Risk Management Approaches to Reduce Security Risks from Handheld and Mobile Devices
September 19, 2012 | Strategic Insights for Health System
Organizations that permit employees to use handheld and mobile devices for work must have a written mobile device security policy as a risk management measure to protect the organization from the risks associated with the devices, said Catherine Mulligan, senior vice president, Zurich NA, speaking at a September 18, 2012, webinar, “Cyber Security: The Growing Liability of Handheld & Mobile Devices,” held by Advisen Ltd. Risks include lost and stolen mobile devices, which may have confidential data stored on them, resulting in data breaches; malware targeted at mobile devices; and web-based threats. When data breaches occur, federal and state regulations require organizations to notify individuals affected by the breach as well as federal and state regulators. For example, the Health Information Technology for Economic and Clinical Health Act requires that healthcare organizations notify affected individuals within 60 days following the discovery of a breach of unsecured protected health information. Mulligan recommended that the risk management plan for mobile device security include provisions explaining action steps for an employee whose mobile device is lost or stolen and the organization’s incident response plan. “Timing is critical,” she said, explaining that an organization must be able to act promptly if a device is lost or stolen—for example, to remotely access the device and delete any data stored on it.