Cybersecurity in the Age of Mobility


Building a Mobile Infrastructure that Promotes Productivity
Published in: Technology, Business

  1. 1. Cybersecurity in the Age of Mobility: Building a Mobile Infrastructure that Promotes Productivity
     An Economist Intelligence Unit research program sponsored by Booz Allen Hamilton
  2. 2. List of Interviewees
     Chua Kim Chuan, Director, Identity & Security Services, Information Systems Division, MOH Holdings Pte Ltd., Singapore
     Tom Downey, Director of Excise and Licensing of the City of Denver, Colorado, USA
     Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America for online and mobile channels, USA
     Andrew McIntyre, CEO, Medical-Objects Pty Ltd, Australia
     Patty Mechael, Executive Director, mHealth Alliance, USA
     Mark Olson, CISO, Beth Israel and Harvard Medical School, USA
     Neil Robinson, Senior Analyst, RAND Europe
     Rajesh Yohannan, Regional Head of e-Business, Citibank Asia
     About the Survey
     In August 2011, the Economist Intelligence Unit conducted a global survey, sponsored by Booz Allen Hamilton, of 340 executives to assess attitudes toward cybersecurity in the age of mobility. About one-half (51 percent) of survey respondents are board members or C-level executives, including 74 CEOs. The respondents are based in North America (31 percent), Western Europe (29 percent), Asia-Pacific (27 percent), Middle East and Africa (6 percent), Latin America (5 percent), and Eastern Europe (3 percent). More than one-half of the survey respondents (55 percent) work for companies with global annual revenues exceeding US$500 million.
     Nineteen different industries are represented in the survey sample, including financial services (21 percent); healthcare, pharmaceuticals, and biotechnology (13 percent); professional services (9 percent); transportation, travel, and tourism (9 percent); IT and technology (7 percent); and manufacturing (7 percent).
  3. 3. Contents
     Executive Summary
     Introduction
     The Benefits of Mobility
     Mobility Hazards and their Remedies
     Loss of Mobile Devices
     Vulnerability from Downloads
     Sidebar: Financial Services: Pushing the Envelope
     Inefficient Back-up Procedures
     Responding to Mobile Security Challenges
     Proper Back-up Procedures
     Network Security and Remote Access
     Developing Company Policies and Leadership
     Sidebar: Healthcare: Meeting Opportunities as Well as Threats
     Conclusion
     About Booz Allen
     About Economist Intelligence Unit
  4. 4. Executive Summary
     • The ascendancy of mobile computing offers companies enormous opportunities to improve productivity, while presenting them with a series of new security challenges. The ubiquity of mobile devices encourages more people to take care of routine matters via simpler online apps. It also has the potential to make structural enhancements in productivity. But to capitalize on these benefits, companies will have to tackle a host of challenging new security issues.
     • The rapid rise of mobile devices has led to a corresponding rise in mobile cyber threats. Mobile devices are more likely to be lost through theft, accident, and negligence. The “app store” culture of mobile devices leads to promiscuous downloads of risky software by end-users. Mobile devices are likely to be connected through unsecured and even hostile “Wi-Fi” network access points. And mobile devices are more likely to be treated by the end-user as personal property not subject to the usual security practices of the organization.
     • The move to cloud computing is complicating the task. The most fundamental organizational response involves setting up frequent and easy-to-use back-up procedures for mobile devices. But organizations have incomplete and inadequate traditions for backing-up and securing data stored in mobile devices. Giving employees “anytime, anywhere” access allows them to be more productive, but that access inevitably weakens the central network’s defenses against intruders. Some organizations respond by setting up finer-grained controls over remote access.
     • The most fundamental problem with mobile security is a lack of awareness. Companies should make educational efforts on mobile computing a company priority. Cyber-mobility policies need to address personal use, privacy, security of connection, and how to handle missing or stolen devices.
     • IT departments need to suggest new mobile technologies to other functions to demonstrate that they want progress and can take the lead in implementation. To do so, it is important to construct explicit projects with defined targets, benefits, costs, and budgets. It is also important to set milestones of success and assess the value that security provides.
