How to address mobile compliance in a business setting
When organizations plan for compliance and data security, they need to consider mobile devices due to their proliferation in a business setting and how easy it is to lose them.
Experts often talk about IT compliance in terms of highly regulated industries -- financial, healthcare and government -- but the truth is that most industries have significant data protection obligations.
However, the mobile compliance discussion remains underserved despite the growing use of Android and iOS devices to access sensitive customer data. The Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Regulation (GDPR) are some of the significant laws that dictate compliance policy standards for IT, but there are many local regulations that govern data disclosures and privacy that organizations must also take into account.
For example, California has the California Consumer Privacy Act (CCPA), which applies to doing business with customers in that state.
The wholesale move to software as a service (SaaS) and cloud applications across many industries means compliance issues can affect PCs, laptops and mobile devices -- especially smartphones and tablets. Hybrid and remote work models enable employees and contractors to access sensitive corporate data from outside traditional corporate network endpoints.
What mobile compliance requirements are common in the enterprise?
Mobile devices -- especially in a BYOD scenario -- create unique compliance challenges because mobile workers have the same access to corporate data using a mobile app as they do on their corporate PC. These challenges only mount with the GDPR, which affects most organizations even if they aren't based in the EU. GDPR has several key disclosure and control requirements. They are as follows:
Provide notice of any personally identifiable data collection.
Notify the public of any data breaches.
Obtain consent of any person whose data is being collected.
Allow people whose data is being collected to see, modify and delete any information about themselves.
The current U.S. federal, state and local regulations don't go as far as GDPR in most situations, but the U.S. might expand to a similar level of regulatory severity in the near future. Best practice dictates that IT should meet the most stringent criteria across its organization to become future-proof, avoid major noncompliance penalties and prevent customer backlash.
Why is mobile compliance so difficult to manage?
Mobile device data breaches can be particularly problematic because many organizations don't have the appropriate monitoring capabilities to determine if devices have been breached in the first place.
Nearly half of the companies surveyed in the 2022 Verizon Mobile Security Index said they had suffered a compromise involving a mobile device in the past 12 months. Companies with a global presence were even more likely to have been affected. More than three in five -- 61% -- had been hit, compared to 43% of organizations with only a local presence.
Obviously, there is a major gap in enterprise knowledge of mobile security incidents.
Many organizations aren't certain what data users store on their mobile devices. This is a major challenge from a mobile compliance perspective and could cause disaster for any audited organization.
What can IT do to meet mobile compliance regulations?
Here are some strategies that IT departments can put into place to better prepare a mobile device fleet to remain compliant:
Establish and enforce an organization-wide mobile policy
To comply with major regulations and address the threat of mobile security incidents, IT should establish a fully vetted, organization-wide mobile policy. This policy should clearly define what information users can store locally, such as customer lists and personal data, when and how users can operate their mobile devices, which corporate systems they can connect to, and levels of login requirements such as biometrics, single sign-on and encryption.
Enforcing these policies requires an organization to implement a mobile device management (MDM), enterprise mobility management (EMM) or unified endpoint management (UEM) tool from a vendor such as Microsoft, Kandji or Jamf. Without an effective mobility management suite, IT teams can't fully set appropriate policies and monitor data use and flow well enough to maintain compliance with all required regulations.
IT departments in highly regulated industries are likely already aware of what's required in their field. In some cases, IT will maintain its own systems to assure compliance, and in some cases organizations will outsource mobility management to a third party, such as a mobility managed services provider (MSP) that's well-versed in compliance issues.
Implement an effective mobile security strategy across the device fleet
Mobile devices are at a higher risk of theft, loss or compromise in hybrid and remote work scenarios, thus putting sensitive corporate data at risk. Use an MDM platform to provide a standard level of encryption, secure authentication and remote wipe capabilities.
Managing corporate-owned devices makes implementing an effective strategy easier. Managing the compliance of BYOD endpoints becomes more challenging due to the diversity of configurations, mobile OSes and app versions across user devices. The only way to preempt these challenges is to spend the extra time to put in a support structure for BYOD, starting with device requirements governed by MDM policies to help ensure mobile compliance by the authorization of devices.
Institute a compliance plan for mobile users
Organizations without an internal compliance plan for mobile users should either install one, seek guidance from a consulting group familiar with compliance topics or fully outsource compliance to a third party specializing in enterprise mobility. These are some notable examples of mobile data breaches and compliance failures:
Zoom was found to share users' personal data with Facebook without user consent, violating HIPAA regulations. In 2021, Zoom paid $85 million for failing to comply with HIPAA regulations. Allegations included Zoom sharing users' personal information with Facebook and Google without user consent and lying about its encryption practices.
WhatsApp was fined $267 million in 2021 for violating GDPR related to a May 25, 2018, update to its Terms of Service.
Bank of America, Barclays and Morgan Stanley are among the banks that have disclosed agreements to pay as much as $200 million because of employee use of unapproved messaging apps.
Also, the Attorney General of the State of California announced an investigative sweep in January 2023 focusing on mobile app compliance. They sent letters to businesses in the retail, travel and food services industries that allegedly fail to comply with the CCPA, in particular, consumer opt-out requests or consumers who want to stop the sale of their data.
Regularly monitor and update software and devices
Just as IT teams must monitor and update the software, PCs and servers that comprise the corporate network, IT must extend a similar strategy over the corporate-owned and BYOD endpoints and software that interact with IT infrastructure and back-end systems to ensure security and compliance.
A PCI DSS publication entitled PCI Mobile Payment Acceptance Security Guidelines is an excellent example of a compliance standards body publishing useful best practices for mobile compliance.
Maintain accurate records
Managing the mobile device lifecycle with its accurate records is a necessity in meeting mobile compliance regulations. Records include tracking which devices an organization issues to employees, which employees have access to sensitive corporate data, and what security measures are on employee devices.
Hybrid and remote work require organizations to rethink how they educate their users about mobile security and compliance.
Deliver ongoing mobile security training to all users
Hybrid and remote work require organizations to rethink how they educate their users about mobile security and compliance. Mobile device security can no longer be a module in an online security awareness training course that's fluffy with little regard to specifics for the organization, leading employees to blow through the course so they can email their manager a PDF certificate.
Mobile security training in the hybrid and remote work era requires the following:
Dedicated mobile device training starting from the time of employee onboarding that focuses on security and compliance.
Publication and dissemination of mobile security-focused job aids and documentation through channels such as Notion or other centralized platforms.
Mobile security becomes part of team meetings and asynchronous communication channels such as Slack.
"Just-in-time" mobile security training as new threats surface in the industry or as the mobile security strategy changes is a necessary follow-up.
Take mobile compliance seriously
Some organization's mobile devices have likely been hacked without their security team knowing. It's imperative that all organizations, not just regulated ones, take mobile compliance seriously and instill that to the entire organization on a cultural level. IT and management must ensure that the entire fleet of mobile devices is as compliant as their installed base of PCs. Failure to do so could result in major fines, loss of customers, negative public relations and in some cases executives going to jail.
