Four Ways to Mitigate Mobile and Cloud Data Leaks

CIOs push data into the cloud. Employees post ever more personal and professional information on social-networking sites. And as the WikiLeaks organization talks about releasing secret information about Swiss bank accounts—on top of rumors that it may disclose documents from a large bank in the United States—CIOs find themselves reviewing internal policies and answering questions about security from their CEOs.

“Oh yeah, we’ve had a lot of questions,” says Srini Cherukuri, senior director of IT operations at Matson Navigation, a $1.2 billion ocean shipping company. And, he admits, he doesn’t yet have all the answers. The same CEOs who fret about WikiLeaks also expect to do company business on their shiny new personal smartphones and tablets. That’s a bigger threat, Cherukuri says.

Frank Modruson, CIO at Accenture, agrees. No technology or policy can reliably prevent a leaker from leaking, he says. “WikiLeaks is more of an HR and legal issue than a technology one. Somebody who was trusted shared information he wasn’t supposed to.”

Banning consumer devices at work won’t stop people from using them, Modruson says, which creates a bigger risk. “The most difficult things to secure are the things you don’t know you have.”

Insider threats always exist, but consumer technology and cloud computing present a more urgent risk that CIOs must mitigate. Here are four tips:

Have a smartphone policy. Employees lose smartphones and CIOs have to worry about the corporate data stored on those lost devices. In the absence of tools that can remotely erase just the business information from missing smartphones while leaving personal data untouched, Matson Navigation has had to enact a harsh policy. That is, if you lose your phone, Matson erases all the data on it. At the same time, Cherukuri encourages employees not to download company data onto their personal devices. He predicts it’ll be another year before vendors come up with reliable “scalpel” software that lets IT departments erase individual pieces of information from a phone.

Enforce password use. Most smartphone users don’t bother setting up a password to lock the device, but CIOs should mandate that they do it, says Henning Hagen, a principal at Booz and Co. In fact, he advises varying levels of authentication to provide tight security when a phone goes missing. Experiment with adding secret questions, tokens that generate one-time passwords and biometrics that match fingerprints.

Take the reigns of the iPad. Some of the executives at Focus Brands, a franchisor of the Carvel, Cinnabon, Moe’s Southwest Grill, Schlotzsky’s, Auntie Anne’s and Seattle’s Best Coffee food franchises, use iPads to access e-mail, calendars and the Internet. Focus Brands’ CEO also uses his iPad for e-mail, among other things, says Todd Michaud, the company’s vice president of IT. But because he hasn’t fully figured out how to secure iPads, Michaud has so far limited their rollout, he says.

Control the cloud. Not only should CIOs make a map of which cloud providers have what portions of their corporate data at any given time, they should also become experts in all the security standards that apply to their company, advises Cherukuri. Before signing a deal with a cloud vendor, run through the list of security measures in detail to be sure it complies. Regularly verify that security agreements are upheld, perhaps by assigning a staff member to monitor outside providers regularly. Look at audit logs, have conference calls and visit the locations where they keep your data, he advises. “You want to examine their processes on the ground.”

Follow Senior Editor Kim S. Nash on Twitter: @knash99.