There are many benefits to the growing use of mobile computing. It allows information to be available whilst working on the move, in remote or home working situations. It can improve both the customer experience and the working lives of staff. The increasing trend to Bring Your Own Device (BYOD) allows staff to use their personal mobile devices to conduct business activities. This can increase productivity and reduce costs for organisations, but it also increases the challenge of effectively managing corporate information stored on mobile devices.
What are the risks?
Information is no longer retained behind the corporate firewall. It is mobile. It is moving in terms of physical geography, type of mobile device and communications channel. Even where the data held is not as confidential as within a Government organisation, a laptop left in a taxi or a stolen smartphone can have a significant effect on the business operations and reputation of an organisation. It is essential that an organisation implements – and is seen to implement – robust information governance procedures for mobile devices.
What should an organisation do?
It is essential that the use and control of mobile devices is assessed and managed on the basis of risk. The organisation requires a clear understanding of the mobile devices that it owns or permits in use, who they are used by, for what purposes and what information is stored and processed on them. This can be achieved in three steps:
Create a mobile security policy
The mobile security policy should set out the key policies and procedures covering issues such as:
- What is acceptable use?
- How are mobile devices used and secured?
- How can mobile devices connect to the internet or other networks to transfer information?
- Which information can be used or sent? Which can’t?
- What happens in the event of a loss or theft?
Minimise the risk of loss
In order to reduce the risk of loss or theft an organisation’s policy should ensure staff:
- Make sure that laptops are physically secured to desks wherever possible
- Make sure that mobile devices are secured when not in use
- Do not leave mobile devices unattended when out of the office or home
- Do not keep security and authentication items – such as tokens – with the mobile device
- Minimise the amount of data held on a device
- Back up their devices and data held on them
Prevent unauthorised disclosure
Despite all best efforts to prevent a device being lost or stolen, unforeseen incidents do happen. It is important to ensure information on the mobile device cannot be viewed or extracted. The following measures should be considered and implemented where required:
- Basic device or operating system passwords as a minimum
- The more confidential and sensitive the information, the more sophisticated the security and authentication required. Data can be encrypted. Users can be authenticated to the device using biometrics such as fingerprint recognition
- Laptops, PDAs and smartphones benefit from a remote wiping facility so that the device can be cleared and rendered useless if lost or stolen
- Laptops, PDAs and smartphones benefit from a remote back-up facility so that only a minimum amount of information ever needs to be held on the device
Checklist
- Establish a mobile security policy
- Make sure that your devices are physically secure when unattended
- Keep information on any device to a minimum
- Encrypt devices and removable media
- Ensure level of security reflects the confidentiality/value of the information
- Ensure the device has remote back-up and wipe facilities
- Ensure that all staff know what to do if their mobile device is lost or stolen