  5. 5. Introduction: The Magnitude of the Challenge
     Mobile devices have taken the world by storm. The Economist Intelligence Unit estimates that four billion people use mobile devices of one kind or another. Three billion are using feature phones to call and text, but one billion are now using smartphones to access the Internet as well. The global movement to smartphones is still in its infancy. The devices are likely to experience double-digit sales growth for the next 5 years as the world builds out 3G wireless networks and the devices themselves become more powerful.
     A Definition
     In this report, and in the survey conducted for this report, cyber mobility is broadly defined as “the ability to work anywhere (i.e., remotely from the office) through the use of mobile device(s), such as laptops and cell phones, and other devices that are connected to the Internet and are often used to enhance productivity.”
     The move to smartphones will have a profound qualitative impact on computing. In 2014, more people will be accessing the Internet through devices than via desktops, if current trends continue. This will change the nature of the global workplace. The Internet will be much more pervasive and embedded—the computing power necessary to perform many work tasks will be always on and available almost everywhere.
     The ascendancy of mobile computing offers companies enormous opportunities to improve the productivity of a company’s employees. A few companies will continue to restrict their operations to a traditional workplace. But the vast majority will have to harness cyber mobility to remain competitive. To do so, they will have to tackle a host of challenging new security issues discussed in this report.
     Both opportunity and difficulty lie clearly
     According to the global survey of senior executives conducted for this report, organizations are already moving with determination to gain an advantage. Four in 10 executives (42 percent) say their organizations have revised business strategies in the past 3 years to reap the benefits of cyber mobility. The biggest problem caused by cyber mobility, according to the same executives, is new security threats (cited by 62 percent).
     Information is becoming a more central and essential organizational asset. Balance-sheet health has less to do with inventories of iron ore or shipping containers, and more to do with the
  6. 6. knowledge held by experienced employees and digital records about prospective customers. Techniques for protecting and managing those intangible assets lag behind our needs, however. Even in the face of compliance laws including Sarbanes-Oxley, HIPAA, and PCI, massive data breaches regularly occur.
     “Balance-sheet health has less to do with inventories of iron ore or shipping containers, and more to do with the knowledge held by experienced employees and digital records about prospective customers.”
     This report, written by the Economist Intelligence Unit and sponsored by Booz Allen Hamilton, explores cyber mobility and its security challenges. It details how—for a motivated and alert organization—security can be not just a problem, but also a strength.
     Figure 1: Rapidly Rising Connectivity. Mobile cellular subscriptions per 100 inhabitants and Internet users per 100 inhabitants, 2000-2010. Series: Developed, World, Developing. The developed/developing country classifications are based on the UN M49. Source: ITU World Telecommunication/ICT Indicators database
  7. 7. Glossary of Common Mobile Security Terminology
     App: Short for “application,” which is typically downloaded from an app store
     Cloud Security: Security moves from “manual” protection of individual devices to the cloud, where a third-party provider is usually responsible
     DLP: An acronym for Data Loss Prevention, DLP unifies protection from all hazards to data health, whether intentional or accidental, within the data center or at a remote location; DLP generalizes “back-up” and “disaster recovery”
     Endpoint Security: The idea that each individual device (an endpoint) should be secured, as opposed to “centralized” or “moated” security, which emphasizes safety behind firewalls
     MitMo: Short for “man in the mobile”, which is a type of malware that allows the perpetrator to monitor what the remote user does on the screen
     Mobile Malware: Short for malicious software specifically designed for mobile devices, often distributed via e-mail or app stores
     Phishing: An attempt to get users to click on a malicious link typically embedded in an e-mail or SMS
     Security Token: Typically a small physical device through which users authenticate themselves
     The Benefits of Mobility
     Mobility offers many benefits to businesses but the core opportunity is enhanced staff productivity. Employees who are more connected—on the road or at home—are more efficient. In a 2011 report from the US Office of Personnel Management (OPM), 31 out of 33 federal agencies that track telework programs said they believed that enhanced productivity was the greatest benefit of mobility. “Look at the tablet technology,” says Mark Olson, CISO at Beth Israel and Harvard Medical School. “A physician can pull up specific results and tests on the iPad to show at the patient’s bedside.” In addition, he notes, physicians can review information on the go, even walking between buildings, to enhance their productivity.
