Thursday, November 30, 2006

Red Flags: Mobile Data Encryption Policy...

Have any of your executives been waving any "Red Flags" lately? If you are like many CISO's across the globe, you may have to change this to a "White Flag" and surrender.

IDC reports in a recent study, that the projected number of global mobile employees would grow beyond 878 million by 2009. IDC’s report, "Comply on the Fly: Keeping Pace with the Management Challenges of Mobile Data Management," explores whether businesses are implementing initiatives to provide internal controls and address data security risks from mobile device use.

A Recent IDC Report cited at the Business Performance Management (BPM) Forum reminds the CxO's to batten down the hatches on mobile devices. Blackberry is only one of a few companies (RIM) who are being subjected to greater pressure to provide encrypted data at the device level.

The IDC report contained the following information:

* Nearly half of all respondents report that a minimum of 25 percent of all mobile devices in their organization carry mission-critical applications and information.

* Forty percent of respondents have no measures at all to manage mobile data tracking, backup and archiving for regulatory compliance purposes.

* Smaller companies ($100 million in revenue and under) face a greater risk of violations, with just 32.4 percent implementing formal mobile compliance policies.

* There is disconnect between IT executives who recognize mobile device compliance and security risks, and C-level executives who see benefits, not risks.


Yet it seems that employee's will not obey or even heed the policies set forth by their enterprise to try and protect customer information and valuable intellectual property. Thousands of laptops and other PDA's are left in taxi cabs as "On The Go" executives run for their meetings, interviews or flights.

In this digital age, the value of information on these stolen or lost devices is increasing and the losses to the enterprise far exceed the replacement of the phone, PDA or laptop. The loss extends to the notification of the customers who have exposed Personal Indentifiable Information. Studies by the Ponemon Institute have calculated this amount to be $182.00 per record.

According to the study’s 2006 findings, data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. The Ponemon Institute analyzed 31 different incidents for the study. Total costs for each ranged from less than $1 million to more than $22 million.

The 2006 Cost of a Data Breach Study tracks a wide range of cost factors, including legal, investigative, and administrative expenses, as well as stock performance, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. "The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "Tough laws and intense public scrutiny mean the consequences of poor security are steep—and growing steeper for companies entrusted with managing stores of consumer data."


The CxO on the go now realizes the importance of encryption for all mobile devices. Unfortunately for those few who still have not reallocated the funding to accomplish this important task, may cost millions more.

In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente Colorado is notifying some 38,000 members of a possible breach of their private health information.

The information was located on a laptop stolen from the personal car of a national Kaiser Permanente employee in California, reports the Rocky Mountain News and other media outlets.


Let's see: 38,000 x $182.00 = $6,916,000.00 in operational losses.

No comments: