Managing Mobile Menaces

The use of laptops and smartphones is growing, and mobile data breaches are growing with it. To protect highly sensitive corporate data, CIOs need to take mobile risk strategies more seriously, including centralized management, auditing and reporting, and policy enforcement.

Published in: Technology, Business

  1. Managing Mobile Menaces: A Strategy for Managing Mobile Risks
     By Nalneesh Gaur, CISSP, [email_address], Diamond Management & Technology Consultants
  2. Mobile Technology Space is Crowded
     Mobile technology refers to the plethora of portable solutions that enable organizations to conduct business from anywhere at any time.
     [Diagram: devices plotted by connectivity (Plugged; Local Area: Wi-Fi, BT; Wide Area: CDMA, WiMax, 3G) against purpose (Special Purpose to Multi-Purpose). Devices shown: Memory stick, Digital Camera, MP3 Player, GPS, OnStar, Mobile Phone, PDA, Smartphone, Tablet PC, Notebook PC.]
  3. Mobility is Everywhere and Growing
     • Mobile voice and data spending represented almost a quarter of the FY 2005 telecom budget [1]
     • Two-thirds of US households and businesses now have wireless networks [1]
     • One in seven US households has a smartphone [1]
     • The smartphone market grew over 70 percent in 2005 and will grow significantly during the next five years [2]
     • Microsoft estimates that there are nearly 12 million smartphone devices in use
     Sources: [1] Forrester Research, 2006; [2] In-Stat Research, 2006
  4. Mobility Risks Stem from Data Breach
     • Often the data on a mobile device is far more valuable than the device itself and must be protected accordingly
     • Breach of Personally Identifiable Information (PII) is governed by several state, federal and industry regulations, for example HIPAA, GLBA, California SB 1386 and PCI
     • 32 US states have passed laws requiring businesses to notify affected individuals in the event of a breach
     • More than 54% of all security breaches resulted from the loss of a laptop, mobile device or electronic backup (2006 Ponemon Institute report)
     • Last year, antivirus vendors detected more than 200 phone viruses
     • Attack vectors such as spyware, phishing, pharming, malware, zero-day browser attacks and botnets are climbing rapidly
     • According to Trend Micro, almost 30 types of malware have been found for Windows-based smartphones alone
  5. Data Breach is a Business Issue
     • Loss of PII, trade secrets and business documents in a data breach is a business issue that extends beyond the IT department
     • A data breach results in both direct and indirect costs to the business
       ◦ Direct costs: legal, correspondence and personnel costs
       ◦ Indirect costs: lost sales, legal liabilities and loss of customer trust
     • Negative publicity is expensive and drains the confidence of buyers, partners, customers and investors
     • A McAfee study found that a third of respondents believe a major data-loss incident involving accidental or malicious distribution of confidential data could put them out of business
  6. Combat Mobility Risks with MTRS
     The Mobile Technology Risk Strategy (MTRS) has four components, developed in turn on the following slides: Business Case, Governance, Security Requirements and Execution Roadmap.
  7. Develop Business Case by …
     • Assessing the threat of a data breach and its impact on the business
     • Quantifying the direct costs of the impact:
       ◦ The direct incremental cost of a data breach is $54 per lost record, according to an August 2006 Ponemon Institute report
       ◦ Typically, the per-record amounts are higher for smaller data breaches because the legal, correspondence and personnel costs are spread across a smaller base
     • Identifying other indirect consequences:
       ◦ Fines and penalties, including civil and criminal penalties [1] for company officials found negligent in protecting customers' personal information
       ◦ Class-action lawsuits, damage to market value, loss of business relationships and even bankruptcy
     [1] HIPAA non-compliance carries a civil penalty of $100 per violation, up to $25,000 per year for the same violation, and criminal penalties of up to $250,000 and 10 years in prison for disclosure under false pretenses with intent to sell or use for commercial gain or malicious harm
  8. A Business Case is Based on Risks
     ARO (annualized rate of occurrence) is the estimated frequency at which a threat will occur within a year, expressed on an annual basis: a threat occurring once in 10 years has an ARO of 0.1; a threat occurring 50 times in a year has an ARO of 50. PII = Personally Identifiable Information.
     [Diagram: risks grouped into Financial Risks and Business Risks.] Examples:
     • Drop in stock price: on Feb. 1, TJX stock closed down more than $1 (3.6 percent) at $28.49 a share, on volume three times the daily average, owing to the data security breach
     • Loss of business relationship: Visa USA Inc. and American Express Co. stopped doing business with CardSystems
     • Damage to brand reputation: a Ponemon Institute study found that the loss due to customer churn averaged $2.6 million for companies with breached data
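The ARO defined on slide 8 is one factor of the standard quantitative risk model, ALE = SLE × ARO, which turns the per-record cost quoted on slide 7 into the yearly exposure a business case needs. The following Python worksheet is an added example, not code from the deck or its author: it ranks constructed mobile-loss scenarios by the net annual benefit of a candidate control (avoided ALE minus the control's annual cost). The scenarios, record counts, AROs, controls and control costs are assumptions made for illustration; only the $54 per-record figure comes from the deck.

```python
"""Quantitative risk worksheet for the mobile-technology business case.

Added example; it is not part of the original deck. It applies the
standard quantitative risk model in which the annualized rate of
occurrence (ARO, as defined on slide 8) multiplies the single loss
expectancy (SLE) to give an annualized loss expectancy (ALE), and it
compares the ALE reduction a control buys against what the control
costs. The $54 per-record figure is the Ponemon number quoted on
slide 7; every scenario, record count, ARO, control and control cost
below is constructed for illustration, not taken from the deck.
"""
from dataclasses import dataclass

COST_PER_RECORD = 54.0  # USD per lost record, Ponemon Institute, Aug 2006 (slide 7)


@dataclass(frozen=True)
class Scenario:
    name: str
    records_exposed: int         # PII records on the device or medium
    aro: float                   # expected occurrences per year (0.1 = once a decade)
    control: str                 # candidate mitigation (hypothetical)
    control_annual_cost: float   # USD per year to run the control (constructed)
    residual_factor: float       # share of the loss that remains with the control in place


def single_loss_expectancy(records_exposed: int,
                           cost_per_record: float = COST_PER_RECORD) -> float:
    """SLE: direct incremental cost of one breach event."""
    return records_exposed * cost_per_record


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected yearly loss from one threat."""
    return sle * aro


def evaluate(scenario: Scenario) -> dict:
    """ALE with and without the control, and the control's net annual benefit.

    A negative net benefit means the control costs more per year than the
    direct losses it avoids; the indirect costs on slide 5 are not in this
    figure and may still justify it.
    """
    sle = single_loss_expectancy(scenario.records_exposed)
    ale_before = annualized_loss_expectancy(sle, scenario.aro)
    ale_after = ale_before * scenario.residual_factor
    net_benefit = (ale_before - ale_after) - scenario.control_annual_cost
    return {
        "name": scenario.name,
        "control": scenario.control,
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": net_benefit,
    }


def rank_by_net_benefit(scenarios) -> list:
    """Order threats by the direct loss each control avoids per year, net of its cost."""
    return sorted((evaluate(s) for s in scenarios),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenarios for a mid-sized company; the figures are illustrative only.
SCENARIOS = (
    Scenario("Lost or stolen laptop holding a customer extract", 20_000, 2.0,
             "Full-disk encryption with pre-boot authentication", 60_000.0, 0.05),
    Scenario("Smartphone with synchronized customer e-mail", 500, 10.0,
             "Device PIN policy with remote wipe", 25_000.0, 0.20),
    Scenario("Unencrypted backup tape lost in transit", 200_000, 0.1,
             "Encrypted backup media with chain of custody", 40_000.0, 0.02),
    Scenario("Memory stick carrying a project spreadsheet", 50, 20.0,
             "Managed, encrypted USB drives", 60_000.0, 0.10),
)


if __name__ == "__main__":
    print(f"{'Threat':<48} {'ALE before':>12} {'ALE after':>12} {'Net benefit':>12}")
    for r in rank_by_net_benefit(SCENARIOS):
        print(f"{r['name']:<48} {r['ale_before']:>12,.0f} "
              f"{r['ale_after']:>12,.0f} {r['net_benefit']:>12,.0f}")
```

Running the file prints the scenarios ranked by net benefit. The last row is the caveat practitioners hit with this model: on direct costs alone, the USB control comes out negative, and the indirect costs on slide 5 (churn, lost relationships, fines) have to be argued for it separately rather than folded into the $54 figure.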
  9. Develop Governance Structure by …
     • Identifying relevant business units likely to be impacted
     • Communicating the business case to the concerned business unit leaders
     • Establishing a steering committee with participation from:
       ◦ Marketing
       ◦ Legal
       ◦ Customer-relationship departments
       ◦ The Chief Security Officer (CSO) and other risk managers
     • Defining the goals and objectives for managing mobility risks
     • Writing a mobile policy
  10. A Mobile Policy addresses …
     • Types of devices
     • Permitted technologies
     • Trusted devices
     • Data protection methods
     • Accessible information
     • Lost devices
     • Line-of-Business (LOB) applications
  11. Develop Security Requirements by …
     • Taking stock of your mobile assets
       ◦ Who uses mobile technology, and for what purposes?
       ◦ What types of mobile technologies are being used?
       ◦ How often and where?
     • Understanding the information on mobile devices
       ◦ What data is stored on devices?
       ◦ What types of information are exchanged between a device and business systems?
     • Understanding existing protection measures
       ◦ What authentication mechanism protects the device?
       ◦ What data is encrypted?
     • Understanding existing processes
       ◦ What software is used to synchronize or back up mobile devices?
       ◦ What process is in place to retire or dispose of the equipment?
     • Tracking emerging mobile technologies
  12. Develop Execution Roadmap by …
     • Developing and prioritizing technical, procedural and organizational solutions in concert with the requirements
     • Developing a project schedule in accordance with the identified priorities
     • Identifying and evaluating vendor technologies in accordance with the project schedule
  13. Businesses Derive Benefits from Mobility
     • Efficiency: drastically reduces the use of paper and improves accuracy
     • Workforce enablement: flexible data input options, smaller form factor, mobility and real-time access to information. Example use cases include:
       ◦ An attendant at a car rental agency uses a PDA to process a vehicle return
       ◦ A remote diagnostic center sends a patient's EKG to a physician's smartphone
       ◦ A retail store salesperson uses a PDA to perform inventory and price checks
       ◦ A physician uses a tablet PC to review a patient chart, annotate X-rays, collect patient data, check lab results and write prescriptions
       ◦ An insurance-claims adjuster uses a smartphone to photograph and instantly file evidence from an incident
  14. Questions?
     Click on the questions tab on your screen, type in your question (and your name if you wish) and hit send.