     The ubiquity of mobile devices provides another benefit: It also encourages more people to take care of routine matters immediately, via simpler online apps, rather than waiting for somebody to help them. The US public sector is making the most of this trend by offering more mobile government (m-government) information and services to constituents. Tom Downey, Director of Excise and Licensing of the City of Denver, Colorado, emphasizes that migration to online “e-systems” allows more citizens to “self-serve,” freeing trained staff to shift attention to strategic efforts.
  8. 8. “One-quarter of executives say their organization relies on cyber mobility to an overwhelming extent, and another 49 percent say it is of equal importance to productivity as other factors.”
     80% of executives also say mobile devices will be more important to their work 3 years from now compared with today.
     Cyber mobility can do more than boost productivity in a quantitative way: It also has the potential to make structural enhancements in productivity. Putting an iPad in a doctor’s hands can improve face-to-face encounters with patients, but it can have more dramatic effects when the physician is away on rounds at a different facility. If new results arrive for a patient, a nurse can update the physician, transmit test results, receive instructions based on the physician’s assessment of those tests, and start a new procedure hours before the physician is scheduled to return. In this situation, little of the doctor’s time is saved, but the impact on patient well-being might be enormous. More generally, cyber mobility’s greatest potential is not merely in saving costs, but in yielding greater results in revenues, profit, or other output measures.
     Mobility also offers benefits on a more strategic level: It allows companies to extend their business and their brand beyond the bounds of the physical setting of their company. A well-designed mobile app allows a retail company to sell to customers anytime and anywhere—far from its bricks-and-mortar locations. For strategic executives, this is the ultimate goal: to be able to scale a good brand experience across town or across a continent. Cyber mobility opens the possibility for brand scaling beyond traditional approaches limited by physical presence.
     Given the potential benefits, organizations are increasingly relying on mobility. One-quarter of executives say their organization relies on cyber mobility to an overwhelming extent, and another 49 percent say it is of equal importance to productivity as other factors. Eighty percent of executives also say mobile devices will be more important to their work 3 years from now compared with today.
     Mobility also allows companies to:
     • Launch and evaluate projects more quickly and with less overhead
     • Improve service quality, allowing them to sidestep competition based on price
     • Improve the length and intensity of customer relationships.
     Survey respondents agree about the key benefits of mobility. Flexibility (chosen by 89 percent) and increased productivity (75 percent) are overwhelmingly cited as benefits, while a smaller number also say cost savings (24 percent). These potential benefits have caused more organizations to rely on mobile devices.
  9. 9. Figure 2: In your view, what are the biggest benefits associated with cyber mobility? Select up to three.
     Greater work flexibility: 89%
     Increased productivity: 75%
     Decentralization of key business operations: 25%
     Lower cost structure: 24%
     Improved innovation: 17%
     Taking advantage of new market opportunities: 12%
     Greater understanding of important future trends: 9%
     Increased revenue growth: 5%
     Increased profitability: 4%
     Deepened knowledge of consumer trends: 4%
     Other, please specify: 3%
     Don’t know: 1%
     Source: Economist Intelligence Unit survey, August 2011
     Mobility Hazards and their Remedies
     Companies that want to take advantage of the widespread promise of mobile devices will have to face a number of important security issues. The rapid rise of mobile devices has led to a corresponding rise in mobile cyber threats. In 2010, security company McAfee reported an increase in mobile malware by 46 percent, compared with the previous year.
     But hostile actors may be growing faster than the mobile sector itself. According to Cisco’s 2010 Annual Security Report, improvement in traditional computer security awareness has led cyber criminals to target mobile users since the latter are generally less knowledgeable about the threats facing them and are, therefore, easier prey.
  10. 10. The threats are fueled by a number of issues:
     • Mobile devices are more likely to be lost through theft, accident, and negligence;
     • The “app store” culture of mobile devices leads to promiscuous downloads of risky software by end-users;
     • Mobile devices are particularly apt to be connected through unsecured and even hostile “Wi-Fi” network access points;
     • Organizations have incomplete and inadequate traditions for back-up and securing data stored in mobile devices; and
     • Mobile devices are more likely to be treated by the end-user as personal property not subject to the usual security practices of the organization.
