1. Cybersecurity in the Age of Mobility: Building a Mobile Infrastructure that Promotes Productivity
An Economist Intelligence Unit research program sponsored by Booz Allen Hamilton
2. List of Interviewees
Chua Kim Chuan, Director, Identity & Security Services, Information Systems Division, MOH Holdings Pte Ltd., Singapore
Tom Downey, Director of Excise and Licensing of the City of Denver, Colorado, USA
Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America for online and mobile channels, USA
Andrew McIntyre, CEO, Medical-Objects Pty Ltd, Australia
Patty Mechael, Executive Director, mHealth Alliance, USA
Mark Olson, CISO, Beth Israel and Harvard Medical School, USA
Neil Robinson, Senior Analyst, RAND Europe
Rajesh Yohannan, Regional Head of e-Business, Citibank Asia

About the Survey
In August 2011, the Economist Intelligence Unit conducted a global survey, sponsored by Booz Allen Hamilton, of 340 executives to assess attitudes toward cybersecurity in the age of mobility. About one-half (51 percent) of survey respondents are board members or C-level executives, including 74 CEOs. The respondents are based in North America (31 percent), Western Europe (29 percent), Asia-Pacific (27 percent), Middle East and Africa (6 percent), Latin America (5 percent), and Eastern Europe (3 percent). More than one-half of the survey respondents (55 percent) work for companies with global annual revenues exceeding US$500 million. Nineteen different industries are represented in the survey sample, including financial services (21 percent); healthcare, pharmaceuticals, and biotechnology (13 percent); professional services (9 percent); transportation, travel, and tourism (9 percent); IT and technology (7 percent); and manufacturing (7 percent).
3. Contents
Executive Summary
Introduction
The Benefits of Mobility
Mobility Hazards and their Remedies
Loss of Mobile Devices
Vulnerability from Downloads
Sidebar: Financial Services: Pushing the Envelope
Inefficient Back-up Procedures
Responding to Mobile Security Challenges
Proper Back-up Procedures
Network Security and Remote Access
Developing Company Policies and Leadership
Sidebar: Healthcare: Meeting Opportunities as Well as Threats
Conclusion
About Booz Allen
About Economist Intelligence Unit
Cybersecurity in the Age of Mobility 1
4. Executive Summary
• The ascendancy of mobile computing offers companies enormous
opportunities to improve productivity, while presenting them with a
series of new security challenges. The ubiquity of mobile devices encourages
more people to take care of routine matters via simpler online apps. It also has the potential
to make structural enhancements in productivity. But to capitalize on these benefits,
companies will have to tackle a host of challenging new security issues.
• The rapid rise of mobile devices has led to a corresponding rise in mobile
cyber threats. Mobile devices are more likely to be lost through theft, accident, and
negligence. The “app store” culture of mobile devices leads to promiscuous downloads of
risky software by end-users. Mobile devices are likely to be connected through unsecured
and even hostile “Wi-Fi” network access points. And mobile devices are more likely to be
treated by the end-user as personal property not subject to the usual security practices
of the organization.
• The move to cloud computing is complicating the task. The most fundamental
organizational response involves setting up frequent and easy-to-use back-up procedures
for mobile devices. But organizations have incomplete and inadequate traditions for
backing-up and securing data stored in mobile devices. Giving employees “anytime,
anywhere” access allows them to be more productive, but that access inevitably weakens
the central network’s defenses against intruders. Some organizations respond by setting up
finer-grained controls over remote access.
• The most fundamental problem with mobile security is a lack of awareness.
Companies should make educational efforts on mobile computing a company priority.
Cyber-mobility policies need to address personal use, privacy, security of connection, and
how to handle missing or stolen devices.
• IT departments need to suggest new mobile technologies to other functions
to demonstrate that they want progress and can take the lead in implementation.
To do so, it is important to construct explicit projects with defined targets, benefits, costs,
and budgets. It is also important to set milestones of success and assess the value that
security provides.
5. Introduction: The Magnitude of the Challenge
Mobile devices have taken the world by storm. The Economist Intelligence Unit estimates that
four billion people use mobile devices of one kind or another. Three billion are using feature phones
to call and text, but one billion are now using smartphones to access the Internet as well. The global
movement to smartphones is still in its infancy. The devices are likely to experience double-digit sales
growth for the next 5 years as the world builds out 3G wireless networks and the devices themselves
become more powerful.
The move to smartphones will have a profound qualitative impact on computing. In 2014, more people will be accessing the Internet through mobile devices than via desktops, if current trends continue. This will change the nature of the global workplace. The Internet will be much more pervasive and embedded—the computing power necessary to perform many work tasks will be always on and available almost everywhere.

