For Andrew S. Braunstein, mobile data security is top priority.
As chief technology officer of HealthWyse—a Wilmington, Mass.-based firm that provides software and data services to the home care, hospice, and private duty markets—Braunstein is on top of the strict laws governing patient medical records, forcing firms like HealthWyse and its clients to exceed the security standards most companies set on employee mobile devices.
But some companies are falling behind, according to a new study conducted by the Palo Alto, Calif.-based Business Performance Management Forum. In some enterprises, other compliance related priorities are overshadowing the need to regulate
The BPM Forum interviewed a select group of executives and surveyed nearly 700 others finding that as many as 40% of these firms failed to regulate the use of mobile devices. While important information may exist on some mobile devices, companies are not taking this security issue seriously, said Adriano Gonzalez, vice president of strategy and programming for the BPM Forum.
"Many organizations are asleep at the wheel," Gonzalez said. "The answer that commonly surfaced was that they were not allocating enough in the budget to address the issue."
About half of those surveyed estimated that a minimum of 25% of mobile devices carry mission critical information. In addition, 27% of the respondents said that most of the mobile devices in their companies currently transmit proprietary enterprise data.
Businesses must track and archive billions of messages to comply with the Sarbanes Oxley Act, a set of federal regulations that protect against accounting errors and fraudulent procedures in the workplace.
Still, companies are not fully addressing data mobile device data transmission, according to the BPM Forum. The survey found that 21% of respondents said other compliance issues are taking a higher priority; and 12% said budget constraints have prevented them from taking action.
"Management is still largely concentrating on establishing legacy compliance," Gonzalez said. "They've forgotten about the major exposure related to mobile devices."
Braunstein, whose firm specializes in software for personal digital assistants (PDAs) in the healthcare industry, said he has seen firms act passively, relying instead on employee know-how. Other companies take an aggressive approach, making mobile devices almost useless. The challenge is to find a happy medium, he said.
"Large companies with sophisticated IT departments apply policies internally, but smaller firms have people who probably don't understand what they're doing with company data on their mobile devices," Braunstein said.
With more employees introducing consumer devices, such as PDAs, BlackBerrys and even iPods in the workplace, IT managers are trying to get upper level management to set strict policies about their use, Gonzalez said.
IT managers are not agreeing with management on the amount of time and money spent to address mobile data security, according to the survey. While 50% of compliance, finance and legal executives say that mobile compliance has a strong level of influence in the overall IT and network strategy, only 35% of IT officers feel the same way, Gonzalez said.
Despite the tools and encryption software available to protect sensitive data, respondents said it would likely take a major breach for management to act. The challenge is to get firms to begin by putting guidelines in place to educate employees, Gonzalez said.
"There are a number of companies that have not addressed the issue appropriately, but as organizations adopt more appropriate governance frameworks, those companies will follow," Gonzalez said.