But while the devices proliferate, their capabilities increase, and that actually brings a significant risk, since a single smart phone with a meager 8 GB of storage can carry enough proprietary, secret, sensitive, or otherwise private data to just about destroy a business–when the phone falls into the wrong hands. Thus, businesses and consumers alike are waking up to the risks of those handy gadgets.

Businesses must lead the way in managing the risk, and Paul Korzeniowski over at InformationWeek has a nice, short article entitled “Five Steps to Managing Mobile Devices.” It’s worth a read, and business owners and managers must start by getting over the psychological hump–you can manage the devices or, at the very least, you can make some decent headway to at least reduce your risk.

Here are Korzeniowski’s steps, in summary (please read the full article):

Step 1: Inventory Employee Mobile Devices

Step 5: Move To More Sophisticated Applications

Once again, here’s that link to the full article–worth a few minutes’ read. And, while we’re at it, it’s worth noting that insuring these devices is a very, very good idea as well. And it’s very affordable. See MyLaptopGPS Premier Partner Safeware Insurance for more information.

A nice summary article can be found at NextGov (thanks to Jake K at DataLossDB for that tip). According to the article, the White House review found that “quantifying the value of protection motivates organizations to address vulnerabilities.” And when it comes to crunching numbers, especially with dollar signs attached, the CFO is typically front and center. The message of the guide is clear and very well underscores the growing realization, worldwide, that data security is actually not “an IT issue.”

In many organizations–in fact in most organizations–the security of data is referred to the “IT department.” It is true that IT tends to be the proper group to actually implement protections. But what tends to happen, before solutions can even be discussed or pursued, is called the brick wall of “funding” or “budgetary appropriations.” Quite simply, IT isn’t given the money or the clout to really deal with “data security” and, lacking the leadership and key sponsorship of the CFO, it fizzles. A few steps may be taken but, far and away, the priorities fall elsewhere.

Back to the guide, or “handbook,” the cost estimates included are helpful to make the point that this is indeed a business-wide decision. Here’s an excerpt from the NextGov article:

The publication estimates a data breach of 10,000 records containing personal identification information would cost about $1.6 million, assuming the company carried breach insurance with an 80 percent coverage of direct costs. That sum includes direct expenses for investigations and forensics, consulting services, notification of affected individuals, public relations, legal defense, and credit and identity monitoring — as well as the indirect cost of lost business. The handbook cites several analytical models to help chiefs assess costs and benefits.

Steps to bolster protection also include learning to view digital safety as a business strategy rather than as an operational responsibility and leading a cyber risk team of appropriate subordinates organizationwide. This team should meet in person, if possible, the publication notes. Face-to-face interactions can prevent the confusion that often occurs when separate business units speak in jargon.

Very helpful, indeed, as even the “geek speak” of the day can cause crucial issues to be lost in translation. The news headlines are packed with examples of what happens when these issues aren’t solved in time.

Then, two weeks (to the day) later, Ponemon Institute released another superb study, sponsored by IronKey, this time entitled “Trends in Insider Compliance with Data Security Policies” with the following subtitle:

“Employees Evade and Ignore Security Policies”

If you are tempted to accuse me of collusion or conspiracy here, as if I was actually in on the Ponemon study, hold back! I had no involvement and knew nothing of the impending release. What I did know was the truth: employees evade and ignore security policies!

The study is full of juicy statistics that prove this critical, bottom-line fact.

So, this week’s Tip of the Week is to use good technology to “beat” employees. Not physically (I am pretty sure that’s illegal). Rather, defeat them. I hate to foster an adversarial relationship, but if you set policies designed to protect your business, and the employees undermine them, then in the end you need to employ methods to ensure effective protection.

A big piece of the puzzle is to develop good relationships with employees–the study itself even indicates that as employee good-will rises, non-compliance decreases, as we might expect.

But don’t rely on warm fuzzies to protect your critical data. Use unobtrusive technology designed not to be seen, heard, or messed with by employees. MyLaptopGPS is certainly one example, and IronKey’s own products are more examples.