     Loss of Mobile Devices
     The increased use of mobile devices has made loss of the device an important problem. “You don’t lose your desktop,” says Rajesh Yohannan, Regional Head of e-Business, Citibank Asia. Yohannan notes that most of the data kept on mobile devices are recoverable because most organizations and individuals back up crucial assets, and the actual device can be replaced. He is particularly concerned, however, about protecting the data on a lost mobile device from cyber criminals.
     Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America for online and mobile channels, USA, is also concerned about this issue. He notes people often put a lot of sensitive information into their phones. They set up e-mail accounts, store passwords, and download apps such as Facebook, which allows them to be signed in at all times. A cyber criminal who came across their device would have instant access to all of the data on the device and on the apps associated with it. That would allow them to correlate this information against other data sources and do significant damage. “You steal a phone for its virtual value—the information that is on it, the passwords that are stored there, e-wallet type programs,” agrees Neil Robinson, Senior Analyst at the RAND Europe think tank.
     “A cyber criminal who came across their device would have instant access to all of the data on the device and on the apps associated with it. That would allow them to correlate this information against other data sources and do significant damage.”
  11. 11. Vulnerability from Downloads
     Unsuspecting users often download unfamiliar apps and information to their mobile device. “Cyber crooks see it as an opportunity because awareness is low,” says Yohannan. In the survey conducted for this report, about one-half of all executives confirm that they have downloaded an app for business use as well as personal use, indicating that they are downloading apps to a great extent and that they also mix business and personal use. Yohannan says users must be more careful of what they download and points out that this includes e-mail attachments, which are rarely scanned for viruses or
     Figure 3: Which of the following activities have you done on your mobile device(s) in the past three years? Select all that apply.
     Checked business email: 92%
     Made a business phone call: 90%
     Browsed the Internet: 87%
     Made a personal phone call: 84%
     Checked personal email: 76%
     Downloaded an app for business use: 54%
     Downloaded an app for personal use: 51%
     Downloaded a security update: 51%
     Other, please specify: 6%
     I don’t have a mobile device: 2%
     Source: Economist Intelligence Unit Survey, August 2011
  12. 12. Financial Services: Pushing the Envelope
     Financial services are moving to take advantage of mobile computing platforms in a big way. “The way we communicate with our customers and the way we market our services is changing radically,” says Rajesh Yohannan, Regional Head of e-Business, Citibank Asia. In the 18 months since it started its Asian mobile banking service, Citibank already has 500,000 users signed up.
     51% of financial services executives say their organization has revised its business strategy to reap the benefits of mobility, compared to 42% of respondents as a whole.
     Financial services executives queried in the survey conducted for this report are promoting mobility to a greater extent than their peers in other sectors. For example, 34 percent of them say their industry relies on mobility to enhance productivity compared to 21 percent of executives as a whole. Half (51 percent) of financial services executives also say their organization has revised its business strategy to reap the benefits of mobility compared to 42 percent of respondents as a whole.
     But the financial services industry faces greater risks than others. Individual hackers and organized crime groups are actively seeking to exploit the slightest vulnerabilities. Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America, who conducts a monthly intelligence review of the top threats to the bank, says endpoint security was his biggest concern in early fall of 2011. That was followed by customer spoofing—such as phishing, application security, mobile malware, and data loss.
     To improve security, Bank of America is doing three things: “We have pre-built security into our applications, we don’t store any unnecessary data on the phone, and any data stored is encrypted,” Gordon says. Banks are also keeping a closer tab on the evolution of threats and informing customers about their risks.
     “We scan forums where cyber criminals hang out to track attacks even before they happen,” confirms Yohannan, who goes on to explain that many perpetrators will discuss upcoming attacks with their peers before executing them. Citibank has a group of people dedicated to this cause, while other groups look to deal with the actual attacks and their aftermath.
     Educating consumers is another way to improve security. Like many others, Bank of America will proactively alert customers when there is unusual account activity. A more innovative approach taken by the bank is to give their customers one free year of protection from McAfee, a security software company, in the hope that those customers will value the McAfee service and continue to use it beyond the trial period, according to Gordon.
  13. 13. App stores pose a different problem. In response to the growing number of attacks via malicious apps, the European Network and Information Security Agency (ENISA), the agency overseeing Europe’s cybersecurity, published a report in September 2011 about the security implications of app stores. It found that today’s malicious apps target a variety of platforms and can tap into smartphone data, from business e-mails to phone calls. “Consumers are hardly aware of this,” said the authors of the report, Dr. Marnix Dekker and Dr. Giles Hogben.
