Managing Mobile Security Risks with CIA Security Scenarios

Posted on November 11, 2014

According to a February 2013 report from Zogby Analytics, nearly 80 percent of American investors say they aren't likely to invest in companies that have suffered multiple cyber attacks. It's no wonder, since analysts at the Ponemon Institute estimate that data breaches cost large enterprises an average of $5.4 million per breach and can erode brand value by hundreds of millions of dollars.

It's also no surprise that as data breaches damage business performance and company valuations, data security concerns moved out of the IT department and into the boardroom. Has your CEO been challenged to explain what your company is doing to ensure that revenue and shareholder value are being protected? If it hasn't happened yet, it's probably just a matter of time, says Breezy CEO Jared Hansen, who founded the secure mobile printing leader after an unsuccessful search for a secure mobile printing solution for his law firm.

"Back in 2011, the Ponemon Institute reported that nearly 40% of organizations had data breaches resulting from lost or stolen mobile devices, including tablet computers, smartphones and USB drives that contained confidential or sensitive data," Hansen says. "But trying to lock down the enterprise by banning personally owned mobile devices just doesn't work. And neither does trying to limit employee choice to a single brand."

So what does work to manage the risk of data loss posed by mobile devices? Hansen says that what works is a comprehensive approach to mobile security that starts with an understanding of the real business requirements for security. "One size definitely does not fit all when it comes to protecting company data," he says.

"Every company has a different risk profile, but there are some common elements companies can consider when deciding on the company's priorities," he says.

CIA Threat Scenarios

When a hacker or cyber criminal attacks your business, or a lost mobile device allows your information to be leaked to the public by a blogger or reporter, or a competitor gets access to the data, you're facing a CIA Threat Scenario. That's an industry term that has nothing to do with a government agency; in this case, CIA means Confidentiality, Integrity, or Availability.

Your business is affected in different ways by each type of loss in a data breach. Consider these CIA risks from a phishing email, where a thief could:

In traditional risk modeling, companies set a value on an asset based on a simple measurement like the cost of a device. But when it comes to mobile devices, a $200 smartphone may have access to millions of dollars worth of company data. "You have to consider the value of the data, the business processes that can be affected, the loss of future revenues, and other factors," Hansen says.

"This is why on-device encryption is so important for mobile devices," he adds. "Breezy was built around the idea that every file is encrypted on the device, so that a man-in-the-middle attack can't compromise security. We think it's the best approach."

Take a Risk-Based Approach to Mobile Security

With a risk-based approach, Hansen says companies should start with a set of practical business and security requirements. "Your requirements will point the way to the policies and technologies that will minimize your risk as much as possible without affecting your employees' ability to get their work done."

What's important, he adds, is to avoid buying a mobile security technology based on its feature set, and then figuring out how to integrate it into the business process. "We've seen that in some of the companies we've worked with," Hansen says. "And it's backwards. The implementation, deployment, and adoption of any new security solution will work much better when you start with a clear understanding of how your employees use mobile devices, what kinds of threats your business faces, and use that information to define your security needs."

A good place to start in developing your security requirements is a document from The SANS Institute that outlines The Twenty Critical Security Controls. Originally developed for a PC-oriented environment, the SANS security controls apply very well to mobile device management, Hansen says.

Once you've identified the risks and established your priorities for managing those risks, it's time to look at the specific ways in which your workforce is using mobile technology. "It's a step that is easy to overlook, but it's crucial to the overall process of managing your risk," he says.

Secure mobile printing is an area where companies often badly underestimate their employees' needs. "If you don't understand how employees want to use mobile devices and apps, you're likely to leave a security hole that criminals can exploit. Secure mobile printing is exactly that kind of area. Management may view it as a 'nice to have' feature while employees often view it as critical to getting the job done."

Companies who overlook these five employee priorities for mobile security are likely to wind up with employees who violate security policy and put company data at risk, Hansen warns.

"IT managers are sure to understand the need to secure the first item on that list, enterprise applications, but may discount the importance of the other four," Hansen says. "If you do that, employees are likely to create their own work-arounds, such as using an unsecured Cloud storage system like iCloud, Google Drive, or Dropbox, to transfer company documents to another system where they can print or store information outside of the company's security network."

It isn't that employees want to violate company policy, and they certainly don't want to put data at risk, he says. "They just want to get their job done, and study after study has shown that if their view of 'getting the job done' means violating policy, even the best employees will do so in a heartbeat," he adds.

That's one reason that Hansen is a big believer in locking down data, not user choices or vendors. "In the American workplace, where most employees bring their own mobile devices to work (devices they bought and paid for, with monthly data and calling plans they pay for), it's the right approach to IT security."
