Jason Smith 2015-04-25 06:09:12
Avoiding the risks of the mobile ecosystem.

So you think you’re not in the online business? Think again. Whether it’s directly offering products and services over the Internet, encouraging your employees to telecommute, or just communicating on mobile devices, today, every company—large or small—conducts business online. While the security around online-based businesses and telecommuting is quite mature, the mobile ecosystem remains a virtual Wild West.

Mobile devices can be defined as cellphones, tablet computers, portable hard drives, USB flash drives, laptops, and more. The obvious benefits of flexibility and accessibility have driven the growth in use of such devices in corporate America. For instance, an 8GB flash drive that is smaller than a business card can hold the equivalent of 640,000 boxes of paper. A hard drive that is a little larger than a cellphone can store more than 40 million boxes of paper. Unfortunately, these conveniences also provide opportunities for loss of important data on a much larger scale than does simply misplacing a confidential file folder.

Hackers targeting your corporate systems.

From 2010 to 2013, the number of corporate data breaches more than tripled from almost 600 occurrences to more than 2,100.[1] The number of records affected by those breaches skyrocketed from 18.6 million to more than 800 million. Hacking accounted for almost 60 percent of incidents and more than 70 percent of leaked records. At an average cost of $204 per record, the estimated total hard cost of just the breaches that were reported was more than $163 billion. It was tough enough to defend these attacks in a central location, but with the growth of the mobile ecosystem, the company walls are dissolving into a borderless virtual world. There are laws governing the level of security a company must implement as well as actions that must be taken in the event of a data breach.
A comprehensive data security policy must include every electronic system, including mobile devices, to be effective, and executives must understand that the laws require certain data breaches to be thrust into the public spotlight. But your data security is only as good as your weakest link.

Hackers targeting law firms.

As early as Nov. 1, 2009, the FBI has warned[2] law firms that they are being singled out by hackers. While lawyers are additionally governed by ethical rules, you should certainly consider extending your technology and privacy policies to your guidelines for outside counsel. In fact, many of the largest U.S. financial institutions are now mandating that the law firms representing them assume stronger cybersecurity measures, from complete background checks on lawyers who handle personally identifiable information and onsite audits that determine the level of access to information and other more stringent compliance procedures. The American Bar Association is getting involved as well. In May 2014, it passed Resolution 109,[3] advising attorneys to implement a cybersecurity plan to protect client data.

Your employees and the destruction of company files.

Not all threats to your corporate information are inbound. The strongest firewalls and toughest encryption techniques are no match for loss of sensitive corporate data by an employee. The use of portable mass storage devices has given employees the flexibility to take the entire office filing cabinet with them while traveling. And like your house keys, these portable mass storage devices can be easily lost or damaged, taking with them mountains of critical corporate data. Sometimes destruction of the information can do as much damage to a company as disclosure or theft.
Many companies already have backup routines built into their information technology policies, but the growth of the mobile ecosystem, and the expanding space required to house data that’s so easily created, is impacting the timing and method for these backups. Policies dubbed “bring your own device” are gaining traction to balance the ease of allowing employees to connect personal mobile devices to corporate systems with the IT policies that govern company-owned devices. But these strategies may still be vulnerable if that mobile device becomes entangled in a lawsuit or investigation.

In one of the most cited cases on the subject, the 9th U.S. Circuit Court of Appeals held that the Fourth Amendment to the U.S. Constitution does not require government agents to have reasonable suspicion before searching laptops or other digital devices at the border, including at international airports.[4] It has also been reported that U.S. Department of Homeland Security policies now allow federal agents to “take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing.” Further, “officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption, or other reasons.” As more cases like these arise, the balance between flexibility and protection will shift toward company IT policies becoming more conservative to hedge against the many unforeseen opportunities for destruction or disclosure of sensitive information.

Lack of visibility.

Not all risks lie in the disclosure or destruction of the data. With the proliferation of mobile devices, the field of view becomes much broader for leadership.
How can general counsel and others in the executive suite who are required to sign certifications on internal financial controls be completely certain of their certification if executed contracts are scattered across smartphones and tablets of global sales staff? How can they be aware of the risks and obligations facing the company if critical proposals are stored on flash drives under an employee’s car seat? Implementing a strategic information life cycle management program, including systems that focus on workflow and storage of business information, will help narrow the field of vision for executives looking to maintain visibility into the affairs of the corporation. Companies have to embrace the mobile ecosystem while recognizing that the threats are growing as fast, if not faster, than technology itself. Executives must maintain vigilance while keeping pace with the brave new world. The companies that succeed won’t necessarily be the ones that outpaced their competitors in the marketplace, but could be those that outpaced the threats in the mobile ecosystem.
Published by State Bar of Texas.
This page can be found at http://mydigimag.rrd.com/article/Every+Company+is+an+Internet+Company/1990736/256355/article.html.