The 10 questions to ask during a mobile risk assessment
To both embrace the benefits of BYOD and shore up the security gaps created by it, ask these 10 questions when conducting a mobile risk assessment.
Companies have a lot to gain by "going mobile," but the end result could be disastrous without first conducting a detailed and thorough risk assessment. Among the very real possibilities of moving forward without one: loss of intellectual property to the competition, network breaches resulting in the loss of customer data, and the intrusion of malicious software and viruses onto internal networks.
These risks can be avoided with the implementation of new policies for device usage, device/network management technologies and enhanced skill sets for security administrators and application developers.
The first vital step is a comprehensive risk assessment that details what security measures are in place. This will illustrate the data and network risk gaps, as well as the steps needed to ensure a successful and secure mobile strategy implementation.
Determine the current corporate IT landscape
To begin your assessment, ensure your current information and network architecture is well-documented to provide a picture of what is accessible, by whom and from where. Some critical areas to consider are as follows:
- What are your current endpoints (data centers, servers, desktops and laptops)?
- How do your employees access the network internally and when remote (VPN, virtualization, etc.)?
- What network architectures are in place for wireless LAN and Wi-Fi, and who has access to what?
- What access control technologies are in place (such as LDAP and Active Directory), and how are they managed?
- What is each network segment connected to, both up and down stream (data servers, network drives, SharePoint sites, intranet/extranet sites, cloud storage, etc.)?
- How are corporate data and content classified, and how is their value determined? Whether it's customer and employee identity information, intellectual property, trade secrets, pricing, asset data, and so on, all need to be classified with an appropriate "risk of loss" value.
A mobile strategy like bring your own device (BYOD) will significantly increase the number of devices and users accessing the corporate networks from remote points that are beyond corporate control. The first phase of the risk assessment will identify what could be vulnerable and what would be the impact of data loss through a breach.
More than likely, your IT teams and information security specialists will need to make enterprise-wide updates to network technologies, access control products, and policies that govern use of and access to data stored on the corporate network. These updates are required before you can securely add personal devices through a BYOD program.
Extend to a mobile risk assessment
Now that you know the current IT landscape and the risk gaps that need to be shored up, it's time to extend the assessment to the BYOD program. When doing so, consider the following:
What types of devices will be allowed in the official BYOD program? There are many varieties of mobile devices, with more than a few mobile operating systems available. Unlike the single-source, vendor-managed systems from Microsoft and Apple, there is a variant of the Android OS for each handset provider, and even for each cellular carrier. As a result, you may not want to allow an off-brand, $50 Android tablet on the network.
What about the BYOD users themselves and the job functions of those employees? For example, what are the legal ramifications of granting an hourly employee access to work-related networks and content when away from the office and on their own personal time?
What data will be transferred, from where and to where, and by what means? It is critical to understand how compliance standards like PCI DSS, Sarbanes-Oxley and HIPAA will affect a company's standards for encryption, data transfer and network access.
What resident applications on the BYOD device will be allowed access to corporate data and servers? Internally developed, third-party and even publicly available applications can all be deployed to increase the productivity of the workforce. Yet with each application comes the potential for more risk and vulnerability.
With a complete understanding of what the BYOD program will entail and allow, a company can choose and deploy new technologies to manage risks. Choosing a mobile device management (MDM) product will allow you to control the devices accessing your systems, as well as what measures are automatically triggered when a non-compliant device requests access to sensitive networks.
Furthermore, the MDM technology will ensure the levels of encryption required by regulatory standards are present and enforced. A mobile application management (MAM) product will allow you to control which applications can and cannot have access, as well as facilitate distribution of corporate-approved applications to the device. Also, a mobile content management (MCM) product -- along with MDM and MAM -- helps enforce the controls set by the company to ensure only approved data and content are accessible to the mobile devices. There are several vendors in each of these categories, with some providing a robust bundled solution for all of these and more.
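The following is an added illustration, not code from the article or from any MDM/MAM product: it shows how the answers to the assessment questions above (which platforms and Android vendors are in the program, whether encryption is mandatory, which apps may touch each data classification) can be encoded as a policy that gates a device at the MDM layer before the MAM layer decides per application. All device attributes, vendor names and app names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example, not any MDM/MAM product's API: a compliance check that
# encodes the assessment answers on this page (platforms and Android vendors in
# the BYOD program, mandatory encryption, apps approved per data classification).
@dataclass(frozen=True)
class Device:
    platform: str               # "ios", "android" or "windows"
    vendor: str                 # handset maker; matters for Android variants
    os_version: tuple           # (major, minor)
    storage_encrypted: bool
    mdm_enrolled: bool

@dataclass(frozen=True)
class Policy:
    min_os_version: dict        # platform -> minimum version; absent = not in program
    android_vendors: frozenset  # approved Android handset makers
    require_encryption: bool    # driven by PCI DSS / HIPAA style obligations
    approved_apps: dict         # data classification -> apps allowed to access it

def check_device(device, policy):
    """Return the list of compliance failures; an empty list means compliant."""
    failures = []
    min_ver = policy.min_os_version.get(device.platform)
    if min_ver is None:
        failures.append(f"platform {device.platform} is not in the BYOD program")
    elif device.os_version < min_ver:
        failures.append(f"OS {device.os_version} is below minimum {min_ver}")
    if device.platform == "android" and device.vendor not in policy.android_vendors:
        failures.append(f"Android vendor {device.vendor} is not approved")
    if policy.require_encryption and not device.storage_encrypted:
        failures.append("device storage is not encrypted")
    if not device.mdm_enrolled:
        failures.append("device is not enrolled in MDM")
    return failures

def authorize(device, app, data_class, policy):
    """MDM gate first, then MAM gate. Returns (decision, reasons)."""
    failures = check_device(device, policy)
    if device.platform not in policy.min_os_version:
        return "deny", failures        # outside the program: nothing to remediate
    if failures:
        return "quarantine", failures  # trigger remediation instead of serving data
    if app not in policy.approved_apps.get(data_class, frozenset()):
        return "deny", [f"app {app} is not approved for {data_class} data"]
    return "allow", []

# Constructed sample policy; values are illustrative, not a recommendation.
POLICY = Policy(min_os_version={"ios": (16, 0), "android": (13, 0)},
                android_vendors=frozenset({"samsung", "google"}), require_encryption=True,
                approved_apps={"customer-pii": {"corp-crm"}, "public": {"corp-crm", "browser"}})
```

The quarantine path is where the "automatically triggered measures" in the text would hang, since a device that fails any check never reaches the per-application decision.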
With any new technology, there are always easy-to-see positives and hard-to-see negatives. Therefore, conducting a thorough mobile risk assessment will help a company see the potential risks and, in turn, illustrate the changes and incremental technologies required to facilitate a productive mobile strategy. It is important to understand that mobility is a direction and not a decision. The world is moving towards increased mobility with or without us, so it is best to embrace this inevitability and take all the appropriate steps needed to mitigate risks in order to reap the returns.
About the author:
Bryan Barringer is a technology and business operations expert who specializes in mobility, user adoption, UX/UI design, customer acquisition, product design/management, strategy and business development. Starting at FedEx in 1994, Bryan was tasked with evaluating mobile solutions for operations and sales professionals and went on to become leader of FedEx Services' Office of Mobility and Collaboration before leaving the company in June 2014. He is now an independent enterprise mobility consultant and speaker.