Experts often talk about IT compliance in terms of highly regulated industries -- financial, healthcare and government -- but the truth is that most industries have data protection obligations.
HIPAA, PCI and GDPR are some of the major laws that dictate compliance standards for IT, but there are many local regulations that govern data disclosures and privacy that organizations must also take into account.
Some organizations focus on securing PCs and laptops, but this approach overlooks the current generation of mobile devices and their ability to cause compliance issues.
What mobile compliance requirements are common in the enterprise?
Mobile devices -- especially in a BYOD scenario -- create unique compliance challenges. This is especially true with the relatively recent GDPR, which affects most organizations even if they aren't based in the EU. GDPR has a number of disclosure and control requirements. They are as follows:
- Provide notice of any personally identifiable data collection.
- Notify the public of any data breaches.
- Obtain consent of any person whose data is being collected.
- Follow record keeping requirements on how data is stored and used.
- Allow people whose data is being collected to see, modify and delete any information about themselves.
The current U.S. federal, state and local regulations don't go that far in most situations, but the U.S. may expand to a similar level of regulatory severity in the near future. Best practice dictates that IT should meet the most stringent criteria across its organization to become future-proof, avoid major noncompliance penalties and prevent customer backlash.
Why is mobile compliance so difficult to manage?
Mobile device data breaches can be particularly problematic because many organizations don't have the appropriate monitoring capabilities to determine if devices have been breached. Sixty-five percent of companies believe their mobile devices have never been hacked, but 50% to 65% of mobile users answer yes when asked if they have ever experienced a data breach, according to research from J.Gold Associates LLC. Obviously, there is a major gap in enterprise knowledge of mobile security incidents.
The vast majority of organizations aren't certain what data users store on their mobile devices. This is a major challenge from a mobile compliance perspective and could cause disaster for any audited organization.
What can IT do to meet mobile compliance regulations?
To comply with major regulations and address the threat of mobile security incidents, IT should establish a fully vetted, organization-wide mobile policy. This policy should clearly define what information users can store locally (such as customer lists and personal data), when and how users can operate their mobile devices, which corporate systems they can connect to, and the required levels of authentication and protection, such as biometrics, single sign-on and encryption.
To enforce these policies, organizations must install and maintain a high level of mobility management through an enterprise mobility management (EMM) or unified endpoint management (UEM) tool from vendors such as BlackBerry, Citrix, IBM, MobileIron and VMware. Without a strong mobility management suite, IT can't fully set appropriate policies or monitor data use and flow well enough to maintain compliance with all required regulations.
IT departments in highly regulated industries are likely already aware of what's required in their field. In some cases IT will maintain its own systems to assure compliance, and in some cases organizations will outsource mobility management to a third party that is well-versed in compliance issues.
Organizations without an internal compliance plan for mobile users should either establish one, seek guidance from a consulting group familiar with compliance topics or fully outsource compliance to a third party that specializes in mobility. While there aren't many examples of major mobile compliance failures and data breaches, mobile compliance is nevertheless a growing issue. Mobile devices today have huge storage capabilities and nearly unlimited connectivity to corporate systems, so they are lucrative targets for malicious actors.
It is very likely that some organizations' mobile devices have been hacked without the organization even knowing it. It's imperative that all organizations, not just regulated ones, take mobile compliance seriously and ensure that their mobile devices are as compliant as their installed base of PCs. Failure to do so could result in major fines, loss of customers, negative public relations and, in some cases, even executives going to jail.