value insights

The best mobile security plans examine risks first, then prescribe- Valutrics

Best mobile security assesses risk likelihood/impact

For mobile devices, what are the risks? Are we storing confidential or critical data on the devices? If so, what data? If someone could get that data, what could they do to damage me or the organization? What type of information does our email contain? Would those photos of business process flows damage the organization if someone captured them? What could someone do if they had access to my mobile expense reporting app?

When it comes to assessing risks, I like to first identify the specific risks and then, for each risk, define the likelihood and impact of the risk. I then figure out the best, most pragmatic way to mitigate the risks with the highest likelihood-impact combination.

For example, what employee or client personally-identifiable-information (PII) data can someone store on their mobile phone? If someone can store a lot, there is a likelihood that we can lose the data and, depending on the depth and breadth of the PII, the impact could be significant. In this case, the best mobile security plan would have strong PII risk mitigation in place — and that mitigation might require that we put certain controls in place. But at least, by delineating the likelihood-impact combination, we can articulate the risks and mitigating controls.

If, on the other hand, no one can receive or store critical PII on their phones, the likelihood-impact combination is smaller and we might not need to control the lives of our users. This approach aligns our security countermeasures to our users’ need for individual control. And, if you are subject to information security audits, this is an approach that you can explain to any auditor (although, based on my personal experience, some auditors are not familiar with assessing risks before defining risk mitigation).

There are risks with not doing enough to secure mobile devices, but there are also risks with doing too much. Taking a risk-based approach has always helped me find the right balance.