Executives are also worried, and justifiably so. Given the recent litany of highly publicized – and in some cases financially damaging – corporate security breaches, many executives have started to fret about the potential security risks that mobile may bring to their businesses.
And while this high level of paranoia and concern may simply be dismissed as the natural birth pangs of any new technology, the threat and risk must be taken seriously. Those that manage the risk well will find that this mobile revolution actually leads to greater security and privacy protection, while simultaneously delivering opportunities to engage with clients and customers in exciting new ways.
Being its own worst enemy
There is some truth to the idea that mobile – currently – is somewhat riskier than some other forms of technology or payment. In fact, some of the most compelling benefits of mobile also act as a double-edged sword. Their small size and compact design, while a key feature for consumers, also mean that mobiles frequently end up lost in the back of cabs and other public places. Their small user interfaces and tiny keypads – central to their convenience – also tend to lead users to choose shorter and often less secure passwords. And as more and more of our activities start to be enabled by mobile, so too will the amount of personal data that must be kept secure on our devices grow.
And the simple truth is that things are only likely to get more complicated as more and more devices come onto the market alongside an avalanche of new apps and functions. Each will open mobile up to weaknesses that can potentially be exploited by the nefarious.
But, taken in balance, it would seem that the potential security and privacy attributes of mobile may – in the long term – far outweigh the risks. Already, many forms of mobile payments have become more secure than cash or checks. A lost wallet, for example, would require the estranged owner to cancel all credit and identity cards and essentially kiss any of the cash in the wallet goodbye. A lost mobile, on the other hand, can quickly and remotely be wiped clean and the data swiftly migrated to a new device – with money and identity intact.
New approaches to mobile security are now starting to emerge, many using the unique characteristics of mobile devices to reinforce and strengthen protocols. By using the geo-location feature of a cell phone when faced with a suspicious transaction, card companies can surmise – with a relatively high level of confidence – whether the cardholder was, in fact, present at the transaction. It’s not too far a leap to prophesy the introduction of biometric authorization using the device’s camera, or any number of new approaches that turn science-fiction into reality.
Taking a balanced approach
Rather than let security and privacy concerns paralyze the development of a mobile strategy, business executives must instead embrace mobile and – by carefully considering its inherent risks and opportunities – work to develop a sound strategy that reduces risk and safeguards data. And while security approaches will be different from company to company, there are a number of common considerations that may universally apply.
- Ease of use: Mobile security processes must be straightforward and convenient. The more complicated the process, the more opportunity is left open for phishers and hackers to take advantage. Executives must be sure that their security measures never start to overshadow the convenience of the mobile channel.
- Customer awareness: Education will be a key component of overcoming consumers’ security concerns. At the business-to-consumer level, this will require companies to clearly explain the measures they have taken to protect their customers. At the industry level, businesses must band together to articulate the real risk profile of mobile to a skeptical general public.
- Technology planning: Executives will need to ensure that their developers and IT leaders are thinking about the deeper tactical implications of mobile and how these impact the risk profile for the company. For example, how much information will be stored on the device versus in the cloud? Will upgrades to applications be automated to ensure security gaps are quickly slammed shut?
- Ongoing verification: Given the speed of change in the mobile ecosystem, executives will need to focus on creating appropriate controls and governance processes to ensure that any changes to the platform or software are thoroughly tested and certified to meet the high expectations of customers.
The bottom line is that executives have every right to be wary of the security and privacy risks involved in mobile, but not to the detriment of their mobile strategies. Indeed, those that are able to manage and mitigate the risks while pushing forward with mobile innovation will almost certainly find themselves poised to dominate in this new market.
By Stephen Bonner, Partner, Information Protection and Business Resilience, KPMG in the UK