Motorola is credited with creating the first handheld mobile phone. A quick look around in any public place, however, is confirmation that Motorola is now only one of many players in the mobile phone market. Touted as a way for employees to be more productive, cellphones and other mobile devices such as notebooks, netbooks, ultrabooks or tablets are relied upon to provide employees with access to company resources regardless of the employee’s location and the time of day.
Mobile device use is viewed by some as a clear indicator that employees can be (and are) more productive. Others view mobile devices as distractions. After all, no one has ever been in a meeting where a colleague has ‘checked out’ of the discussion to respond to emails on a cellphone, right?
Whether the use of mobile devices directly increases productivity or not may be an ongoing question, but the increased risk associated with the use of mobile devices is not up for debate. Remember the proverbial lost laptop? The physical loss of a mobile device is not the only way that a company’s data can be compromised. As employees access their employers’ data anywhere and everywhere, bad actors are also trying to access that data. Beyond physical loss of a device, data can be compromised, for example, through unsecured network connections or through malware.
By no means are mobile devices declining in popularity. So, it is reasonable to assume that mobile devices and the risks associated with their usage will remain part of most organizations’ risk universes. Given that, IT auditors have an opportunity to partner with their organizations to assess the state of mobile computing. Areas that are beneficial to address in mobile computing audits are:
- Governance: policies and practices that address scope, responsibilities, and procedures around protection of data accessed by, transmitted by, and stored on mobile devices;
- Remote access: practices ensuring that all users are uniquely identified when accessing company resources;
- Data loss: security measures adequate to address the risks of removable media; of disclosure, copying, or modification of enterprise data; and of access to sensitive information that is not aligned with an employee’s position responsibilities;
- Malware: protections in place to prevent operational disruptions from malware introduced into the enterprise through mobile computing;
- Incident response: incident response protocols that cover mobile device users from detection and reporting through recovery.
As employers continue to explore ways to increase employees’ productivity, it seems safe to say that data access through mobile devices will continue to play a role in meeting that objective. Given data privacy expectations (existing and emerging) as well as customer considerations, safeguarding data will remain a challenge for most organizations. This challenge can be mitigated by a collaborative partnership between IT auditors and management that is founded on a solid mobile computing audit program. The results of an audit can be used to gauge the effectiveness of the enterprise’s safeguards of data on mobile devices.
Editor’s note: For more guidance on this topic, download ISACA’s mobile computing security audit and assurance program.
Robin Lyons, Technical Research Manager, ISACA