Yesterday we reported on the importance of insurers tempering enthusiasm for mobile initiatives with realism about the security exposures this new channel can introduce. Today we follow up with Chris Potter, a U.K.-based information security partner with PwC, who elaborates on his recommendations for a mobile security strategy.
Potter says that it's important that insurers be clear about the planned usage of mobile devices when developing a security strategy for them. A good way to think of this, he says, is in terms of the "who," "what" and "how." He advises insurers to ask the following four questions:
- Who within the organization should be able to use smartphones or tablets to connect to the organization's systems, and what technology defenses will ensure that only their devices can connect?
- What will they be able to connect to? Is it just email and calendaring, or is the plan to give access to transaction processing systems or those that handle personal data?
- What devices will be allowed to connect? Some mobile operating systems are more secure than others -- which will the organization support?
- How will they connect? In particular, will data be stored on the local devices (or downloadable onto them)?
Once an insurer has answered these questions, the security strategy should next consider what processes and technology controls need to be put in place to mitigate the security risks, according to Potter.
"There are two main risks here: legitimate devices could be lost or stolen, or an unauthorized device could be used to break into systems," Potter cautions. "It's generally a good idea to ensure there is strong authentication and encryption on the mobile devices themselves. For corporate mobiles in particular, there are mobile device management solutions which allow an organization to wipe the data on a mobile that is reported lost or stolen and lock it out of corporate systems."
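As an added illustration (not code from the article or from PwC), the following Python sketches how the "who," "what" and "how" answers and the lost/stolen controls Potter describes can be expressed as an enforceable policy: only enrolled devices on supported operating systems may connect, each role reaches only the systems it was granted, and a device reported lost or stolen is locked out immediately and queued for a remote wipe. Device identifiers, user names, roles and OS version thresholds are constructed placeholders, and user authentication (for example with a second factor) is assumed to have happened before this device check runs.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class DeviceState(Enum):
    ENROLLED = "enrolled"
    LOST = "lost"       # reported lost or stolen: locked out, wipe pending
    WIPED = "wiped"     # device acknowledged the remote wipe
    RETIRED = "retired"


@dataclass
class Device:
    device_id: str                 # assumed to be taken from a device client certificate
    owner: str
    os_name: str
    os_version: Tuple[int, int]
    state: DeviceState = DeviceState.ENROLLED


@dataclass
class AccessPolicy:
    """The 'who', 'what' and 'how' answers encoded as data (constructed values)."""
    supported_os: Dict[str, Tuple[int, int]]   # which devices: minimum OS versions
    role_resources: Dict[str, Set[str]]        # what: systems each role may reach
    user_roles: Dict[str, str]                 # who: role of each user

    def os_supported(self, os_name: str, version: Tuple[int, int]) -> bool:
        minimum = self.supported_os.get(os_name.lower())
        return minimum is not None and version >= minimum


class MobileFleet:
    """Registry of enrolled devices plus the lost/stolen workflow."""

    def __init__(self, policy: AccessPolicy) -> None:
        self.policy = policy
        self.devices: Dict[str, Device] = {}
        self.wipe_queue: List[str] = []   # device ids awaiting a remote wipe
        self.audit: List[str] = []

    def enroll(self, device: Device) -> bool:
        # Unsupported platforms never make it onto the registry
        if not self.policy.os_supported(device.os_name, device.os_version):
            self.audit.append(f"enroll denied {device.device_id}: unsupported OS")
            return False
        self.devices[device.device_id] = device
        self.audit.append(f"enrolled {device.device_id} for {device.owner}")
        return True

    def report_lost(self, device_id: str) -> bool:
        device = self.devices.get(device_id)
        if device is None:
            return False
        device.state = DeviceState.LOST     # lock the device out immediately...
        self.wipe_queue.append(device_id)   # ...and queue the remote wipe
        self.audit.append(f"lost/stolen {device_id}: locked out, wipe queued")
        return True

    def acknowledge_wipe(self, device_id: str) -> bool:
        device = self.devices.get(device_id)
        if device is None or device.state is not DeviceState.LOST:
            return False
        device.state = DeviceState.WIPED
        self.wipe_queue.remove(device_id)
        return True

    def authorize(self, device_id: str, user: str, resource: str) -> Tuple[bool, str]:
        """Decide whether an already-authenticated user may reach `resource`
        from `device_id`; this checks device trust and scope, not identity."""
        device = self.devices.get(device_id)
        if device is None:
            return False, "device not enrolled"
        if device.state is not DeviceState.ENROLLED:
            return False, f"device {device.state.value}"
        if device.owner != user:
            return False, "device not registered to this user"
        if not self.policy.os_supported(device.os_name, device.os_version):
            return False, "OS no longer supported"
        role = self.policy.user_roles.get(user)
        if resource not in self.policy.role_resources.get(role, set()):
            return False, "resource not permitted for role"
        return True, "ok"


def demo() -> MobileFleet:
    # Constructed sample policy and fleet for illustration only
    policy = AccessPolicy(
        supported_os={"ios": (15, 0), "android": (12, 0)},
        role_resources={"staff": {"email", "calendar"},
                        "claims_handler": {"email", "calendar", "claims_system"}},
        user_roles={"alice": "claims_handler", "bob": "staff"},
    )
    fleet = MobileFleet(policy)
    fleet.enroll(Device("dev-alice-1", "alice", "ios", (16, 1)))
    fleet.enroll(Device("dev-bob-1", "bob", "android", (13, 0)))
    fleet.enroll(Device("dev-bob-old", "bob", "android", (9, 0)))   # rejected: too old
    return fleet


if __name__ == "__main__":
    fleet = demo()
    print(fleet.authorize("dev-bob-1", "bob", "claims_system"))
    fleet.report_lost("dev-alice-1")
    print(fleet.authorize("dev-alice-1", "alice", "email"))
    for line in fleet.audit:
        print(line)
```

The `authorize` check is where the two risks Potter names meet: an unenrolled or mismatched device is refused regardless of who holds it, and a lost device is refused from the moment it is reported rather than only once the wipe command has reached it.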