Digital devices turn up the heat on corporate risk managers

More and more, people are walking sources of data, some trivial, some highly confidential. It's in their iPhones or their laptops or the tablets they carry from home or from work.

In recent years, a Minnesota hospital and a nonprofit in the health field separately had laptops stolen that contained patient information, including Social Security numbers. A department store had credit card information stolen.

Protecting that data is a new cottage industry.

Christopher Jeffrey is a partner in the Minneapolis office of the accounting and advisory firm of Baker Tilly who works with corporate clients in reducing the potential for data breaches. Jeffrey and Washington, D.C.-based Baker Tilly senior manager Mike Cullen last week talked to the Star Tribune about the security challenges in this data-driven world.

Q: How would you describe the level of interest in mobile device security these days?

Jeffrey: It's a conversation that I'm having with most of my clients right now. I currently have three to four projects involving the mobile device issue. This is an issue that is hitting the audit committee and senior management levels of my clients. Look at workers — everyone is carrying an iPhone or an iPad or a laptop. Many carry two or three of those devices and more and more security is something that companies have to deal with.

Cullen: There's a recognition now by companies that data has a real value for consumers, for competitors.

Q: How long has this issue been percolating?

Jeffrey: It's something that started coming up in the last couple of years but in the last eight to 12 months corporate boards and senior management have realized that there is a risk here that they need to be concerned with.

Q: How do you address those risks?

Jeffrey: It starts with good internal policies and procedures. People are bringing their own devices to the workplace and you need to know how that phone, for instance, interacts with your IT system. You need a procedure to manage each employee's devices that allows the company to wipe data from a phone if it is lost or stolen or shut the port.

We have an app called Airwatch for an iPhone. Data is never actually in the phone. It's like accessing a website. It allows me to view data instead of storing it. The IT department can shut the app off if need be.

Cullen: The number of devices per person has exploded. There's literally a new iPhone every month, which leads to issues with security. Solutions like Airwatch allow us to manage different devices.

Q: Are there horror stories about data breaches?

Jeffrey: Everyone can relate to laptops being stolen or phones being stolen. My buddy was in a New York deli and set his phone down for a minute and it was stolen. Those things happen all the time. Our laptops are highly encrypted, but that is not standard across the board. In 2005, TJ Maxx had credit card data stolen for 45.6 million customers that resulted in a $4.5 billion loss. Hackers are looking for branded names to get into all the time.

Cullen: Most of us have received letters from a bank or a credit card company about potential breaches of their security.

Q: How do you mitigate loss of data?

Jeffrey: Most breaches happen from the inside, either intentionally or unintentionally — responding to a phishing attempt, for instance. Prevention really starts with good policies and procedures. That can involve such simple things as just classifying data — what type needs to be confidential and what doesn't. You should store confidential data on a secure drive that is encrypted. You should have good password control. This is not rocket science. It's about knowing the risks that are out there. We're seeing clients move confidential data to the cloud or data centers.

Q: Can security be improved?

Cullen: Hackers are getting smarter. You have to keep up with what's happening in the world. Hackers go to the weakest point. It's hard to get inside the Bank of America but Bank of America works with a lot of smaller companies, and hackers go to the path of least resistance.

Jeffrey: I think we'll see biometric security features like fingerprint scanners, although someone has already figured out how to crack that. None of that is bulletproof by any stretch. With the growing use of smartphones to pay for items, security around that is going to become more and more important. Authentication questions like your dog's name or the street where you grew up or your mom's maiden name can all be found on Facebook. You have to watch what you put on social media. It all starts with common sense.

David Phelps • 612-673-7269