     One of the biggest threats in this area has been various versions of Zeus MitMo, a malware that hides in the background of mobile apps and allows the perpetrators to gather information from unsuspecting users. “We have seen a big uptick in malware, such as Zeus for mobile,” says Gordon, whose company tracks the top five threats against them on a monthly basis (also see sidebar on page 10).
     Inefficient Back-up Procedures
     In principle, proper back-up procedures make it possible to recover data lost on a physical device. But typical back-up procedures for mobile devices leave a lot to be desired. Data are backed up incompletely and, often, insufficiently.
     It is also difficult to determine exactly what data need to be backed up because the nature of “data” has changed. “Everything used to be stored on the device,” says Robinson. “But nowadays cyber mobility is hard to separate from cloud computing.” Because of this, mobile security has to be closely tied to cloud security. Concentrating on endpoint security by backing up individual devices is becoming less important than cloud security—making sure the cloud data scattered across the world are secure.
     That change has also led to shifts in responsibilities. In this new environment, back-up procedures are typically conducted by the cloud providers. “Companies of all sizes and individuals are at the mercy of providers,” agrees Robinson. Survey respondents also say the third biggest problem caused by cyber mobility in their organization today is the loss of control over data (cited by 34 percent).
     Respondents agree with the commonly cited risks associated with mobility. They are concerned that their mobile device will be compromised as a result of loss (66 percent) and poor back-up procedures (55 percent). Downloads were fourth on the list of concerns (cited by 51 percent) after the use of insecure networks (52 percent), another growing problem which is associated with using various connections in remote locations.
  14. 14. The survey also revealed users may claim a higher degree of awareness regarding security than they put into practice. Nine out of 10 say they would alter their usage if they learned that it is likely that the information on their mobile devices can be compromised. Yet, 64 percent say efficiency gains outweigh any potential security risks when it comes to working remotely, and 68 percent say the same about the use of mobile devices.
     Responding to Mobile Security Challenges
     Organizations that want to take advantage of the benefits of mobility must find a way to face the security challenges that come with them. Even explicit policies often remain incomplete; in any case, part of the nature of security is a demand for continuing vigilance and renewal. At a tactical level, our survey shows attention in this area currently is focused on back-up procedures, security of remote access, and movement towards interoperability and standardization.
     Figure 4: Which of the following areas are covered by your organization’s policy regarding the use of mobile device(s)? Select all that apply.
     Personal use: 78%
     Privacy: 71%
     IT support: 69%
     Use of secure/insecure wireless connections: 68%
     Security software: 64%
     Missing or stolen devices: 64%
     Downloads (apps/games/other): 62%
     Backup procedures or data loss: 58%
     The guidelines are general and I am not aware of my organization having any specific policies: 6%
     Other, please specify: 3%
     Don’t know: 0%
     Source: Economist Intelligence Unit survey, August 2011
  15. 15. Proper Back-up Procedures
     The most fundamental organizational response involves setting up frequent and easy-to-use back-up procedures for mobile devices. But the move to cloud computing is complicating the task. “This is where everyone struggles and we do as well,” Mr. Olson admits. Backing up the data is relatively straightforward. The bigger problem is securing the data in case the device is lost.
     To deal with the possibilities of lost devices, Olson tries to limit the amount of data resident on a particular mobile device and encrypts it. “We use an approach where data are fetched, viewed, and destroyed, in order not to leave any information resident on the device,” he explains. All information is stored at a central data center. From there, he can recover what was on the device at all times (regardless of whether the actual device is recovered or not). Inevitably, however, a small amount is still left on the device. To deal with this problem, he adds a remote wiping capability that allows him to erase data remotely if the device is lost.
     Network Security and Remote Access
     Another big problem involves controlling how mobile devices get remote access to organizational networks. Giving employees “anytime, anywhere” access allows them to be more productive, but that access inevitably weakens the central network’s defenses against intruders. A remote connection can serve as a pathway that allows a malicious app to access other users on the internal network.
     Some organizations respond by setting up finer-grained controls over remote access: someone with accounting responsibilities, for example, might be permitted to prepare reports, but not to transfer funds remotely. Olson says remote access to his organization is controlled via a series of security steps, including software installation, a secure sockets layer (SSL) connection, a virtual private network (VPN) and, of course, regular changes of passwords.
     In Singapore, Chua Kim Chuan, Director of Identity & Security Services, Information Systems Division, MOH Holdings, the holding company of Singapore’s public healthcare assets, also uses end-to-end encryption and strong authentication procedures. But Mr. Chua Kim Chuan goes one step further by requiring that employees carry small devices that generate numeric “one-time” passwords. These information tokens add a physical element to the authentication process.
     “The trickiest part is to design a process that is easy while providing security,” says Mr. Chua Kim Chuan. Neil Robinson agrees. “If there are too many steps and passwords, then users will write them down,” he says. Writing instructions on paper, of course, defeats the whole purpose of a security procedure: If someone finds that piece of paper, the system’s security collapses. To balance convenience and safety, many organizations still require only a user name and password—even for remote access. However, a number of studies have shown that this combination is inadequate in most security situations.
  16. 16. While 71 percent of respondents agree that their organization has taken security measures regarding mobility, the quality of policies in this area may be uneven. When asked how prepared their organization is to address security or privacy threats in a variety of scenarios, respondents are least confident with regard to mobile devices: Only 22 percent say they are well prepared in this area, compared with 50 percent who say the same about online access and 59 percent about the use of desktop computers.
     Figure 5: How prepared is your organization to address security or privacy threats to the following?
     The physical office location: well prepared 59%, somewhat prepared 37%, not at all prepared 3%, don’t know 1%
     The use of desktop computers: well prepared 59%, somewhat prepared 38%, not at all prepared 2%, don’t know 1%
     Online access: well prepared 50%, somewhat prepared 43%, not at all prepared 5%, don’t know 1%
     Mobile device(s): well prepared 22%, somewhat prepared 63%, not at all prepared 14%, don’t know 2%
     Source: Economist Intelligence Unit Survey, August 2011
     Developing Company Policies and Leadership
     Mobility is increasingly pervasive, and organizations must capitalize on it to remain competitive in the marketplace. Organizations must take a number of steps to respond to security challenges that mobility presents:
     • Make educational efforts on mobile computing a company priority. The most fundamental problem with mobile security is a lack of awareness. Yohannan believes the lack of awareness is pervasive in organizations and is not limited to users of mobile devices. Educational initiatives need to start within the organization. “We educate senior executives about security in terms they can understand,” explains Gordon. To educate users about phishing, he will show them an actual phishing
  17. 17. Healthcare: Meeting Opportunitiesas Well as ThreatsTh e h e a lt h c a r e i nd u stry h a s gre at h op e s f or m o b i l e co mp u t i ng.It is increasingly using mobility to enhance the productivity and flexibility ofits operations and to meet demands from patients. Electronic health (e-health)initiatives are the most commonly cited benefit on the horizon. These initiativestypically focus on developing electronic medical records (EMRs), which allowemployees to evaluate results remotely and communicate information quickly.Telemedicine (tele-health) allows doctors to see their patients virtually and consultthem at a distance.“From a security perspective, we have to look at all of this and see how we canenable it,” says Mr Olson about the future of digital healthcare. The industry is ata particular risk from mobility given the sensitive data it handles in the form ofpatient records. “We are mostly targeted for the information we hold about peopleand identity theft is our biggest threat,” observes Mr Olson. The primary suspects,therefore, are organized crime groups, rather than nation-states or thrill-seekinghackers. Their goal is to get a name and an address they can validate with anothersource. “The more data they can correlate, the more value it has on the blackmarket,” he explains.To deal with the threat, health organizations are creating a variety of securitypolicies. Survey results lend support to the idea that healthcare is a leader in policydevelopment. 84% of healthcare respondents say they have a policy regarding theuse of mobile devices compared to 77% in other industries. 
According to survey responses, the policies adopted by healthcare organizations also cover important aspects of security to a greater extent, such as privacy (89% vs 71%) and missing or stolen devices (78% vs 64%).
