Mobile Device Management: The New Frontier in IT Security
Mobile devices have changed the landscape of IT asset management and data security policies. IT managers now have to develop and implement new processes to manage, control, and properly dispose of these devices. The biggest hurdle is the shift of power from the IT department to the employees themselves, which introduces a myriad of new risks. These include corporate data being available outside of a physical establishment, as well as the need to develop strategies for all makes of devices and operating systems. The overall goal should be to put in place a risk management approach that appeals to the interests of both the IT department and the end users, while reflecting and catering to the needs and interests of the organization as a whole.
Risks to consider
It can be very easy to get ahead of yourself when implementing a mobile device management plan and miss actual threats, vulnerabilities, and operating risks. It is important to remember that those who are trying to steal the data are always striving to be one step ahead of security measures. For instance, most organizations require device-level passwords and the ability to wipe the device remotely if it is lost or stolen. While both of these are great policies, alone they are not enough. Device-level passwords can easily be bypassed, and remote wiping requires some type of radio or internet connection to be executed. It is even possible for hackers to access a device's information without having physical access to the device; this often occurs when the device is connected to an unsecured Wi-Fi connection. All of these scenarios need to be taken into consideration before, during, and after the implementation of a mobile device management plan.
Balancing IT and the end-user
The one thing you want to make certain to avoid is favoring either side too much. If the focus is put primarily on security and management, you risk losing sight of the needs of the end user. Risk management is the key to finding this balance, as it helps you to consider both sides of the spectrum and weigh risk vs. reward. Every business will have different compliance standards, regulations, and requirements to follow, and it is important to take these into consideration as well. All of this is to be considered along with the main overall goal of security. You want to prevent data leakage, data loss, privacy loss, network exposure, network intrusions, and the fines and legal ramifications that can result from these risks.
Mobile Risk Management Guidelines
Below are some of the basics to follow in your general risk management practices:
1. Threats: Identify, define, assess.
2. Vulnerabilities: Compare threats and vulnerabilities to critical assets.
3. Associated Risk: Determine your risks, considering factors such as their likelihood and consequences.
4. Reduce: Find ways that these risks can be reduced or eliminated.
5. Prioritize: List the risks you have identified above in order of severity. Tackle the largest and most vulnerable aspects first.
Again, these are just some basics to consider. Keep an eye out for an upcoming white paper from TechR2 that will review this material and add more detail to these basic guidelines.