these drives quickly becomes the corporate norm. With minimal training, accessing the data does not incur a loss in productivity and the gain in data security leads to more restful nights for corporate users, IT Managers, and corporate officers. Given the choice, it is far better to justify the replacement of a secure drive for a couple hundred dollars than to weather a $7 million hit in business revenue due to a data breach.