The most pressing problem now, according to Andrew McIntyre, CEO of Medical-Objects Pty based in Australia, is not the lack of policy, but its implementation on the end-user side, as users of technology tend to trust vendors. Even in cases where suppliers clearly understand security matters, they feel little incentive to educate end-users focused on features and functionality outside the security domain. In addition to traditional logins and passwords, Dr McIntyre is promoting enhanced interoperability and better client-side security procedures, such as use of security tokens. “We can encrypt the transfer of data but we are stuck with a password to access it,” he says about the challenge to improve standards in the industry. “While the technology exists for client side tokens, virtually nobody uses it.”
One way in which to overcome such challenges, according to Mr Olson, is for the security team to push new products to the healthcare professionals, instruct them in their benefits, and demonstrate their use. “By doing that we are out in front of the partnership and we can control expectations and parameters of use,” he suggests.
  18. 18. e-mail used by hackers. “Our dashboard has both the simple terminology as well as the technical one, but in the future I hope it will only have one,” he says about his initiatives to educate management.
• Create comprehensive mobile security procedures. If there are no mandated security standards, or if interoperability is an issue in secure communication, companies need to set the standard internally. “There is no substitute for strong policies,” says Olson, who is constantly looking to enhance security in his organization. It is also important to make sure strong policies and standards are executed well and enforced properly. At the very least, cyber mobility policies need to address personal use, privacy, security of connection, and how to handle missing or stolen devices.
• Encourage IT departments to lead by example. IT departments are often seen by other functions as an obstacle to greater mobility because they insist on various security policies. This can encourage IT departments to resist the latest technologies before proper security is in place or to establish too many passwords to access a system. “Security teams should be enabling teams rather than disabling teams,” stresses Olson. IT departments need to suggest new mobile technologies to other functions to demonstrate that they want progress and can take the lead in implementation. To do this, it is crucial to construct explicit projects with defined targets, benefits, alternatives, costs, and budgets. It is also important to set milestones of success to manage project risk, and develop technical capabilities to assess the value that security provides.
Conclusion
The stakes associated with failing to establish proper mobile security are high. The costs associated with loss of a single customer record can be greater than a multiple of the lifetime revenues expected of that customer.
Companies also need to construct written goals with objective criteria and track successes and failures associated with mobile security. They need to demonstrate to employees and customers that the organization is committed to mobile security. They need to keep stakeholders informed about the company’s experience with mobile security issues, and monitor the impact of these efforts. Security itself is often conceived in negative terms: data not leaked, lawsuits avoided, and authentication nuisances reduced. Once companies do these steps well, they will find that security becomes a positive value—customers and employees will become more comfortable and confident doing business with an organization known for its security leadership.
  19. 19. About Booz Allen Hamilton
Booz Allen Hamilton is a leading provider of management and technology consulting services to the US government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. Booz Allen is headquartered in McLean, Virginia, employs more than 25,000 people, and had revenue of $5.59 billion for the 12 months ended March 31, 2011.
Booz Allen understands that cybersecurity is no longer just about protecting assets. It’s about enabling organizations to take full advantage of the vast opportunities that the ecosystem of cyberspace now offers for business, government, and virtually every aspect of our society.
Those opportunities can be imperiled, however, by rapidly emerging cyber threats from hackers (hacktivists), organized crime, nation states, and terrorists. We help our clients in both business and government understand the full spectrum of threats and system vulnerabilities, and address them effectively and efficiently.
Booz Allen believes the key to cybersecurity today is integration—creating a framework that “thinks bigger” than technology to encompass policy, operations, people, and management. Through this Mission Integration Framework, organizations can align these essential areas to address the real issues, and develop cyber strategies and solutions that keep pace with a fast-changing world.
To learn more, visit (NYSE: BAH)
About the Economist Intelligence Unit
The Economist Intelligence Unit is part of the Economist Group, the leading source of analysis on international business and world affairs. Founded in 1946 as an in-house research unit for The Economist newspaper, we deliver business intelligence, forecasting and advice to over 1.5m decision-makers from the world’s leading companies, financial institutions, governments and universities.
Our analysts are known for the rigour, accuracy and consistency of their analysis and forecasts, and their commitment to objectivity, clarity and timeliness.
  20. 20. An Economist Intelligence Unit research program sponsored by Booz Allen Hamilton. ©2011 Booz Allen Hamilton Inc.