Loss of brand and market share. This is not just a recent concern for Tiger Woods (or better yet the PGA, Nike, etc.), but also for you and your company.
In my previous article, I wrote about the threat of malware to your mobile devices. In actuality, the biggest threat to your company (or data) is the physical loss of your device. The “Tiger Mobile Incident” as I like to call it (hmm TMI, that works on a few levels) is an excellent example of this.
I last wrote that protecting against mobile malware is an issue of social engineering and user education/awareness and not always an issue of technical controls around the device. In this case, physical protection of the device is about the technical controls of the device and user education/awareness (let’s face it, it’s always about end user education/awareness).
Here are some suggested minimum guidelines for what you should have deployed for your mobile management:
- Manage the device – Seems simple, but my guess is that there are many devices being used in corporate environments that are not under any management.
- Have a password policy (and of course, enforce it) – This is the hardest control for end users to get used to. Gone is the freedom of just picking up your device and using it. Remember, if it’s that easy for you to access, it’s just as easy for a thief to access (or your wife, right Tiger?).
- Have a short inactivity timeout – The most common places that cell phones are lost and quickly picked up are cabs and airports. In both cases, it’s unlikely that the devices are returned. If you do not have a short inactivity timeout before your phone locks itself, you are at risk of the data being accessed prior to the device locking.
- Have the ability to remotely wipe the device – This capability varies based on the mobile device as well as the device management platform. Regardless of which you choose, the ability to kill the device or wipe the data is recommended. (Side note: in areas of data loss disclosure, this may help keep you out of a lot of trouble.)
- Utilize encryption when possible – Depending on the device, you may have the ability to encrypt all of, or at least the important, data.
Mobile Device Management (MDM) platforms typically have these, plus many more controls depending on the software and the devices managed. These need to be aligned to your organization's needs and your particular risk tolerance.
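An added example, not part of the original article: a short Python check that runs a constructed device inventory against the five guidelines above and classifies what a finder could reach if each device were lost. The field names, the two thresholds and the exposure labels are assumptions made for illustration; a real MDM export will look different.

```python
from dataclasses import dataclass
# Assumed thresholds: the article names the controls, not the values.
MIN_PASSCODE_LENGTH = 6
MAX_IDLE_LOCK_SECONDS = 300

@dataclass
class Device:
    owner: str
    managed: bool
    passcode_length: int     # 0 = no passcode set
    idle_lock_seconds: int   # 0 = never locks on its own
    remote_wipe: bool
    encrypted: bool

def audit(d):
    """Return the guidelines from the list above that this device fails."""
    if not d.managed:
        return ["unmanaged"]  # nothing else it reports is enforced
    gaps = []
    if d.passcode_length < MIN_PASSCODE_LENGTH:
        gaps.append("password policy")
    if not 0 < d.idle_lock_seconds <= MAX_IDLE_LOCK_SECONDS:
        gaps.append("inactivity timeout")
    if not d.remote_wipe:
        gaps.append("remote wipe")
    if not d.encrypted:
        gaps.append("encryption")
    return gaps

def exposure_if_lost(d):
    """Classify what a finder can reach if the device is left in a cab."""
    gaps = audit(d)
    if "unmanaged" in gaps:
        return "unknown"      # no visibility into the device at all
    if "password policy" in gaps:
        return "open"         # data readable as soon as it is picked up
    if "inactivity timeout" in gaps:
        return "window"       # readable until the screen finally locks
    if gaps:
        return "at-rest"      # locked, but data stays on the device
    return "contained"

INVENTORY = [  # constructed sample records, not real data
    Device("alice", True, 8, 120, True, True),
    Device("bob", True, 0, 0, True, False),
    Device("carol", False, 0, 0, False, False),
    Device("dave", True, 6, 900, True, True),
    Device("erin", True, 6, 60, False, True),
]
```

Calling `exposure_if_lost` on each record sorts the fleet by how bad a loss would be, which is a more useful view for prioritizing fixes than a flat pass/fail list.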
These technical controls help mitigate the risk of data loss if a device is physically lost, but we still have the issue of end user awareness. Often we like to use personal references as much as possible in our end user awareness programs. When you can make something relate to your personal life, it makes it easier to understand. We now have Tiger to thank for a great scenario to present to all end users that they will be able to understand and remember.
Now if Tiger had only had his phone locked…