ISACA smart security for smart devices
1. Smart Security for Smart Mobile Devices
Marc Vael
International Vice-President
2. Smart Mobile Device Definition
An electronic device that is
• cordless (unless while being charged),
• mobile (easily transportable),
• always connected (via WiFi, 3G, 4G etc.),
• capable of voice/video communication, internet browsing and "geo-location" (for search purposes),
and that can operate to some extent autonomously.
6. Smart Mobile Device Business Benefits
1. Increased workforce productivity: facilitates completion of work offsite (+40%).
2. Improved customer service: a sales person or account manager can access the CRM system while at a customer site and provide ad hoc solutions and current customer account information.
3. Response to customer problems or questions at any time: 35% improvement in customer satisfaction in best-in-business enterprises.
4. Improved turnaround times for problem resolution: more flexibility facing the challenges of time zones or office hours.
5. Increased business process efficiency: shortened and more efficient business processes. SCM: by providing employees with information to speed the capture of inbound supply chain data and by shortening the feedback loop between supply chain and production planning.
6. Employee security and safety: one of the first reasons for mobile device adoption, allowing employees to travel to/from remote locations while staying in touch.
7. Employee retention: management creates positives for business and employees. Using mobile devices can improve work-life balance by facilitating the ability of employees to work remotely, increasing employee retention by up to 25%.
17. Mobile Device Security Issues
• Threats differ by industry (e.g. intelligence/security/police forces, fuel and energy, health and disease control, transportation, media, financial, food, retail, etc.); thus countermeasures must appropriately match the threat.
• The cost-benefit case for mobile devices depends solely on the value of corporate data at risk. Thus, critical data must be inventoried and appropriate security solutions implemented.
• Businesses cannot manage what they cannot identify, track or measure. Critical information is not always inventoried and proactively secured.
• Some companies outsource network security. When the third party's employees leave, what customer data leave with them? Business data are available to providers with different business goals and objectives.
18. Mobile Device Security Issues
• Network security issues include:
‣ Conventional firewall and VPN security systems are inadequate.
‣ Lack of integration with evolving WAN network security solutions.
‣ A blurred network perimeter can cause the boundary between the “private and locally managed and owned” side of a network and the “public and usually provider-managed” side of a network to be less clear.
‣ If communication can be intercepted, piggybacked, impersonated or rerouted to “bad” people, “good” people can look “bad” and “bad” people can look “good” from any location.
‣ Encrypted remote connections are assumed to be secure. Little consideration is given to securing the end point. E-mail and other communications are encrypted only from phone to phone, or from mobile device to server. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the Internet.
‣ Ad hoc service provisioning: requesting and receiving application service on demand wherever one is located.
31. Smart device security metrics
The most common security metrics used in evaluating the adequacy of mobile device security include:
• Number of breaches or successful attacks
• Virus protection and frequency of virus definition updates
• Currency of patch management on the servers
• Compliance with federal regulations
• Cost of security solutions
• Cost of loss
• Evaluation of risk
Are these metrics sufficient? Do you factor in total cost of ownership? How do you measure the benefit and value of mobile devices and the security solutions?
So, how can CISOs explain the value of incorporating adequate security?
36. Conclusion
Business executives rarely know where to start. While mobile technology is burgeoning with new innovations, time-tested mitigation techniques and evolving tool sets are available and highly effective. Organizations need to:
• Recognize mobile technology risks and commit resources to take decisive actions to control their vulnerabilities
• Inventory high-value data and the most serious exposures
• Evaluate which countermeasures directly and cost-effectively reduce their highest risks
• Implement a reasonable strategy that phases in improvements in information security commensurate with risk and resources
• Commit ongoing resources to revise and refine over time as circumstances evolve
For business leaders who fail to implement sufficient safeguards, the costs can be catastrophic. With the integration of an increasingly networked world, their problems become everyone’s.
40. “I don’t care how many millions of dollars you spend on security technology. If you don’t have people trained properly, I’m going to get in if I want to get in.”
Susie Thunder, Cyberpunk
41. Contact information
Marc Vael
CISA, CISM, CISSP, CRISC, CGEIT, ITIL Service Manager
International Vice-President
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows
IL 60008 USA
http://www.isaca.org/
marc@vael.net
http://www.linkedin.com/in/marcvael
http://twitter.com/marcvael