The ascendancy of mobile computing offers companies enormous opportunities to improve the productivity of a company’s employees. A few companies will continue to restrict their operations to a traditional workplace. But the vast majority will have to harness cyber mobility to remain competitive. To do so, they will have to tackle a host of challenging new security issues discussed in this report.

Both opportunity and difficulty lie clearly visible. According to the global survey of senior executives conducted for this report, organizations are already moving with determination to gain an advantage. Four in 10 executives (42 percent) say their organizations have revised business strategies in the past 3 years to reap the benefits of cyber mobility. The biggest problem caused by cyber mobility, according to the same executives, is new security threats (cited by 62 percent). Information is becoming a more central and essential organizational asset. Balance-sheet health has less to do with inventories of iron ore or shipping containers, and more to do with the knowledge held by experienced employees and digital records about prospective customers. Techniques for protecting and managing those intangible assets lag behind our needs, however. Even in the face of compliance laws including Sarbanes-Oxley, HIPAA, and PCI, massive data breaches regularly occur.

This report, written by the Economist Intelligence Unit and sponsored by Booz Allen Hamilton, explores cyber mobility and its security challenges. It details how—for a motivated and alert organization—security can be not just a problem, but also a strength.

A Definition: In this report, and in the survey conducted for this report, cyber mobility is broadly defined as “the ability to work anywhere (i.e., remotely from the office) through the use of mobile device(s), such as laptops and cell phones, and other devices that are connected to the Internet and are often used to enhance productivity.”

6. “Balance-sheet health has less to do with inventories of iron ore or shipping containers, and more to do with the knowledge held by experienced employees and digital records about prospective customers.”
Figure 1: Rapidly Rising Connectivity
[Chart: mobile cellular subscriptions per 100 inhabitants and Internet users per 100 inhabitants, 2000-2010, for Developed, World, and Developing.]
The developed/developing country classifications are based on the UN M49. See: http://www.itu.int.int/ITU-D/ict/definitions/regions/index.html
Source: ITU World Telecommunication/ICT Indicators database
7. Glossary of Common Mobile Security Terminology
App: Short for “application,” which is typically downloaded from an app store
Cloud Security: Security moves from “manual” protection of individual devices to the cloud, where a third-party provider is usually responsible
DLP: An acronym for Data Loss Prevention, DLP unifies protection from all hazards to data health, whether intentional or accidental, within the data center or at a remote location; DLP generalizes “back-up” and “disaster recovery”
Endpoint Security: The idea that each individual device (an endpoint) should be secured, as opposed to “centralized” or “moated” security, which emphasizes safety behind firewalls
MitMo: Short for “man in the mobile”, which is a type of malware that allows the perpetrator to monitor what the remote user does on the screen
Mobile Malware: Short for malicious software specifically designed for mobile devices, often distributed via e-mail or app stores
Phishing: An attempt to get users to click on a malicious link typically embedded in an e-mail or SMS
Security Token: Typically a small physical device through which users authenticate themselves
The Benefits of Mobility
Mobility offers many benefits to businesses but the core opportunity is enhanced staff productivity. Employees who are more connected—on the road or at home—are more efficient. In a 2011 report from the US Office of Personnel Management (OPM), 31 out of 33 federal agencies that track telework programs said they believed that enhanced productivity was the greatest benefit of mobility. “Look at the tablet technology,” says Mark Olson, CISO at Beth Israel and Harvard Medical School. “A physician can pull up specific results and tests on the iPad to show at the patient’s bedside.” In addition, he notes, physicians can review information on the go, even walking between buildings, to enhance their productivity.

