It's not our job to tell business not to use mobile devices, even personally-owned mobile devices. It's our job to enable business to use mobile devices securely for the benefit of the organization, customers, employees, and contractors.
In this presentation, given on April 30 at techpulse 2013, Evan Francen from FRSecure teaches how to secure mobile devices in today's business environments.
2. FRSECURE.COM
What’s on the Menu?
1. Who are these guys?
2. Should you allow personal mobile devices?
3. An example of why stealing is bad.
4. John hacks a laptop…seriously…here…in real time.
5. Encryption.
6. A helpful security thought process.
Who Are These Guys?
• Plain-spoken experts.
• Information security consulting is all we do.
• Established in 2008 by people who have earned their stripes in the field.
• Work with small to medium sized organizations in all industries everywhere.
“We get paid to tell people the truth”
Who Is This Guy?
Evan Francen: CISSP, CISM
• President & co-founder of FRSecure
• Information security expert:
• 20 years of experience
• 700+ published articles
• 150+ public & private organizations served
Should Personal Mobile Devices Be Allowed?
We think so…
1. Cost efficiency
2. Employee satisfaction
3. Increased productivity
4. It’s happening anyway
But, there are risks you need to consider…
Pop Quiz?
Lost and/or stolen mobile devices such as phones, laptops, thumb drives and tablets accounted for how many sensitive records compromised in 2012* in the U.S.?
*According to Privacy Rights Clearinghouse
Breach Example
A laptop is stolen from an employee of Accretive Health (Fairview Health Services Collections Vendor).
• The laptop was inside a locked car in a Minneapolis restaurant parking lot.
• The laptop was NOT encrypted (and therefore not protected by the Safe Harbor Rule).
• The laptop contained 14,000 private records of Fairview patients.
- Social Security Numbers
- Diagnoses
- Names, Addresses, DOBs
Breach Fallout
1. Fairview sent a letter to the 14,000 patients telling them their information was stolen.
2. Accretive was sued by the State of Minnesota, settled the case for $2.5 million and was “banned” for 6 years.
3. Fairview CEO retires when the company doesn’t renew his contract after the incident.
4. Fairview was in the news for about a year for this and other negative incidents regarding the care of patient information.
5. 14,000 people (that we know of) are victims.
Encryption is Not an Easy Button
There’s also…
• Policy & Governance
• Mobile Device Management
• Training & Awareness
• Alignment with the Big Picture
Policy & Governance
• Information Security Policy
• Encryption Policy
• Mobile Device Policy
• Bring Your Own Device (“BYOD”) Policy
• Standards, Guidelines & Procedures (exceptions)
Mobile Device Management
There are numerous technological solutions on the market today to assist in enforcing what we say in policy.
• If we can’t enforce what we stated in policy, how effective is our policy?
• Regulators will require evidence of compliance with our policies.
• People are people; sometimes we need to protect them from themselves.
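The deck’s point that an MDM tool should enforce the written policy and produce evidence of compliance can be expressed as policy-as-code over the MDM’s device inventory. The following is an added example, not code from the presentation or from FRSecure; the inventory rows, field names and rule identifiers are constructed assumptions, since real MDM exports differ by vendor. It also flags the breach scenario from the earlier slides: regulated data sitting on an unencrypted device.

```python
from dataclasses import dataclass

@dataclass
class Device:
    """One row of an MDM inventory export (field names are assumptions)."""
    device_id: str
    kind: str               # laptop, phone, tablet, thumb drive
    mdm_enrolled: bool
    disk_encrypted: bool
    passcode_set: bool
    remote_wipe: bool
    sensitive_records: int  # regulated records stored on the device

# One rule per policy statement; a rule returns True when the device complies.
# Rule identifiers are made up for this example.
POLICY = {
    "ENC-01 storage encrypted":   lambda d: d.disk_encrypted,
    "MDM-01 enrolled in MDM":     lambda d: d.mdm_enrolled,
    "MDM-02 passcode or lock":    lambda d: d.passcode_set,
    "MDM-03 remote wipe enabled": lambda d: d.remote_wipe,
}

def evaluate(device: Device) -> dict:
    """Check one device against POLICY and flag the breach-story case."""
    failed = [name for name, rule in POLICY.items() if not rule(device)]
    # The deck's lesson: regulated data on an unencrypted device becomes a
    # reportable breach the moment the device goes missing.
    reportable_if_lost = device.sensitive_records > 0 and not device.disk_encrypted
    return {"device_id": device.device_id, "compliant": not failed,
            "failed": failed, "reportable_if_lost": reportable_if_lost}

def compliance_report(devices: list) -> dict:
    """Summary usable as evidence: how many comply, who fails which rule,
    and which devices would trigger notification if lost today."""
    results = [evaluate(d) for d in devices]
    return {
        "checked": len(results),
        "compliant": sum(1 for r in results if r["compliant"]),
        "failures": {r["device_id"]: r["failed"] for r in results if r["failed"]},
        "reportable_if_lost": [r["device_id"] for r in results if r["reportable_if_lost"]],
    }

# Constructed inventory for the example, not real data.
INVENTORY = [
    Device("LT-001", "laptop", True, True, True, True, 14000),    # managed, encrypted
    Device("LT-002", "laptop", False, False, True, False, 14000), # the stolen-laptop case
    Device("PH-003", "phone", True, True, False, True, 0),        # BYOD phone, no passcode
]

if __name__ == "__main__":
    for dev_id, failed in compliance_report(INVENTORY)["failures"].items():
        print(dev_id, "fails:", ", ".join(failed))
```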
Training & Awareness
It’s hard to over-invest in training & awareness.
Do your people know what to do if:
• They lose their mobile device
• Their mobile device is stolen
• Their mobile device is infected (or suspected to be infected)
All of these things should feed into a process for incident response…
How is your incident response?
Consider a Business-like Approach to Security Decisions
1. Find the starting point.
2. Have a way to measure progress.
3. Apply a risk-based thought process.
4. Expect continuous evolution.
5. Consider other business factors.
6. Make informed, aligned decisions.