Unsecured mobile devices could open a new back door into your network

What kind of security policies do you enforce on mobile devices and smartphones that employees bring into the office? Are unsecured mobile devices opening up a backdoor into your corporate network?

A study conducted by Credant Technologies shows that the use of mobile phones or devices for work-related matters is on the upswing. In one sense this is good news: workers are increasingly able to make the most of their time, and smartphone shipments are projected to keep rising.

Some of the statistics from the survey are as follows:

  • 35 percent receive and send business e-mail
  • 30 percent use them as a business diary
  • 17 percent download corporate information, such as documents and spreadsheets
  • 23 percent store customers' information

In all, 600 commuters were interviewed at London railway stations. Interestingly, while 99 percent use their personal phones for some sort of corporate use or other, a quarter of them have actually been asked by their employer not to do so. The reason for that is simple enough -- losing one's mobile phone to theft or carelessness could open the way to devastating data leaks.

In addition, unlike laptops where stored information is usually limited to whatever is on the hard disk, mobile devices are increasingly equipped and configured to tap into storage repositories and databases inside the corporate network.

The use of unsecured mobile devices

What I thought to be of particular concern here is the fact that 40 percent of those surveyed in this random sample failed to protect their mobile phones with even a rudimentary password. Extrapolating from this lack of security consciousness, the contents of media cards are likely to be similarly unprotected. I would not be surprised if the percentages of users without a password or encryption were similar elsewhere.

The glaring problem here is that most mobile phones and many smartphones do not have inherent support for the security controls necessary for an enterprise lockdown. Various solutions are available depending on the mobile platform used, with the RIM BlackBerry and Microsoft's Windows Mobile leaving the rest pretty much in the dust at the moment. Of course, a BlackBerry or Windows Mobile smartphone that is not configured -- or is improperly configured -- remains insecure.

To fill the gap for other platforms such as Palm OS and Nokia's S60, a number of third-party applications that provide security controls for them do exist. One such example would be Good Technology's Good for Enterprise application suite. Recently acquired by Visto, the software suite brings enterprise device management and security -- among other features -- to a number of platforms and has native clients for Windows Mobile, Palm, and Symbian S60 devices. Other solutions include Sybase iAnywhere and DataViz RoadSync. The caution here is that these are not specifically created to implement security, though they do offer some form of limited encryption (iAnywhere) or remote device wipe (RoadSync).

Whatever the approach, a deliberate strategy needs to be put into place to prevent unsecured mobile devices from accessing the corporate network.
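As an added illustration, not code from the article or from any vendor it names, the following Python sketches what such a deliberate strategy looks like when written down as a check rather than a wish: each device in an inventory is evaluated against a minimal policy (passcode set, storage and media card encrypted, remote wipe available, enrolled in device management), and only compliant devices are granted network access, with the reasons for each denial recorded for follow-up. The `Device` records, the `POLICY` thresholds and the sample inventory are constructed for the example; a real deployment would pull them from a device-management system.

```python
"""Added example: gate corporate network access on a minimal mobile device policy.

Illustrative code written for this article. The device records and the policy
thresholds below are constructed, not taken from any real inventory or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    owner: str
    platform: str
    passcode_set: bool          # rudimentary lock screen password in use
    storage_encrypted: bool     # internal storage AND any media card encrypted
    remote_wipe_enrolled: bool  # device can be wiped if lost or stolen
    managed: bool               # enrolled in enterprise device management


# Each requirement can be switched off independently, so the policy can be
# phased in (e.g. passcode first, encryption later) without changing the code.
POLICY: Dict[str, bool] = {
    "require_passcode": True,
    "require_encryption": True,
    "require_remote_wipe": True,
    "require_management": True,
}


def evaluate(device: Device, policy: Dict[str, bool] = POLICY) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Allowed only when every enabled requirement is met."""
    reasons: List[str] = []
    if policy["require_passcode"] and not device.passcode_set:
        reasons.append("no passcode")
    if policy["require_encryption"] and not device.storage_encrypted:
        reasons.append("storage not encrypted")
    if policy["require_remote_wipe"] and not device.remote_wipe_enrolled:
        reasons.append("no remote wipe")
    if policy["require_management"] and not device.managed:
        reasons.append("not enrolled in device management")
    return (not reasons, reasons)


def gate(devices: List[Device], policy: Dict[str, bool] = POLICY) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an inventory into owners granted access and owners denied (with reasons)."""
    allowed: List[str] = []
    denied: Dict[str, List[str]] = {}
    for device in devices:
        ok, reasons = evaluate(device, policy)
        if ok:
            allowed.append(device.owner)
        else:
            denied[device.owner] = reasons
    return allowed, denied


def passcode_gap_rate(devices: List[Device]) -> float:
    """Fraction of devices with no passcode, the figure the survey in the article reports."""
    if not devices:
        return 0.0
    return sum(1 for d in devices if not d.passcode_set) / len(devices)


# Constructed sample inventory covering the platforms the article mentions.
SAMPLE_INVENTORY: List[Device] = [
    Device("alice", "BlackBerry", True, True, True, True),
    Device("bob", "Windows Mobile", False, True, True, True),
    Device("carol", "Palm OS", True, False, False, False),
    Device("dave", "S60", True, True, True, True),
    Device("erin", "iPhone", False, False, False, False),
]


if __name__ == "__main__":
    ok, blocked = gate(SAMPLE_INVENTORY)
    print("allowed:", ok)
    for owner, why in blocked.items():
        print(f"denied {owner}: {', '.join(why)}")
    print(f"devices without a passcode: {passcode_gap_rate(SAMPLE_INVENTORY):.0%}")
```

The point of returning reasons rather than a bare yes/no is operational: the denial list is exactly the worklist for the loss-remediation and user-education steps discussed later in the article, and the per-requirement switches in `POLICY` let the controls be rolled out across the organisation in stages instead of all at once.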

The absence of a mobile usage policy

While computer usage policies are common in organizations by now, the situation is different when it comes to policies pertaining to the usage of mobile devices. A mobile usage policy needs to be in place, followed by the implementation of security controls. This is hardly as easy as it appears, since these controls have to span the entire organization hierarchy in order to be effective. In addition, loss remediation procedures need to be drawn up and made known.

Finally, another obvious action would be to educate all staff about the security and legal implications of downloading sensitive information to their own personal and corporate phones. An altogether more draconian approach would be to forbid employees to use their own phones for corporate purposes -- though its effectiveness is questionable unless corporate devices are furnished by the company.

In conclusion, mobility is expanding the corporate network far beyond the boundaries of the enterprise firewall. CIOs and administrators need to give a lot more thought to what needs to be done to address this enlarged network, and they need to get on with it quickly.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

13 comments
rdg

Is there a way to use a conventional fax machine with VoIP?

rdg

Is there any difference between Windows Mobile and Blackberry (other than WM not working) in terms of security?

davem

There's a bit of an us versus them mentality being expressed here. Rather than view the desire for mobile device access in adversarial terms, why not examine a few key security issues, develop solid intelligence on why these issues need to be taken seriously from the point of view of the business and present it to higher level management for their consideration. If the business case (I don't mean ROI or cost of servicing mobile devices, etc. I mean what will happen to the business when - not if - there's a serious security breach) is compelling, you can bet management will create a policy. Then, the onus is on them rather than IT, because it's their policy. Essentially, the idea is to instill the proper level of fear and anxiety that they will take responsibility for instituting some controls. Approached properly, IT would be perceived as a forward thinking ally that understands what matters to the business rather than a bunch of nerds that are focused on trying to minimize their work. Obviously, the latter perception is inaccurate, but it's also widespread. Treating management and users as the enemy, however, will only reinforce it.

Photogenic Memory

I don't know what the hell I just said; however, is it possible for IT people to push back management on this? If you know that a new "swanky" device just isn't a good mesh with security of your network; is there some way to prove this and win against management? I mean you could create documentation, cite instances, or actually demonstrate the product's weakness and inefficiency but that just creating more of a headache? Me thinks so. If employees want to buy their own devices and use them for company use (sensitive contacts and data); can you have them fill out a form stating that THEY are responsible for the loss or potential breach taking the heat off of IT? Wow! So much work. So much work. Sorry. At 4am; I'm just a little bit jumpy.

Sportz

Some get around security by purchasing their own mobile devices then request access to company data through that device, raising the possibility of mixing company and personal contacts, then forwarding sensitive data to others not privy. This is especially problematic for HIPAA designated information.

paulmah

This really depends on whether the VoIP hardware supports fax. If you look at the VoIP hardware cards, some do, and some don't. Having said that, I have been using my cable-based VoIP (It's built into the cable modem) for faxing without any noticeable issues for years now. :)

paulmah

You'd have to be a bit more specific when you ask about the differences though. In a way, it's akin to comparing apples to oranges. This is because BB and WM implement their push email very differently. Generally though, the BB is still generally acknowledged as being superior in terms of the sheer number of and granularity of security policies it supports.

Chaz Chance#

Long before the invention of computers, the original mobile device, known as the briefcase full of papers, was getting left on trains, stolen, or photocopied and sent to newspapers. Why only the other day a prominent UK politician was photographed holding a top secret document in such a way that details of an anti-terrorist operation could be seen. If only he had put it in a secure manila folder, or imitation leather briefcase. It is almost as if he had wanted it to be seen. The problem has existed for a long time, it's just that because today the media tends to be electronic, foolishly the responsibility for it has been moved to the IT department. I mean, fancy expecting the same people, assigned with the task of making information available, responsible for making it not available! :) At least IT doesn't attract anarchists or people who believe that there should be no such thing as secrets. ;)

Sportz

we say "No, no, no"...then it's run up the flagpole with the moniker "business need" and they say "Yes, yes, yes"...

cousintroy

To remedy the first concern you have for us, we require a digital certificate to connect any phone to our Exchange environment and there is no way for them to request it from a server. I have to physically install the cert on their phone so that is one way we control access to sensitive email. As for the personal information on corporate phones, that is one thing that we have talked about and need to address so we are in the same boat.

Beoweolf

The unending, unexamined, breakneck acceleration of new (unproven, undocumented) formats has unfortunately allowed or at least provided an atmosphere where IT/Security professionals are being forced to compromise their networks to accommodate every college graduate's vision of The Next Big Thing. The general consensus seems to be: "Open up the network, now - then worry about security later". Many diligent network managers are being bullied into premature deployment by upper management fiat. When the inevitable happens, a breach - either through an un-patched, un-recognized exploit - the blame falls on IT/Network services regardless of their documented warning or justified reluctance. Informed caution is often mistaken as being reluctance to move at the pace of technology. In many cases, when any reasonable controls are proposed (NAP comes to mind), resistance, based on irritation or claims that it's not "that" big an issue, is proffered. The only thing you can do is increase the frequency of backups and implement an active, ongoing exercise plan with staff to make backup/restoration efficient, fast and well documented.

stevew

I, likewise, have the physical cert. But if the phone security (password) is not used and the phone is "misplaced", isn't this still the issue? Now someone else is accessing your emails and other info on your SIM or SD.

beldar33

You have hit the nail right on the head. We in IT now have technology being driven NOT BY NEED...but by social status. "My buddy is CEO of XYZ corp and he has the new Blackberry or iPhone or etc. etc. etc. and we were on the golf course and he was able to get an email! I could do so much more work if I had one of those things...I wouldn't have to be at the office anymore to work" I have as of yet to find a single client who is MORE EFFICIENT by purchasing a smart phone. What I do find is that the folks using these devices take more time away from the office doing things outside of actual work. They expect the company to foot the bill not only for the device but for the data plan etc. Then due to the nature of the devices our IT staff now has to find an extra 20% of their time to support the devices and in many instances teach the users HOW TO EVEN USE THEM! Someone please do a cost analysis of these devices in the workplace, include in said analysis the job function of the user, the time, expense and actual business use of said device. I can almost guarantee the ROI is so poor that if IT had to sell these devices to management as a new solution they would get laughed out of the meeting. I do know that there ARE jobs out there that can be helped by having one of these devices, just wish those were the only place for said technology to be utilized. PS. Your comment about the latest college graduate is so true...where did their sense of entitlement come from? Since when did the bottom of the "totem pole" dictate to the top? Is our society that messed up that we allow untrained, unproven potential employees, partners etc. to dictate business function to those with real world experience and application? Thanks Beo