Mounting risks from mobile devices in the enterprise

At RSA Conference Europe 2012, RSA released a new research report from the Security for Business Innovation Council (SBIC) that addresses the continued surge of consumer mobile devices in the enterprise and shares security leaders’ insights on how to manage the fast-changing mobility risks while maximizing business opportunities.

Mobile threats are developing quickly and technologies keep shifting creating new security holes. As more and more consumer devices access corporate networks and store corporate data, potentially devastating consequences range from the loss or leakage of valuable intellectual property to brand damage if fraudulent access results in a high-profile security breach. The Council consensus is that the time is now for enterprises to integrate risk management into their mobile vision.

The potential benefits include increased agility, improved productivity, faster sales, and reduced costs. Capitalizing on the business opportunities of mobile computing is only possible if enterprises know the risks and how to manage them.

The report identifies today’s major sources of risk for the mobile enterprise and the outlook for the near future. It also answers critical questions such as:

• What are the most important mobile policy decisions and who should make them?
• How do you mitigate risks such as lost or stolen devices?
• What should be included in a “Bring Your Own Device (BYOD)” agreement?
• Why or why not use a mobile device management (MDM) solution?
• What are the requirements for designing secure mobile apps?

In the report, the Council presents five strategies for building effective, adaptable mobile programs:

Establish mobile governance – Organizations should engage cross-functional teams to set clear ground rules. Every mobile project should start by defining business goals, including expectations of cost savings or revenue generation, and by establishing the level of risk that the organization is willing to accept to achieve those goals.

Create an action plan for the near-term – Mobile security technologies are fast-moving and, in many cases, too nascent to allow organizations to make long-term mobile security investments. The Council lays out several stop gap measures and key steps to take over the next 12-18 months.

Build core competencies in mobile app security – Knowing how to design mobile apps in a way that protects corporate data is absolutely critical, yet many information security teams do not have the necessary level of expertise. The Council emphasizes it’s not just about bolting on security, but requires a careful examination of the app’s overall functionality and architecture, and they provide key design criteria.

Integrate mobility into long-term vision – Numerous trends are affecting long-term risk management planning. Organizations need to update their approach to security including risk-based, adaptive authentication; network segmentation; data-centric security controls; and cloud-based gateways.

Expand mobile situational awareness – Corporate security teams should deepen and continually refresh their understanding of the mobile ecosystem.

Art Coviello, Executive Vice President, EMC, Executive Chairman, RSA, said: “With the prevalence of mobile devices and applications, organizations have huge opportunities to create business value, but the accompanying risks are equally huge. This new report from the Security for Business Innovation Council provides strategic guidance that helps organizations not only reduce their mobile liabilities but also foster mobile programs that enable them to realize the full benefits of the mobile enterprise.”