Business Continuity and IT Security: Give Up or Give In?

There are different ways of looking at IT security involving end-user equipment such as PCs and mobile computing devices. One is to batten down the hatches at a corporate level, repel all viral boarders and let end-users fend for themselves. Another is to extend security to every end-user device and take responsibility for data integrity and confidentiality from beginning to end. Whether or not your organisation has a choice in the matter may come down to the nature of your business, and in particular to the regulation it operates under. How then will you know which approach to consider?

The recent trend in the use of personal mobile devices (tablets, smartphones) has led enterprises to try to extend conventional asset management to cover this new generation of devices and their owners. The challenge, however, is not just the multiplication of hardware configurations, software and operating system versions. With applications and data held in the cloud, for example, the tablet or smartphone takes on the role of a screen, a window onto a computing world beyond the device itself, or, to use terminology from a previous era, the role of a dumb terminal. From this perspective, user insurance against theft of the device and personal anti-virus software might seem to be the only two IT security measures needed for the device itself, with corporate controls on data and application access taking care of the rest. Even a pure "window" device, though, still holds the credentials and cached sessions that open that window, so a screen lock and the ability to revoke the device's access remotely belong on the list as well.

The difficulty comes when business data is stored on the device itself, for example for use in an application native to that device. A case involving a US health insurer, AvMed in Florida, which came to light in 2010, illustrates the point. The company reported the theft of two laptop PCs containing data on over 1.2 million customers. Although actual harm was not proved, AvMed agreed not only to pay for losses incurred as a result of identity theft, but also to reimburse customers for the share of their premiums the company had not spent on the IT security that health-sector rules required of it. Full-disk encryption on those two laptops would have turned the theft into a lost-hardware incident rather than a reportable breach of 1.2 million records, which is precisely why those rules treat properly encrypted data differently from data in the clear. In short, this was a case of an organisation that should perhaps have given in to its legal IT security requirements rather than giving up on end-user devices.