If mobile security isn't on your mind, you are not reading enough news, you are a BlackBerry device user, you are an "It won't happen to me" type, or you are a phisherman, scammer or malware proliferator. Mobile security is at or near the top of everyone's security lists. As it should be. Mobile security is muddied by a lot of vendor hype and marketing confusion. What do you believe and whom should you believe about mobile security? The answer, I'm afraid, is "it's complicated." It must be more complicated than I ever anticipated because I've been told that the $429,000 number "isn't compelling."
Symantec's State of Mobile Computing Survey (Jan 2012) found the following loss information related to mobile computing security incidents:
"The average annual cost of mobile incidents for enterprises, including data loss, damage to the brand, productivity loss, and loss of customer trust was USD$429,000 for enterprise. The average annual cost of mobile incidents for small businesses was USD$126,000."
If those numbers don't readily compel you, then maybe this additional fact will: those amounts result in diminished profits and, as the survey says, "damage to the brand." How can you put an exact value on brand damage?
Symantec makes the following statement in its Recommendations section of the report:
"Organizations that choose to embrace mobility, without compromising on security, are most likely to improve business processes and achieve productivity gains. To this end, organizations should consider developing a mobile strategy that defines the organization’s mobile culture and aligns with their security risk tolerance."
Remember when I wrote that mobile security is at or near the top of everyone's security lists? Here's further proof of that sweeping generalization that I'm so famous for:
"Mobile adoption is not without risks, and IT organizations recognize this challenge. Approximately three out of four organizations indicate maintaining a high level of security is a top business objective for mobility and 41 percent identified mobile devices as one of the top three IT risks, making it the leading risk cited by IT."
Sure, companies probably have insurance against these kinds of losses, but the payments are very high too. But do insurance companies pay off if the investigation finds that the company was negligent in security training for its employees, for providing insufficient security for mobile devices, or for not protecting its employees in BYOD scenarios?
Thus far, I haven't been able to locate an insurance expert capable of answering that question. I'm still looking* and will report to you when I find one.
With mobile security at the top of the security risk list and losses due to security incidents nipping at the half million dollar mark, can I mark you down as "compelled" by these facts?
Maybe you're one of the people who is confused by what you read concerning mobile security. Maybe you're one of those I wrote about in the introduction who is confused by vendor hype and marketing fluff. You don't know which way to turn for honest answers about mobile security. I know it's confusing. I know there's a lot of FUD surrounding security in general and mobile security specifically. But you don't have to be confused.
Symantec offers some general strategies for those who have jumped into a more mobile workforce. But here, at no charge, I'm offering some specific, detailed suggestions to enhance your mobile security.
- Implement a multi-pronged approach to security. Firewalls, mobile device management (MDM) software, endpoint security, and monitoring will prevent a majority of security risks.
- Educate your employees. Informed employees who are aware of security issues are safer employees who aren't likely to cause security incidents that cost you a lot of money.
- Enlist security training for IT staff. You'd be surprised by the number of IT professionals who don't have a clue about security threats to your network. Statistics coming soon to illustrate this.
- Hire a third party security consultant. More than 90 percent of security breaches are found by third party security consultants.
- Draft a mobile security policy. Whether you issue mobile devices to your employees or allow them to bring their own devices, you need a written policy. It's part of your due diligence in reducing risk.
Security is an "off the top" expense. Budget for it. And just to be safe, have a contingency plan in case of a security breach. It's the equivalent of an emergency response plan in case of a natural disaster. Have your security consultant draft this plan and run through drills for it. It's just as important as those annoying fire drills and backup/restore checks that you perform on a regular basis. You do have those, don't you?
The average annual cost for mobile security incidents in enterprises is USD$429,000 and USD$126,000 for SMBs. Can you really afford not to be compelled by those numbers? The CXOs in your company should be, if you're not.
If you're not compelled by the numbers, I'd like to know why. Please use the Talk Back section for comments pertaining to what is and is not compelling about the costs associated with mobile security incidents.
*If anyone knows of an insurance expert who can speak to these questions, I'd like to interview him or her for a follow-up post.