What kind of security policies do you enforce on mobile devices and smartphones that employees bring into the office? Are unsecured mobile devices opening up a backdoor into your corporate network?
A study conducted by Credant Technologies shows that the use of mobile phones or devices for work-related matters is on the upswing. In a manner, this is surely good news, since what it means is that workers are increasingly being able to maximize their time -- especially since shipments of smartphones have been projected to continue increasing.
Some of the statistics from the survey are as follows:
- 35 percent receive and send business e-mail
- 30 percent use them as a business diary
- 17 percent download corporate information, such as documents and spreadsheets
- 23 percent store customer's information
In all, 600 commuters were interviewed at London railway stations. Interestingly, while 99 percent use their personal phones for some sort of corporate use or other, a quarter of them have actually been asked by their employer not to do so. The reason for that is simple enough -- the possibility of losing one's mobile phones to theft or carelessness could open the way to devastating data leaks.
In addition, unlike laptops where stored information is usually limited to whatever is on the hard disk, mobile devices are increasingly equipped and configured to tap into storage repositories and databases inside the corporate network.The use of unsecured mobile devices
What I thought to be of particular concern here is the fact that 40 percent surveyed in this random sample failed to protect their mobile phones with even a rudimentary password. Extrapolating from this lack of security consciousness, the contents of media cards itself are likely to be similarly unprotected. I would not be surprised if the percentages of users without password or encryption were similar elsewhere.
The glaring problem here is that most mobile phones and many smartphones do not have inherent support for the security controls necessary for an enterprise lock down. Various solutions are available depending on the mobile platform used, with the RIM BlackBerry and Microsoft's Windows Mobile leaving the rest pretty much in the dust at the moment. Of course, a BlackBerry or Windows Mobile smartphone that is not configured -- or improperly configured -- remains unsecure.
To fill the gap for other platforms such as Palm OS and Nokia's S60, a number of third-party applications that provide security controls for them do exist. One such example would be Good Technology's Good for Enterprise application suite. Recently acquired by Vosto, the software suite brings enterprise device management and security -- among other features -- to a number of platforms and has native clients for Windows Mobile, Palm, and Symbian S60 devices. Yet other solutions would be Sybase iAnywhere or DataViz RoadSync. The caution here is that these are not specifically created to implement security, though they do offer some form of limited encryption (iAnywhere) or remote device wipe (RoadSync).
Whatever the approach, a deliberate strategy needs to be put into place to eliminate the presence of unsecured mobile device's ability to access the corporate network.The absence of a mobile usage policy
While computer usage policies are common in organizations by now, the situation is different when it comes to policies pertaining to the usage of mobile devices. As it is, mobile usage policy needs to be in place and followed by the implementation of security controls. This is hardly as easy as it appears to be, since these controls have to span the entire organization hierarchy in order to be effective. In addition, loss remediation procedures need to be drawn up and made known.
Finally, another obvious action would be to educate all staff of the security and legal implications of downloading sensitive information to their own personal and corporate phones. An altogether more draconian approach would be to forbid employees to use their own phones for corporate purpose -- though its effectiveness is questionable unless corporate devices are furnished by the company.
In conclusion, mobility is expanding the corporate network far beyond the boundaries of the enterprise firewall. CIOs and administrators need to give a lot more thought into what needs to be done to address this enlarged network, and they need to get on with it quickly.