The ubiquity of mobile devices provides another benefit: It also encourages more people to take care of routine matters immediately, via simpler online apps, rather than waiting for somebody to help them. The US public sector is making the most of this trend by offering more mobile government (m-government) information and services to constituents. Tom Downey, Director of Excise and Licensing of the City of Denver, Colorado, emphasizes that migration to online “e-systems” allows more citizens to “self-serve,” freeing trained staff to shift attention to strategic efforts.
8. “One-quarter of executives say their organization relies on cyber mobility to an overwhelming extent, and another 49 percent say it is of equal importance to productivity as other factors.”

80% of executives also say mobile devices will be more important to their work 3 years from now compared with today.
Cyber mobility can do more than boost productivity in a quantitative way: It also has the potential to make structural enhancements in productivity. Putting an iPad in a doctor’s hands can improve face-to-face encounters with patients, but it can have more dramatic effects when the physician is away on rounds at a different facility. If new results arrive for a patient, a nurse can update the physician, transmit test results, receive instructions based on the physician’s assessment of those tests, and start a new procedure hours before the physician is scheduled to return. In this situation, little of the doctor’s time is saved, but the impact on patient well-being might be enormous. More generally, cyber mobility’s greatest potential is not merely in saving costs, but in yielding greater results in revenues, profit, or other output measures.

Mobility also offers benefits on a more strategic level: It allows companies to extend their business and their brand beyond the bounds of the physical setting of their company. A well-designed mobile app allows a retail company to sell to customers anytime and anywhere—far from its bricks-and-mortar locations. For strategic executives, this is the ultimate goal: to be able to scale a good brand experience across town or across a continent. Cyber mobility opens the possibility for brand scaling beyond traditional approaches limited by physical presence.

Given the potential benefits, organizations are increasingly relying on mobility. One-quarter of executives say their organization relies on cyber mobility to an overwhelming extent, and another 49 percent say it is of equal importance to productivity as other factors. Eighty percent of executives also say mobile devices will be more important to their work 3 years from now compared with today.

Mobility also allows companies to:
• Launch and evaluate projects more quickly and with less overhead
• Improve service quality, allowing them to sidestep competition based on price
• Improve the length and intensity of customer relationships.

Survey respondents agree about the key benefits of mobility. Flexibility (chosen by 89 percent) and increased productivity (75 percent) are overwhelmingly cited as benefits, while a smaller number also say cost savings (24 percent). These potential benefits have caused more organizations to rely on mobile devices.
9. Figure 2: In your view, what are the biggest benefits associated with cyber mobility?
Select up to three.
Greater work flexibility 89%
Increased productivity 75%
Decentralization of key business operations 25%
Lower cost structure 24%
Improved innovation 17%
Taking advantage of new market opportunities 12%
Greater understanding of important future trends 9%
Increased revenue growth 5%
Increased profitability 4%
Deepened knowledge of consumer trends 4%
Other, please specify 3%
Don’t know 1%
Source: Economist Intelligence Unit survey, August 2011
Mobility Hazards and their Remedies
Companies that want to take advantage of the widespread promise of mobile devices will have to face a number of important security issues. The rapid rise of mobile devices has led to a corresponding rise in mobile cyber threats. In 2010, security company McAfee reported an increase in mobile malware by 46 percent, compared with the previous year.

But hostile actors may be growing faster than the mobile sector itself. According to Cisco’s 2010 Annual Security Report, improvement in traditional computer security awareness has led cyber criminals to target mobile users since the latter are generally less knowledgeable about the threats facing them and are, therefore, easier prey.
10. The threats are fueled by a number of issues:
• Mobile devices are more likely to be lost through theft, accident, and negligence;
• The “app store” culture of mobile devices leads to promiscuous downloads of risky software by end-users;
• Mobile devices are particularly apt to be connected through unsecured and even hostile “Wi-Fi” network access points;
• Organizations have incomplete and inadequate traditions for back-up and securing data stored in mobile devices; and
• Mobile devices are more likely to be treated by the end-user as personal property not subject to the usual security practices of the organization.
Loss of Mobile Devices
The increased use of mobile devices has made loss of the device an important problem. “You don’t lose your desktop,” says Rajesh Yohannan, Regional Head of e-Business, Citibank Asia. Yohannan notes that most of the data kept on mobile devices are recoverable because most organizations and individuals back up crucial assets, and the actual device can be replaced. He is particularly concerned, however, about protecting the data on a lost mobile device from cyber criminals.

Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America for online and mobile channels, USA, is also concerned about this issue. He notes people often put a lot of sensitive information into their phones. They set up e-mail accounts, store passwords, and download apps such as Facebook, which allows them to be signed in at all times. A cyber criminal who came across their device would have instant access to all of the data on the device and on the apps associated with it. That would allow them to correlate this information against other data sources and do significant damage. “You steal a phone for its virtual value—the information that is on it, the passwords that are stored there, e-wallet type programs,” agrees Neil Robinson, Senior Analyst at the RAND Europe think tank.

“A cyber criminal who came across their device would have instant access to
all of the data on the device and on the apps associated with it. That would
allow them to correlate this information against other data sources and do
significant damage.”
11. Vulnerability from Downloads
Unsuspecting users often download unfamiliar apps and information to their mobile device. “Cyber crooks see it as an opportunity because awareness is low,” says Yohannan. In the survey conducted for this report, about one-half of all executives confirm that they have downloaded an app for business use as well as personal use, indicating that they are downloading apps to a great extent and that they also mix business and personal use. Yohannan says users must be more careful of what they download and points out that this includes e-mail attachments, which are rarely scanned for viruses or malware.
Figure 3: Which of the following activities have you done on your mobile device(s) in the past three years? Select all that apply.
Checked business email 92%
Made a business phone call 90%
Browsed the Internet 87%
Made a personal phone call 84%
Checked personal email 76%
Downloaded an app for business use 54%
Downloaded an app for personal use 51%
Downloaded a security update 51%
Other, please specify 6%
I don’t have a mobile device 2%
Source: Economist Intelligence Unit Survey, August 2011
12. Financial Services: Pushing the Envelope
Financial services are moving to take advantage of mobile computing platforms in a big way. “The way we communicate with our customers and the way we market our services is changing radically,” says Rajesh Yohannan, Regional Head of e-Business, Citibank Asia. In the 18 months since it started its Asian mobile banking service, Citibank already has 500,000 users signed up.

Financial services executives queried in the survey conducted for this report are promoting mobility to a greater extent than their peers in other sectors. For example, 34 percent of them say their industry relies on mobility to enhance productivity compared to 21 percent of executives as a whole. Half (51 percent) of financial services executives also say their organization has revised its business strategy to reap the benefits of mobility compared to 42 percent of respondents as a whole.

51% of financial services executives say their organization has revised its business strategy to reap the benefits of mobility... compared to... 42% of respondents as a whole

But the financial services industry faces greater risks than others. Individual hackers and organized crime groups are actively seeking to exploit the slightest vulnerabilities. Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America, who conducts a monthly intelligence review of the top threats to the bank, says endpoint security was his biggest concern in early fall 2011. That was followed by customer spoofing—such as phishing, application security, mobile malware, and data loss. To improve security, Bank of America is doing three things: “We have pre-built security into our applications, we don’t store any unnecessary data on the phone, and any data stored is encrypted,” Gordon says.

Banks are also keeping a closer tab on the evolution of threats and informing
customers about their risks. “We scan forums where cyber criminals hang out
to track attacks even before they happen,” confirms Yohannan, who goes on to
explain that many perpetrators will discuss upcoming attacks with their peers
before executing them. Citibank has a group of people dedicated to this cause,
while other groups look to deal with the actual attacks and their aftermath.
Educating consumers is another way to improve security. Like many others,
Bank of America will proactively alert customers when there is unusual
account activity. A more innovative approach taken by the bank is to give
their customers one free year of protection from McAfee, a security software
company, in the hope that those customers will value the McAfee service and
continue to use it beyond the trial period, according to Gordon.
13. App stores pose a different problem. In response to the growing number of attacks via malicious apps, the European Network and Information Security Agency (ENISA), the agency overseeing Europe’s cybersecurity, published a report in September 2011 about the security implications of app stores. It found that today’s malicious apps target a variety of platforms and can tap into smartphone data, from business e-mails to phone calls. “Consumers are hardly aware of this,” said the authors of the report, Dr. Marnix Dekker and Dr. Giles Hogben.

One of the biggest threats in this area has been various versions of Zeus MitMo, a malware that hides in the background of mobile apps and allows the perpetrators to gather information from unsuspecting users. “We have seen a big uptick in malware, such as Zeus for mobile,” says Gordon, whose company tracks the top five threats against them on a monthly basis (also see sidebar on page 10).
Inefficient Back-up Procedures
In principle, proper back-up procedures make it possible to recover data lost on a physical device. But typical back-up procedures for mobile devices leave a lot to be desired. Data are backed up incompletely and, often, insufficiently.

It is also difficult to determine exactly what data need to be backed up because the nature of “data” has changed. “Everything used to be stored on the device,” says Robinson. “But nowadays cyber mobility is hard to separate from cloud computing.” Because of this, mobile security has to be closely tied to cloud security. Concentrating on endpoint security by backing up individual devices is becoming less important than cloud security—making sure the cloud data scattered across the world are secure.

That change has also led to shifts in responsibilities. In this new environment, back-up procedures are typically conducted by the cloud providers. “Companies of all sizes and individuals are at the mercy of providers,” agrees Robinson. Survey respondents also say the third biggest problem caused by cyber mobility in their organization today is the loss of control over data (cited by 34 percent).

Respondents agree with the commonly cited risks associated with mobility. They are concerned that their mobile device will be compromised as a result of loss (66 percent) and poor back-up procedures (55 percent). Downloads were fourth on the list of concerns (cited by 51 percent) after the use of insecure networks (52 percent), another growing problem which is associated with using various connections in remote locations.
14. The survey also revealed users may claim a higher degree of awareness regarding security than they put into practice. Nine out of 10 say they would alter their usage if they learned that it is likely that the information on their mobile devices can be compromised. Yet, 64 percent say efficiency gains outweigh any potential security risks when it comes to working remotely, and 68 percent say the same about the use of mobile devices.
Responding to Mobile Security Challenges
Organizations that want to take advantage of the benefits of mobility must find a way to face the security challenges that come with them. Even explicit policies often remain incomplete; in any case, part of the nature of security is a demand for continuing vigilance and renewal. At a tactical level, our survey shows attention in this area currently is focused on back-up procedures, security of remote access, and movement towards interoperability and standardization.
Figure 4: Which of the following areas are covered by your organization’s policy regarding the use of mobile device(s)? Select all that apply.
Personal use 78%
Privacy 71%
IT support 69%
Use of secure/insecure wireless connections 68%
Security software 64%
Missing or stolen devices 64%
Downloads (apps/games/other) 62%
Backup procedures or data loss 58%
The guidelines are general and I am not aware of my organization having any specific policies 6%
Other, please specify 3%
Don’t know 0%
Source: Economist Intelligence Unit survey, August 2011
15. Proper Back-up Procedures
The most fundamental organizational response involves setting up frequent and easy-to-use back-up procedures for mobile devices. But the move to cloud computing is complicating the task. “This is where everyone struggles and we do as well,” Mr. Olson admits. Backing up the data is relatively straightforward. The bigger problem is securing the data in case the device is lost.

To deal with the possibilities of lost devices, Olson tries to limit the amount of data resident on a particular mobile device and encrypts it. “We use an approach where data are fetched, viewed, and destroyed, in order not to leave any information resident on the device,” he explains. All information is stored at a central data center. From there, he can recover what was on the device at all times (regardless of whether the actual device is recovered or not). Inevitably, however, a small amount is still left on the device. To deal with this problem, he adds a remote wiping capability that allows him to erase data remotely if the device is lost.

Network Security and Remote Access
Another big problem involves controlling how mobile devices get remote access to organizational networks. Giving employees “anytime, anywhere” access allows them to be more productive, but that access inevitably weakens the central network’s defenses against intruders. A remote connection can serve as a pathway that allows a malicious app to access other users on the internal network.

