Flaw 2: We use disk encryption and VPN — that's enough
Don’t assume that basic data-at-rest encryption (file, folder, drive) and data-in-motion encryption (VPN) are enough to protect information on mobile devices. Conventional security boundaries no longer exist in the mobile world. Encryption cannot be guaranteed by platforms, operating systems or apps. An information-centric view assumes that information is at risk unless restricted. This view accounts for the possibility of poorly defended devices and networks, and of targeted attacks at offices, conferences and similar venues. Data should be continuously encrypted at rest and in motion.
Flaw 3: We’ve never experienced mobile data leakage
Don’t assume that your information is not important enough to make you a target for a data breach, or that the chances of a leak are too small to bother with. In reality, every company has valuable information about customers, suppliers, investors, bank accounts and more. The information-centric view assumes an incident can happen to any company and any person. Protecting all information by default is better practice than assuming that data left in the clear within the defense perimeter will not be accessed. This protects not only your own company, but also your supply chain, investors, contractors and others for whom you retain information.
Flaw 4: We can talk our way out of this data breach
Don’t assume your investors, customers and supply chain will accept excuses after a breach. No one who’s been the victim of information theft feels empathy for the company that lost their information. While cyber insurance is a valid business investment to cover losses after breaches, claims will become harder to collect and prices will go up.
Information-centric data protection is your safety net when other defenses fail to stop leaks. It also gives mobile users far more flexibility to work safely with and to share protected information. Security leaders must remember that the ultimate goal of attacks is to obtain information. Organizations have ethical, moral and legal imperatives to protect the information entrusted to them.