I first started working on the security of truly pocketable mobile computing devices in the workplace (not counting the first programmable pocket calculators, or the luggable computers that could not be hidden in a pocket) when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993. They presented some serious information security risks to the company. If the information security risks were considered significant 20 years ago, the additional information security and privacy risks today are comparatively staggering.
Where is it?
Probably the number one risk back then was the tendency to lose or misplace the device. It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today are still prone to being forgotten and lost. And, because they are used by the majority of the population now, they are also common targets of thieves. And think about all the new types of mobile computing devices emerging and entering the consumer market: wearables such as Google Glass and iWatch.
Any type of mobile device used for any type of business purposes today, even those owned by employees (such as in the bring-your-own-device, or BYOD, business environments) must be appropriately secured and meet the associated compliance requirements. Every organization needs to have a plan to ensure such security is appropriately implemented, and also to address data protection and privacy compliance requirements.
Make your plan and educate your organization
IBM Midmarket recently published a nice overview with six tips and recommendations for securing mobile devices.
- Apply mobile device management software. Make sure a mobile device policy exists, all your personnel know and understand it, and implement appropriate technologies to support the policy.
- Rethink your perimeter strategy. Implement controls and solutions to address remote workers as well as those within your facility.
- Classify, classify, classify. Controls should be based upon the classification of data. The more sensitive and critical the information, the more safeguards that are necessary.
- Make security relatable and understandable. Start by identifying the individuals with the mobile devices that contain the most sensitive information.
- Undertake a functional exercise. Determine how those mobile devices are used, and how to best secure them based upon how they are used.
- Be prepared for devices that will inevitably get lost. Install remote wipe, geo-location, password protection and encryption on the devices.
Look at the slides to get more of the details for the above.
More tips
In addition to these, I recommend organizations of all sizes also do the following for mobile computing device security and privacy:
Inventory
- Maintain a constantly updated and comprehensive business computing device inventory, including all types of mobile computing devices.
- Include not only the devices owned by your organization, but also the devices owned by your employees and contracted workers that are also used for your organization’s various business activities, data access and storage.
- Be sure to document the types of data stored on each mobile device.
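The inventory described above only pays off when it drives the controls: the "classify, classify, classify" tip says safeguards follow the sensitivity of the data, and the lost-device tip lists the controls (passcode, encryption, remote wipe, geo-location) that should already be on the device before it goes missing. The following script is an added example, not code from the original post or from IBM; the inventory records, classification levels, control names and BYOD flag are constructed placeholders to be mapped onto your own MDM export and classification scheme. It audits each device against the controls its most sensitive data requires, flags devices whose data types were never documented, and lists BYOD devices with location tracking enabled so the after-hours tracking privacy question can be reviewed under policy.

```python
"""Inventory-driven mobile device control audit (added example, not from the post)."""
from dataclasses import dataclass, field

# Constructed policy: controls required for the most sensitive data on a device.
# Levels are ordered from least to most sensitive.
REQUIRED_CONTROLS = {
    "public": {"passcode"},
    "internal": {"passcode", "remote_wipe"},
    "confidential": {"passcode", "remote_wipe", "encryption", "geolocation"},
    "restricted": {"passcode", "remote_wipe", "encryption", "geolocation", "mfa"},
}
RANK = {level: i for i, level in enumerate(REQUIRED_CONTROLS)}


@dataclass
class Device:
    device_id: str
    owner: str
    byod: bool                    # employee-owned device used for business
    data_types: dict              # data type -> classification level
    controls: set = field(default_factory=set)  # controls confirmed installed


def highest_classification(device):
    """Controls follow the most sensitive data present, not the average."""
    if not device.data_types:
        return None
    return max(device.data_types.values(), key=RANK.__getitem__)


def audit(inventory):
    """Return (device_id, finding) pairs for devices that fail the policy."""
    findings = []
    for d in inventory:
        level = highest_classification(d)
        if level is None:
            # An inventory entry with no documented data is itself a gap.
            findings.append((d.device_id, "inventory incomplete: no data types documented"))
            continue
        missing = REQUIRED_CONTROLS[level] - d.controls
        if missing:
            findings.append((d.device_id, f"{level}: missing {sorted(missing)}"))
    return findings


def byod_tracking_review(inventory):
    """BYOD devices with location tracking: policy must cover off-hours tracking."""
    return [d.device_id for d in inventory if d.byod and "geolocation" in d.controls]


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = [
    Device("tab-001", "alice", False, {"marketing brochures": "public"}, {"passcode"}),
    Device("phone-002", "bob", True,
           {"customer PHI": "restricted", "email": "internal"},
           {"passcode", "remote_wipe", "encryption"}),
    Device("glass-003", "carol", True, {}, {"passcode"}),
    Device("phone-004", "dave", False, {"contracts": "confidential"},
           {"passcode", "remote_wipe", "encryption", "geolocation"}),
    Device("watch-005", "erin", True, {"calendar": "internal"},
           {"passcode", "remote_wipe", "geolocation"}),
]

if __name__ == "__main__":
    for device_id, finding in audit(SAMPLE_INVENTORY):
        print(f"{device_id}: {finding}")
    print("BYOD devices with tracking to review:", byod_tracking_review(SAMPLE_INVENTORY))
```

Running it reports phone-002 as missing geo-location and MFA for its restricted data and glass-003 as an incomplete inventory entry, while tab-001 and phone-004 pass; watch-005 passes the control check but is listed for the BYOD tracking review. The point of keying the policy on the highest classification present is that a device holding mostly public material plus one file of protected health information must be treated as a restricted device.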
Tracking the devices
- As stated in the IBM slides, use tracking software on the hardware, such as software that works with RFID tags and/or GPS locators. Be sure to use software that reports the information back to an authorized person or team responsible for maintaining the device inventory, and not to a public site.
- Be sure to follow any existing, or implement new, policies for appropriate use of RFID and GPS locators. Be sure to address the accompanying privacy issues (e.g., tracking after work hours) within the policies.
- Avoid disclosing geo-location data to public online sites while doing work activities. Third-party mobile device applications (“apps”) may invite you to “check in” or otherwise post or disclose your exact physical location. The physical location could reveal confidential information about customers or business activities, which could cause a problem.
- Turn off online location reporting tools and apps on mobile devices, and turn them on only when your location needs to be, or would benefit from being, known by others.
Photos and videos
Some good guidelines to follow when using mobile devices, including wearables such as Google Glass or iWatch:
- Do not take photos or videos of anything containing personal information and send them through public networks, or store them on the device, without first encrypting them.
- Do not take photos or videos of any personal information within work areas, or while doing work activities.
- Do not take a photo or video of any sensitive activities, such as surgical procedures, without written authorization from the facility and patient.
- Do not post any photos or videos that include personal information obtained while doing work activities to Facebook, Instagram, or any other internal or external social media sites.
Data retention
- Do not retain data, videos or photos that include personal information on mobile devices for any longer than necessary to support the purposes for which they were collected.
- Irreversibly remove all personal information from mobile computing devices prior to disposing of them, or giving them to others to use.
Unauthorized users
- Do not allow others, such as family members or friends, to borrow, use or inspect mobile devices that are used for business purposes.
- Maintain possession and control of mobile computing devices to avoid loss and theft.
Wearable computing devices
- Wearable computing devices (such as smart glasses, smart watches and other emerging wearable data collection technologies) raise privacy concerns for many. Do not wear such computing devices within client sites, or other types of business areas, unless the site owners have approved such use.
- Never use wearable computing devices in areas where privacy is necessary, such as restrooms, dressing rooms, and so on.
Third party data sharing
- Do not share data collected on mobile devices with third parties unless appropriate contracts are in place and safeguards have been validated.
- Document all third parties with whom mobile computing device data is shared, and that have access to mobile computing devices.
Security settings
- Require at least two-factor authentication for business applications that any type of mobile device can access.
- Internet connections for mobile, including wearable, computing devices used for business purposes should be configured to use the business network. This will provide IT with the ability to monitor and filter the communications link of the wearable devices used for business purposes.
Of course, many additional steps need to be taken to have a comprehensive information security and privacy compliance program. But these topics are the ones most often overlooked, and they are important to address.
Bottom line for organizations of all sizes…
Every business, of any size, in any location, that uses mobile computing devices during the course of business (and you would be hard-pressed to name any that truly does not) needs to have mobile computing device information security and privacy policies and procedures in place. And make sure all your folks know, and follow, the policies.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW ) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.