Cybersecurity in the Age of Mobility: Building a Mobile Infrastructure that Promotes Productivity

An Economist Intelligence Unit research program sponsored by Booz Allen Hamilton


Post on 20-Aug-2015



List of Interviewees

Chua Kim Chuan, Director, Identity & Security Services, Information Systems Division, MOH Holdings Pte Ltd., Singapore

Tom Downey, Director of Excise and Licensing of the City of Denver, Colorado, USA

Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America for online and mobile channels, USA

Andrew McIntyre, CEO, Medical-Objects Pty Ltd, Australia

Patty Mechael, Executive Director, mHealth Alliance, USA

Mark Olson, CISO, Beth Israel and Harvard Medical School, USA

Neil Robinson, Senior Analyst, RAND Europe

Rajesh Yohannan, Regional Head of e-Business, Citibank Asia

About the Survey

In August 2011, the Economist Intelligence Unit conducted a global survey, sponsored by Booz Allen Hamilton, of 340 executives to assess attitudes toward cybersecurity in the age of mobility. About one-half (51 percent) of survey respondents are board members or C-level executives, including 74 CEOs. The respondents are based in North America (31 percent), Western Europe (29 percent), Asia-Pacific (27 percent), Middle East and Africa (6 percent), Latin America (5 percent), and Eastern Europe (3 percent). More than one-half of the survey respondents (55 percent) work for companies with global annual revenues exceeding US$500 million. Nineteen different industries are represented in the survey sample, including financial services (21 percent); healthcare, pharmaceuticals, and biotechnology (13 percent); professional services (9 percent); transportation, travel, and tourism (9 percent); IT and technology (7 percent); and manufacturing (7 percent).


Contents

Executive Summary
Introduction
The Benefits of Mobility
Mobility Hazards and their Remedies
Loss of Mobile Devices
Vulnerability from Downloads
Sidebar: Financial Services: Pushing the Envelope
Inefficient Back-up Procedures
Responding to Mobile Security Challenges
Proper Back-up Procedures
Network Security and Remote Access
Developing Company Policies and Leadership
Sidebar: Healthcare: Meeting Opportunities as Well as Threats
Conclusion
About Booz Allen
About Economist Intelligence Unit

Executive Summary

• The ascendancy of mobile computing offers companies enormous opportunities to improve productivity, while presenting them with a series of new security challenges. The ubiquity of mobile devices encourages more people to take care of routine matters via simpler online apps. It also has the potential to make structural enhancements in productivity. But to capitalize on these benefits, companies will have to tackle a host of challenging new security issues.

• The rapid rise of mobile devices has led to a corresponding rise in mobile cyber threats. Mobile devices are more likely to be lost through theft, accident, and negligence. The “app store” culture of mobile devices leads to promiscuous downloads of risky software by end-users. Mobile devices are likely to be connected through unsecured and even hostile “Wi-Fi” network access points. And mobile devices are more likely to be treated by the end-user as personal property not subject to the usual security practices of the organization.

• The move to cloud computing is complicating the task. The most fundamental organizational response involves setting up frequent and easy-to-use back-up procedures for mobile devices. But organizations have incomplete and inadequate traditions for backing-up and securing data stored in mobile devices. Giving employees “anytime, anywhere” access allows them to be more productive, but that access inevitably weakens the central network’s defenses against intruders. Some organizations respond by setting up finer-grained controls over remote access.

• The most fundamental problem with mobile security is a lack of awareness. Companies should make educational efforts on mobile computing a company priority. Cyber-mobility policies need to address personal use, privacy, security of connection, and how to handle missing or stolen devices.

• IT departments need to suggest new mobile technologies to other functions to demonstrate that they want progress and can take the lead in implementation. To do so, it is important to construct explicit projects with defined targets, benefits, costs, and budgets. It is also important to set milestones of success and assess the value that security provides.

Introduction: The Magnitude of the Challenge

Mobile devices have taken the world by storm. The Economist Intelligence Unit estimates that four billion people use mobile devices of one kind or another. Three billion are using feature phones to call and text, but one billion are now using smartphones to access the Internet as well. The global movement to smartphones is still in its infancy. The devices are likely to experience double-digit sales growth for the next 5 years as the world builds out 3G wireless networks and the devices themselves become more powerful.

The move to smartphones will have a profound qualitative impact on computing. In 2014, more people will be accessing the Internet through mobile devices than via desktops, if current trends continue. This will change the nature of the global workplace. The Internet will be much more pervasive and embedded—the computing power necessary to perform many work tasks will be always on and available almost everywhere.

The ascendancy of mobile computing offers companies enormous opportunities to improve the productivity of a company’s employees. A few companies will continue to restrict their operations to a traditional workplace. But the vast majority will have to harness cyber mobility to remain competitive. To do so, they will have to tackle a host of challenging new security issues discussed in this report.

Both opportunity and difficulty lie clearly visible. According to the global survey of senior executives conducted for this report, organizations are already moving with determination to gain an advantage. Four in 10 executives (42 percent) say their organizations have revised business strategies in the past 3 years to reap the benefits of cyber mobility. The biggest problem caused by cyber mobility, according to the same executives, is new security threats (cited by 62 percent). Information is becoming a more central and essential organizational asset. Balance-sheet health has less to do with inventories of iron ore or shipping containers, and more to do with the knowledge held by experienced employees and digital records about prospective customers. Techniques for protecting and managing those intangible assets lag behind our needs, however. Even in the face of compliance laws including Sarbanes-Oxley, HIPAA, and PCI, massive data breaches regularly occur.

A Definition

In this report, and in the survey conducted for this report, cyber mobility is broadly defined as “the ability to work anywhere (i.e., remotely from the office) through the use of mobile device(s), such as laptops and cell phones, and other devices that are connected to the Internet and are often used to enhance productivity.”

This report, written by the Economist Intelligence Unit and sponsored by Booz Allen Hamilton, explores cyber mobility and its security challenges. It details how—for a motivated and alert organization—security can be not just a problem, but also a strength.

Figure 1: Rapidly Rising Connectivity. Mobile Cellular Subscriptions per 100 Inhabitants, 2000-2010 (line chart; series: Developed, World, Developing; vertical axis labelled “Internet users/per 100 inhabitants”, 0 to 120).

Source: ITU World Telecommunication/ICT Indicators database

The developed/developing country classifications are based on the UN M49. See: http://www.itu.int.int/ITU-D/ict/definitions/regions/index.html

The Benefits of Mobility

Mobility offers many benefits to businesses, but the core opportunity is enhanced staff productivity. Employees who are more connected—on the road or at home—are more efficient. In a 2011 report from the US Office of Personnel Management (OPM), 31 out of 33 federal agencies that track telework programs said they believed that enhanced productivity was the greatest benefit of mobility. “Look at the tablet technology,” says Mark Olson, CISO at Beth Israel and Harvard Medical School. “A physician can pull up specific results and tests on the iPad to show at the patient’s bedside.” In addition, he notes, physicians can review information on the go, even walking between buildings, to enhance their productivity.

Glossary of Common Mobile Security Terminology

App: Short for “application,” which is typically downloaded from an app store

Cloud Security: Security moves from “manual” protection of individual devices to the cloud, where a third-party provider is usually responsible

DLP: An acronym for Data Loss Prevention, DLP unifies protection from all hazards to data health, whether intentional or accidental, within the data center or at a remote location; DLP generalizes “back-up” and “disaster recovery”

Endpoint Security: The idea that each individual device (an endpoint) should be secured, as opposed to “centralized” or “moated” security, which emphasizes safety behind firewalls

MitMo: Short for “man in the mobile”, which is a type of malware that allows the perpetrator to monitor what the remote user does on the screen

Mobile Malware: Short for malicious software specifically designed for mobile devices, often distributed via e-mail or app stores

Phishing: An attempt to get users to click on a malicious link typically embedded in an e-mail or SMS

Security Token: Typically a small physical device through which users authenticate themselves

The ubiquity of mobile devices provides another benefit: It also encourages more people to take care of routine matters immediately, via simpler online apps, rather than waiting for somebody to help them. The US public sector is making the most of this trend by offering more mobile government (m-government) information and services to constituents. Tom Downey, Director of Excise and Licensing of the City of Denver, Colorado, emphasizes that migration to online “e-systems” allows more citizens to “self-serve,” freeing trained staff to shift attention to strategic efforts.


Given the potential benefits, organizations are increasingly relying on mobility. One-quarter of executives say their organization relies on cyber mobility to an overwhelming extent, and another 49 percent say it is of equal importance to productivity as other factors. Eighty percent of executives also say mobile devices will be more important to their work 3 years from now compared with today.

Mobility also allows companies to:

• Launch and evaluate projects more quickly and with less overhead

• Improve service quality, allowing them to sidestep competition based on price

• Improve the length and intensity of customer relationships.

Survey respondents agree about the key benefits of mobility. Flexibility (chosen by 89 percent) and increased productivity (75 percent) are overwhelmingly cited as benefits, while a smaller number also say cost savings (24 percent). These potential benefits have caused more organizations to rely on mobile devices.

Cyber mobility can do more than boost productivity in a quantitative way: It also has the potential to make structural enhancements in productivity. Putting an iPad in a doctor’s hands can improve face-to-face encounters with patients, but it can have more dramatic effects when the physician is away on rounds at a different facility. If new results arrive for a patient, a nurse can update the physician, transmit test results, receive instructions based on the physician’s assessment of those tests, and start a new procedure hours before the physician is scheduled to return. In this situation, little of the doctor’s time is saved, but the impact on patient well-being might be enormous. More generally, cyber mobility’s greatest potential is not merely in saving costs, but in yielding greater results in revenues, profit, or other output measures.

Mobility also offers benefits on a more strategic level: It allows companies to extend their business and their brand beyond the bounds of the physical setting of their company. A well-designed mobile app allows a retail company to sell to customers anytime and anywhere—far from its bricks-and-mortar locations. For strategic executives, this is the ultimate goal: to be able to scale a good brand experience across town or across a continent. Cyber mobility opens the possibility for brand scaling beyond traditional approaches limited by physical presence.


Mobility Hazards and their Remedies

Companies that want to take advantage of the widespread promise of mobile devices will have to face a number of important security issues. The rapid rise of mobile devices has led to a corresponding rise in mobile cyber threats. In 2010, security company McAfee reported an increase in mobile malware by 46 percent, compared with the previous year.

But hostile actors may be growing faster than the mobile sector itself. According to Cisco’s 2010 Annual Security Report, improvement in traditional computer security awareness has led cyber criminals to target mobile users since the latter are generally less knowledgeable about the threats facing them and are, therefore, easier prey.

Figure 2: In your view, what are the biggest benefits associated with cyber mobility? Select up to three.

Greater work flexibility: 89%
Increased productivity: 75%
Decentralization of key business operations: 25%
Lower cost structure: 24%
Improved innovation: 17%
Taking advantage of new market opportunities: 12%
Greater understanding of important future trends: 9%
Increased revenue growth: 5%
Increased profitability: 4%
Deepened knowledge of consumer trends: 4%
Other, please specify: 3%
Don’t know: 1%

Source: Economist Intelligence Unit survey, August 2011

The threats are fueled by a number of issues:

• Mobile devices are more likely to be lost through theft, accident, and negligence;

• The “app store” culture of mobile devices leads to promiscuous downloads of risky software by end-users;

• Mobile devices are particularly apt to be connected through unsecured and even hostile “Wi-Fi” network access points;

• Organizations have incomplete and inadequate traditions for back-up and securing data stored in mobile devices; and

• Mobile devices are more likely to be treated by the end-user as personal property not subject to the usual security practices of the organization.

Loss of Mobile Devices

The increased use of mobile devices has made loss of the device an important problem. “You don’t lose your desktop,” says Rajesh Yohannan, Regional Head of e-Business, Citibank Asia. Yohannan notes that most of the data kept on mobile devices are recoverable because most organizations and individuals back up crucial assets, and the actual device can be replaced. He is particularly concerned, however, about protecting the data on a lost mobile device from cyber criminals.

Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America for online and mobile channels, USA, is also concerned about this issue. He notes people often put a lot of sensitive information into their phones. They set up e-mail accounts, store passwords, and download apps such as Facebook, which allows them to be signed in at all times. A cyber criminal who came across their device would have instant access to all of the data on the device and on the apps associated with it. That would allow them to correlate this information against other data sources and do significant damage. “You steal a phone for its virtual value—the information that is on it, the passwords that are stored there, e-wallet type programs,” agrees Neil Robinson, Senior Analyst at the RAND Europe think tank.

Vulnerability from Downloads

Unsuspecting users often download unfamiliar apps and information to their mobile device. “Cyber crooks see it as an opportunity because awareness is low,” says Yohannan. In the survey conducted for this report, about one-half of all executives confirm that they have downloaded an app for business use as well as personal use, indicating that they are downloading apps to a great extent and that they also mix business and personal use. Yohannan says users must be more careful of what they download and points out that this includes e-mail attachments, which are rarely scanned for viruses or malware.

Figure 3: Which of the following activities have you done on your mobile device(s) in the past three years? Select all that apply.

Checked business email: 92%
Made a business phone call: 90%
Browsed the Internet: 87%
Made a personal phone call: 84%
Checked personal email: 76%
Downloaded an app for business use: 54%
Downloaded an app for personal use: 51%
Downloaded a security update: 51%
I don’t have a mobile device: 6%
Other, please specify: 2%

Source: Economist Intelligence Unit Survey, August 2011

Financial Services: Pushing the Envelope

Financial services are moving to take advantage of mobile computing platforms in a big way. “The way we communicate with our customers and the way we market our services is changing radically,” says Rajesh Yohannan, Regional Head of e-Business, Citibank Asia. In the 18 months since it started its Asian mobile banking service, Citibank already has 500,000 users signed up.

Financial services executives queried in the survey conducted for this report are promoting mobility to a greater extent than their peers in other sectors. For example, 34 percent of them say their industry relies on mobility to enhance productivity compared to 21 percent of executives as a whole. Half (51 percent) of financial services executives also say their organization has revised its business strategy to reap the benefits of mobility compared to 42 percent of respondents as a whole.

But the financial services industry faces greater risks than others. Individual hackers and organized crime groups are actively seeking to exploit the slightest vulnerabilities. Keith Gordon, SVP, Security, Fraud and Enrollment Executive at Bank of America, who conducts a monthly intelligence review of the top threats to the bank, says endpoint security was his biggest concern in early fall 2011. That was followed by customer spoofing—such as phishing, application security, mobile malware, and data loss. To improve security, Bank of America is doing three things: “We have pre-built security into our applications, we don’t store any unnecessary data on the phone, and any data stored is encrypted,” Gordon says.

Banks are also keeping a closer tab on the evolution of threats and informing customers about their risks. “We scan forums where cyber criminals hang out to track attacks even before they happen,” confirms Yohannan, who goes on to explain that many perpetrators will discuss upcoming attacks with their peers before executing them. Citibank has a group of people dedicated to this cause, while other groups look to deal with the actual attacks and their aftermath.

Educating consumers is another way to improve security. Like many others, Bank of America will proactively alert customers when there is unusual account activity. A more innovative approach taken by the bank is to give their customers one free year of protection from McAfee, a security software company, in the hope that those customers will value the McAfee service and continue to use it beyond the trial period, according to Gordon.


App stores pose a different problem. In response to the growing number of attacks via malicious apps, the European Network and Information Security Agency (ENISA), the agency overseeing Europe’s cybersecurity, published a report in September 2011 about the security implications of app stores. It found that today’s malicious apps target a variety of platforms and can tap into smartphone data, from business e-mails to phone calls. “Consumers are hardly aware of this,” said the authors of the report, Dr. Marnix Dekker and Dr. Giles Hogben.

One of the biggest threats in this area has been various versions of Zeus MitMo, a malware that hides in the background of mobile apps and allows the perpetrators to gather information from unsuspecting users. “We have seen a big uptick in malware, such as Zeus for mobile,” says Gordon, whose company tracks the top five threats against them on a monthly basis (also see the sidebar “Financial Services: Pushing the Envelope”).

Inefficient Back-up Procedures

In principle, proper back-up procedures make it possible to recover data lost on a physical device. But typical back-up procedures for mobile devices leave a lot to be desired. Data are backed up incompletely and, often, insufficiently.

It is also difficult to determine exactly what data need to be backed up because the nature of “data” has changed. “Everything used to be stored on the device,” says Robinson. “But nowadays cyber mobility is hard to separate from cloud computing.” Because of this, mobile security has to be closely tied to cloud security. Concentrating on endpoint security by backing up individual devices is becoming less important than cloud security—making sure the cloud data scattered across the world are secure.

That change has also led to shifts in responsibilities. In this new environment, back-up procedures are typically conducted by the cloud providers. “Companies of all sizes and individuals are at the mercy of providers,” agrees Robinson. Survey respondents also say the third biggest problem caused by cyber mobility in their organization today is the loss of control over data (cited by 34 percent).

Respondents agree with the commonly cited risks associated with mobility. They are concerned that their mobile device will be compromised as a result of loss (66 percent) and poor back-up procedures (55 percent). Downloads were fourth on the list of concerns (cited by 51 percent) after the use of insecure networks (52 percent), another growing problem which is associated with using various connections in remote locations.


The survey also revealed users may claim a higher degree of awareness regarding security than they put into practice. Nine out of 10 say they would alter their usage if they learned that it is likely that the information on their mobile devices can be compromised. Yet, 64 percent say efficiency gains outweigh any potential security risks when it comes to working remotely, and 68 percent say the same about the use of mobile devices.

Responding to Mobile Security Challenges

Organizations that want to take advantage of the benefits of mobility must find a way to face the security challenges that come with them. Even explicit policies often remain incomplete; in any case, part of the nature of security is a demand for continuing vigilance and renewal. At a tactical level, our survey shows attention in this area currently is focused on back-up procedures, security of remote access, and movement towards interoperability and standardization.

Figure 4: Which of the following areas are covered by your organization’s policy regarding the use of mobile device(s)? Select all that apply.

Personal use: 78%
Privacy: 71%
IT support: 69%
Use of secure/insecure wireless connections: 68%
Security software: 64%
Missing or stolen devices: 64%
Downloads (apps/games/other): 62%
Backup procedures or data loss: 58%
Other, please specify: 6%
The guidelines are general and I am not aware of my organization having any specific policies: 3%
Don’t know: 0%

Source: Economist Intelligence Unit survey, August 2011

Proper Back-up Procedures

The most fundamental organizational response involves setting up frequent and easy-to-use back-up procedures for mobile devices. But the move to cloud computing is complicating the task. “This is where everyone struggles and we do as well,” Mr. Olson admits. Backing up the data is relatively straightforward. The bigger problem is securing the data in case the device is lost.

To deal with the possibilities of lost devices, Olson tries to limit the amount of data resident on a particular mobile device and encrypts it. “We use an approach where data are fetched, viewed, and destroyed, in order not to leave any information resident on the device,” he explains. All information is stored at a central data center. From there, he can recover what was on the device at all times (regardless of whether the actual device is recovered or not). Inevitably, however, a small amount is still left on the device. To deal with this problem, he adds a remote wiping capability that allows him to erase data remotely if the device is lost.

Network Security and Remote Access

Another big problem involves controlling how mobile devices get remote access to organizational networks. Giving employees “anytime, anywhere” access allows them to be more productive, but that access inevitably weakens the central network’s defenses against intruders. A remote connection can serve as a pathway that allows a malicious app to access other users on the internal network.

Some organizations respond by setting up finer-grained controls over remote access: someone with accounting responsibilities, for example, might be permitted to prepare reports, but not to transfer funds remotely. Olson says remote access to his organization is controlled via a series of security steps, including software installation, a secure sockets layer (SSL) connection, a virtual private network (VPN) and, of course, regular changes of passwords.

In Singapore, Chua Kim Chuan, Director of Identity & Security Services, Information Systems Division, MOH Holdings, the holding company of Singapore’s public healthcare assets, also uses end-to-end encryption and strong authentication procedures. But Mr. Chua Kim Chuan goes one step further by requiring that employees carry small devices that generate numeric “one-time” passwords. These information tokens add a physical element to the authentication process.

“The trickiest part is to design a process that is easy while providing security,” says Mr. Chua Kim Chuan. Neil Robinson agrees. “If there are too many steps and passwords, then users will write them down,” he says. Writing instructions on paper, of course, defeats the whole purpose of a security procedure: If someone finds that piece of paper, the system’s security collapses. To balance convenience and safety, many organizations still require only a user name and password—even for remote access. However, a number of studies have shown that this combination is inadequate in most security situations.
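The report does not say which algorithm the one-time-password tokens it mentions use. As an added example (not taken from the report or from any organization it describes), the sketch below assumes event-based HOTP as specified in RFC 4226 and shows the server-side checks that make a token code genuinely one-time: the counter advances on success, a small look-ahead window tolerates unused button presses, and repeated failures lock the token. The secret is the published RFC 4226 test key; the class name, parameters and window sizes are hypothetical.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key (public test value, used here as sample input).
# A real token is provisioned with a random per-device secret.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP code for one counter value (RFC 4226, HMAC-SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side state for one user's token (hypothetical helper class)."""

    def __init__(self, secret, counter=0, look_ahead=3, max_failures=5, digits=6):
        self.secret = secret
        self.counter = counter          # next counter value the server expects
        self.look_ahead = look_ahead    # tolerated unused button presses
        self.max_failures = max_failures
        self.digits = digits
        self.failures = 0

    def verify(self, submitted: str) -> bool:
        # Locked tokens stay locked until an administrator resets them
        # (reset handling is outside this example).
        if self.failures >= self.max_failures:
            return False
        well_formed = (len(submitted) == self.digits
                       and submitted.isascii() and submitted.isdigit())
        if well_formed:
            window = range(self.counter, self.counter + self.look_ahead + 1)
            for candidate in window:
                expected = hotp(self.secret, candidate, self.digits)
                if hmac.compare_digest(expected, submitted):
                    # Move past the accepted counter so this code, and every
                    # earlier one, can never be accepted again.
                    self.counter = candidate + 1
                    self.failures = 0
                    return True
        self.failures += 1
        return False


def demo():
    """Walk through normal use, replay, counter drift and an out-of-window code."""
    verifier = TokenVerifier(RFC4226_TEST_SECRET)

    def code(counter):
        return hotp(RFC4226_TEST_SECRET, counter)

    return {
        "first_use": verifier.verify(code(0)),
        "replay_of_same_code": verifier.verify(code(0)),
        "after_two_unused_presses": verifier.verify(code(3)),
        "older_unused_code": verifier.verify(code(1)),
        "beyond_look_ahead": verifier.verify(code(9)),
        "server_counter": verifier.counter,
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

A wider look-ahead window is more forgiving of stray button presses but gives a guesser more valid codes per attempt, which is the ease-versus-security trade-off the interviewees describe.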

Page 16: Cybersecurity in the Age of Mobility

14 Cybersecurity in the Age of Mobility

While 71 percent of respondents agree that their organization has taken security measures regarding mobility, the quality of policies in this area may be uneven. When asked how prepared their organization is to address security or privacy threats in a variety

of scenarios, respondents are least confident with regard to mobile devices: Only 22 percent say they are well prepared in this area, compared with 50 percent who say the same about online access and 59 percent about the use of desktop computers.

FIgure 5 How prepared is your organization to address security or privacythreats to the following?

Source: Economist Intelligence Unit Survey, August 2011

Developing Company Policies and Leadership

Mobility is increasingly pervasive, and organizations must capitalize on it to remain competitive in the marketplace. Organizations must take a number of steps to respond to security challenges that mobility presents:

• Make educational efforts on mobile computing a company priority. The most fundamental problem with mobile security is a lack of

awareness. Yohannan believes the lack of awareness is pervasive in organizations and is not limited to users of mobile devices. Educational initiatives need to start within the organization. “We educate senior executives about security in terms they can understand,” explains Gordon. To educate users about phishing, he will show them an actual phishing

[Figure 5 chart: respondents rated preparedness for the physical office location, the use of desktop computers, online access, and mobile device(s) as Well prepared, Somewhat prepared, Not at all prepared, or Don’t know.]


Healthcare: Meeting Opportunities as Well as Threats

The healthcare industry has great hopes for mobile computing. It is increasingly using mobility to enhance the productivity and flexibility of its operations and to meet demands from patients. Electronic health (e-health) initiatives are the most commonly cited benefit on the horizon. These initiatives typically focus on developing electronic medical records (EMRs), which allow employees to evaluate results remotely and communicate information quickly. Telemedicine (tele-health) allows doctors to see their patients virtually and consult them at a distance.

“From a security perspective, we have to look at all of this and see how we can enable it,” says Mr Olson about the future of digital healthcare. The industry is at particular risk from mobility given the sensitive data it handles in the form of patient records. “We are mostly targeted for the information we hold about people and identity theft is our biggest threat,” observes Mr Olson. The primary suspects, therefore, are organized crime groups, rather than nation-states or thrill-seeking hackers. Their goal is to get a name and an address they can validate with another source. “The more data they can correlate, the more value it has on the black market,” he explains.

To deal with the threat, health organizations are creating a variety of security policies. Survey results lend support to the idea that healthcare is a leader in policy development. 84% of healthcare respondents say they have a policy regarding the use of mobile devices compared to 77% in other industries. According to survey responses, the policies adopted by healthcare organizations also cover important aspects of security to a greater extent, such as privacy (89% vs 71%) and missing or stolen devices (78% vs 64%).

The most pressing problem now, according to Andrew McIntyre, CEO of Medical-Objects Pty based in Australia, is not the lack of policy, but its implementation on the end-user side, as users of technology tend to trust vendors. Even in cases where suppliers clearly understand security matters, they feel little incentive to educate end-users focused on features and functionality outside the security domain. In addition to traditional logins and passwords, Dr McIntyre is promoting enhanced interoperability and better client-side security procedures, such as use of security tokens. “We can encrypt the transfer of data but we are stuck with a password to access it,” he says about the challenge to improve standards in the industry. “While the technology exists for client side tokens, virtually nobody uses it.”

One way in which to overcome such challenges, according to Mr Olson, is for the security team to push new products to the healthcare professionals, instruct them in their benefits, and demonstrate their use. “By doing that we are out in front of the partnership and we can control expectations and parameters of use,” he suggests.


Conclusion

The stakes associated with failing to establish proper mobile security are high. The costs associated with loss of a single customer record can be greater than a multiple of the lifetime revenues expected of that customer.

Companies also need to construct written goals with objective criteria and track successes and failures associated with mobile security. They need to demonstrate to employees and customers that the organization is committed to mobile security. They need to keep stakeholders informed about the company’s experience with mobile security issues, and monitor the impact of these efforts.

Security itself is often conceived in negative terms: data not leaked, lawsuits avoided, and authentication nuisances reduced. Once companies do these steps well, they will find that security becomes a positive value—customers and employees will become more comfortable and confident doing business with an organization known for its security leadership.


e-mail used by hackers. “Our dashboard has both the simple terminology as well as the technical one, but in the future I hope it will only have one,” he says about his initiatives to educate management.

• Create comprehensive mobile security procedures. If there are no mandated security standards, or if interoperability is an issue in secure communication, companies need to set the standard internally. “There is no substitute for strong policies,” says Olson, who is constantly looking to enhance security in his organization. It is also important to make sure strong policies and standards are executed well and enforced properly. At the very least, cyber mobility policies need to address personal use, privacy, security of connection, and how to handle missing or stolen devices.

• Encourage IT departments to lead by example. IT departments are often seen by other functions as an obstacle to greater mobility because they insist on various security policies. This can encourage IT departments to resist the latest technologies before proper security is in place or to establish too many passwords to access a system. “Security teams should be enabling teams rather than disabling teams,” stresses Olson. IT departments need to suggest new mobile technologies to other functions to demonstrate that they want progress and can take the lead in implementation. To do this, it is crucial to construct explicit projects with defined targets, benefits, alternatives, costs, and budgets. It is also important to set milestones of success to manage project risk, and develop technical capabilities to assess the value that security provides.


About Booz Allen Hamilton

Booz Allen Hamilton is a leading provider of management and technology consulting services to the US government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. Booz Allen is headquartered in McLean, Virginia, employs more than 25,000 people, and had revenue of $5.59 billion for the 12 months ended March 31, 2011.

Booz Allen understands that cybersecurity is no longer just about protecting assets. It’s about enabling organizations to take full advantage of the vast opportunities that the ecosystem of cyberspace now offers for business, government, and virtually every aspect of our society.

Those opportunities can be imperiled, however, by rapidly emerging cyber threats from hackers (hacktivists), organized crime, nation states, and terrorists. We help our clients in both business and government understand the full spectrum of threats and system vulnerabilities, and address them effectively and efficiently.

Booz Allen believes the key to cybersecurity today is integration—creating a framework that “thinks bigger” than technology to encompass policy, operations, people, and management. Through this Mission Integration Framework, organizations can align these essential areas to address the real issues, and develop cyber strategies and solutions that keep pace with a fast-changing world.

To learn more, visit www.boozallen.com. (NYSE: BAH)


About the Economist Intelligence Unit

The Economist Intelligence Unit is part of The Economist Group, the leading source of analysis on international business and world affairs. Founded in 1946 as an in-house research unit for The Economist newspaper, we deliver business intelligence, forecasting and advice to over 1.5m decision-makers from the world’s leading companies, financial institutions, governments and universities. Our analysts are known for the rigour, accuracy and consistency of their analysis and forecasts, and their commitment to objectivity, clarity and timeliness.


An Economist Intelligence Unit research program sponsored by Booz Allen Hamilton

©2011 Booz Allen Hamilton Inc.