Some organizations respond by setting up finer-grained controls over remote access: someone with accounting responsibilities, for example, might be permitted to prepare reports, but not to transfer funds remotely. Olson says remote access to his organization is controlled via a series of security steps, including software installation, a secure sockets layer (SSL) connection, a virtual private network (VPN) and, of course, regular changes of passwords.

In Singapore, Chua Kim Chuan, Director of Identity & Security Services, Information Systems Division, MOH Holdings, the holding company of Singapore’s public healthcare assets, also uses end-to-end encryption and strong authentication procedures. But Mr. Chua Kim Chuan goes one step further by requiring that employees carry small devices that generate numeric “one-time” passwords. These information tokens add a physical element to the authentication process.

“The trickiest part is to design a process that is easy while providing security,” says Mr. Chua Kim Chuan. Neil Robinson agrees. “If there are too many steps and passwords, then users will write them down,” he says. Writing instructions on paper, of course, defeats the whole purpose of a security procedure: If someone finds that piece of paper, the system’s security collapses. To balance convenience and safety, many organizations still require only a user name and password—even for remote access. However, a number of studies have shown that this combination is inadequate in most security situations.
16. While 71 percent of respondents agree that their organization has taken security measures regarding mobility, the quality of policies in this area may be uneven. When asked how prepared their organization is to address security or privacy threats in a variety of scenarios, respondents are least confident with regard to mobile devices: Only 22 percent say they are well prepared in this area, compared with 50 percent who say the same about online access and 59 percent about the use of desktop computers.
Figure 5: How prepared is your organization to address security or privacy threats to the following?
(Well prepared / Somewhat prepared / Not at all prepared / Don’t know)
The physical office location: 59% / 37% / 3% / 1%
The use of desktop computers: 59% / 38% / 2% / 1%
Online access: 50% / 43% / 5% / 1%
Mobile device(s): 22% / 63% / 14% / 2%
Source: Economist Intelligence Unit Survey, August 2011
Developing Company Policies and Leadership
Mobility is increasingly pervasive, and organizations must capitalize on it to remain competitive in the marketplace. Organizations must take a number of steps to respond to security challenges that mobility presents:
• Make educational efforts on mobile computing a company priority. The most fundamental problem with mobile security is a lack of awareness. Yohannan believes the lack of awareness is pervasive in organizations and is not limited to users of mobile devices. Educational initiatives need to start within the organization. “We educate senior executives about security in terms they can understand,” explains Gordon. To educate users about phishing, he will show them an actual phishing
17. Healthcare: Meeting Opportunities as Well as Threats
The healthcare industry has great hopes for mobile computing.
It is increasingly using mobility to enhance the productivity and flexibility of
its operations and to meet demands from patients. Electronic health (e-health)
initiatives are the most commonly cited benefit on the horizon. These initiatives
typically focus on developing electronic medical records (EMRs), which allow
employees to evaluate results remotely and communicate information quickly.
Telemedicine (tele-health) allows doctors to see their patients virtually and consult
them at a distance.
“From a security perspective, we have to look at all of this and see how we can
enable it,” says Mr Olson about the future of digital healthcare. The industry is at
a particular risk from mobility given the sensitive data it handles in the form of
patient records. “We are mostly targeted for the information we hold about people
and identity theft is our biggest threat,” observes Mr Olson. The primary suspects,
therefore, are organized crime groups, rather than nation-states or thrill-seeking
hackers. Their goal is to get a name and an address they can validate with another
source. “The more data they can correlate, the more value it has on the black
market,” he explains.
To deal with the threat, health organizations are creating a variety of security
policies. Survey results lend support to the idea that healthcare is a leader in policy
development. 84% of healthcare respondents say they have a policy regarding the
use of mobile devices compared to 77% in other industries. According to survey
responses, the policies adopted by healthcare organizations also cover important
aspects of security to a greater extent, such as privacy (89% vs 71%) and missing or
stolen devices (78% vs 64%).
The most pressing problem now, according to Andrew McIntyre, CEO of Medical-Objects
Pty based in Australia, is not the lack of policy, but its implementation
on the end-user side, as users of technology tend to trust vendors. Even in cases
where suppliers clearly understand security matters, they feel little incentive to
educate end-users focused on features and functionality outside the security
domain. In addition to traditional logins and passwords, Dr McIntyre is promoting
enhanced interoperability and better client-side security procedures, such as use
of security tokens. “We can encrypt the transfer of data but we are stuck with a
password to access it,” he says about the challenge to improve standards in the
industry. “While the technology exists for client side tokens, virtually nobody uses it.”
One way in which to overcome such challenges, according to Mr Olson, is for the
security team to push new products to the healthcare professionals, instruct them
in their benefits, and demonstrate their use. “By doing that we are out in front of the
partnership and we can control expectations and parameters of use,” he suggests.
18. e-mail used by hackers. “Our dashboard has both the simple terminology as well as the
technical one, but in the future I hope it will only have one,” he says about his
initiatives to educate management.
• Create comprehensive mobile security procedures. If there are no mandated security
standards, or if interoperability is an issue in secure communication, companies need
to set the standard internally. “There is no substitute for strong policies,” says Olson,
who is constantly looking to enhance security in his organization. It is also important
to make sure strong policies and standards are executed well and enforced properly. At
the very least, cyber mobility policies need to address personal use, privacy, security
of connection, and how to handle missing or stolen devices.
• Encourage IT departments to lead by example. IT departments are often seen by other
functions as an obstacle to greater mobility because they insist on various security
policies. This can encourage IT departments to resist the latest technologies before
proper security is in place or to establish too many passwords to access a system.
“Security teams should be enabling teams rather than disabling teams,” stresses Olson.
IT departments need to suggest new mobile technologies to other functions to demonstrate
that they want progress and can take the lead in implementation. To do this, it is
crucial to construct explicit projects with defined targets, benefits, alternatives,
costs, and budgets. It is also important to set milestones of success to manage project
risk, and develop technical capabilities to assess the value that security provides.
Conclusion
The stakes associated with failing to establish proper mobile security are high.
The costs associated with loss of a single customer record can be greater than a multiple of the lifetime
revenues expected of that customer.
Companies also need to construct written goals with objective criteria and track successes and failures
associated with mobile security. They need to demonstrate to employees and customers that the
organization is committed to mobile security. They need to keep stakeholders informed about the
company’s experience with mobile security issues, and monitor the impact of these efforts.
Security itself is often conceived in negative terms: data not leaked, lawsuits avoided, and authentication
nuisances reduced. Once companies do these steps well, they will find that security becomes a positive
value—customers and employees will become more comfortable and confident doing business with an
organization known for its security leadership.
19. About Booz Allen Hamilton
Booz Allen Hamilton is a leading provider of management and
technology consulting services to the US government in defense, intelligence,
and civil markets, and to major corporations, institutions, and not-for-profit
organizations. Booz Allen is headquartered in McLean, Virginia, employs more
than 25,000 people, and had revenue of $5.59 billion for the 12 months ended
March 31, 2011.
Booz Allen understands that cybersecurity is no longer just about protecting
assets. It’s about enabling organizations to take full advantage of the vast
opportunities that the ecosystem of cyberspace now offers for business,
government, and virtually every aspect of our society.
Those opportunities can be imperiled, however, by rapidly emerging cyber
threats from hackers (hacktivists), organized crime, nation states, and
terrorists. We help our clients in both business and government understand
the full spectrum of threats and system vulnerabilities, and address them
effectively and efficiently.
Booz Allen believes the key to cybersecurity today is integration—creating
a framework that “thinks bigger” than technology to encompass policy,
operations, people, and management. Through this Mission Integration
Framework, organizations can align these essential areas to address the real
issues, and develop cyber strategies and solutions that keep pace with a
fast-changing world.
To learn more, visit www.boozallen.com. (NYSE: BAH)
About the Economist Intelligence Unit
The Economist Intelligence Unit is part of the Economist Group,
the leading source of analysis on international business and world affairs. Founded in
1946 as an in-house research unit for The Economist newspaper, we deliver business
intelligence, forecasting and advice to over 1.5m decision-makers from the world’s
leading companies, financial institutions, governments and universities. Our analysts
are known for the rigour, accuracy and consistency of their analysis and forecasts,
and their commitment to objectivity, clarity and timeliness.