Many companies are increasingly spending time (and money) on assuring compliance with government regulations (e.g., Sarbanes-Oxley, HIPPA). Indeed, a growing number of companies provide SW and services to assure corporate compliance and thus keep enterprises out of the government regulator “cross hairs” (and avoid potentially massive fines, or worse). Yet many companies are failing to address a very important emerging field of exposure.
The massive growth of mobile/wireless smart devices (e.g., smart phones, handhelds, and even iPods) has critical implications for compliance/policy enforcement in the enterprise. Users now have the ability to collaborate with other employees, personal friends and acquaintances and business partners from virtually anywhere and over multiple channels (e.g., email, IM, SMS, file transfer, podcasting, VoIP, etc.). In fact, we expect that within the next 12-18 months, several companies will have a major compliance and/or security breach arise because of the prevalent use of mobile devices in a largely uncontrolled manner.
Smart devices are now capable of storing multiple gigabytes of data in virtually any form factor (e.g., text, video, images, voice), vastly expanding the amount of data users can take with them, and by implication, dramatically increasing the severity of any information security breach (e.g., customer databases, medical records, company proprietary documents). Additionally, the majority of portable devices have less than stellar security models (with the exception of the RIM Blackberry), enabling any person finding (or stealing) a device unfettered access to the contents of the device. Despite its high level security model, RIM doesn’t offer any significant compliance tools for the very popular BES servers, despite Blackberry devices being mission critical to a large and growing number of enterprises. Although many companies now monitor and control sever based collaboration, (i.e., email), few companies are able to manage for compliance the various forms of communications inherent in the wireless device world, nor control the transfer of files of various types (i.e., data files, text files, images).
There are a number of companies who provide smart device management (e.g., iAnywhere, Intellisync) or smart device security (e.g., Credant) or antivirus protection (e.g., McAfee, Symantec, F-Secure), but we have yet to see any company that provides an all-in-one capability that includes policy enforcement and compliance integrated with an overall corporate compliance capability. In fact, we believe that smart device compliance issues are far more dangerous and need to be addressed more urgently, than smart device solutions for spam or viruses in the short term (1-2 years), where many of these companies seem to be concentrating their efforts.
We believe the companies best positioned to address the smart device compliance issues are those that provide a wide array of security compliance and protection products (e.g., Symantec, McAfee). Yet they are, so far at least, ignoring this market. Enterprises should be pressing these vendors to extend compliance monitoring and control to these smart devices, and doing it soon while the risk is still relatively limited. Further, we believe the companies should engage in appropriate partnerships to enhance the security/compliance of infrastructure components that nearly all enterprises use (e.g., email, IM, SMS). Finally, enterprises should examine all existing compliance policies and extend them to include the growing array of smart devices and new forms of collaboration so as to avoid as much as possible any new risks associated with these devices.
Bottom Line: Companies must take the initiative to assure compliance within their growing community of smart device users. As these devices become more capable and prevalent, the risk will grow substantially. It is important to have a strategy in place within the next 9-12 months to mitigate the risks as much as possible, and bring these users in line with the policies and procedures in place for users of traditional devices. Failure to do so may cause a major breach, and a very stiff penalty.
כותב המאמר הנו: