Mobile Device Security III: Employee-Owned Device Risks
Employees are excited to bring their device to work and sync to the network. Syncing means they can work remotely, checking corporate e-mail, documents, and contact lists from their PDA or smartphone while at home, at a customer site, or in their car.
Do you see a pattern here? The information is corporate, the device is personal, and the security is non-existent.
Corporate Security vs. Mobile Devices
How should a company handle the issue of security versus the popularity of PDAs and smartphones? Although these tools have the potential to help staff and increase productivity, they leave organizations unprotected from possible interruptions, data theft, and regulatory compliance headaches.
The reality is that devices have made their way through the enterprise and are becoming more capable and useful. As a result, employees are looking to them as business helpers and, in some cases, notebook replacements. Some even argue that personal devices used for corporate network access can actually lower costs for the organization, particularly if the employees are purchasing the devices, software and accessories with their own money.
Unfortunately, this perspective ignores the support costs and risk costs associated with unsecured devices in an otherwise secure network environment.
According to a survey conducted by Bluefire Security Technologies in late 2005, 74.6 percent of respondents currently use a mobile device for personal or business communications, while 90 percent of the total respondents state that corporate and network access should require security.
Employers have attempted either to ban employee-owned devices or simply ignore them as a trivial problem, a tactic which has been met with resistance and usually failure. Those that have ignored these devices are merely postponing the headache until a later day, possibly after a server crash, database corruption, or security breach.
Gartner predicted in its report last fall, Findings From the 'Consumer and Internet' Research Meeting: Putting 'Personal' Back Into the Enterprise Use of PCs, that the "consumerization of IT," flexibility and economics will drive more enterprises to encourage (through incentive and stipends) employee ownership of personal computing devices. If this is the case, there are challenges that the enterprises will face. These challenges include:
The Solution
While most respondents to Bluefire's survey stated that corporate and network access security is a must, 62.3 percent said that their organization allows personal devices to be used within the corporate network.
So how can we reconcile the productivity gains of using mobile devices with the risks? There are three solutions (EEE) to the PDA/smartphone service vs. security dilemma:
Elimination
Eliminating personal devices in the workplace will realistically never happen, except perhaps for government employees who must walk through metal detectors every time they enter the workplace. Otherwise, employees will find ways to bring their devices to work and will sync to the network until they are reprimanded (and may even continue to do so anyway).
Establish & Enforce Security Policies
At its root, this means establishing a policy that allows for the approved use of devices. The word 'use' can have many meanings, however.
Some enterprises may choose to define use as storing and using information on the device. This sounds simple enough, but it obviously has security risks if the device is lost or stolen.
Another definition for 'use' is wirelessly attaching to the Internet or the corporate network, typically for synchronizing calendar, contacts, and e-mail. In other cases, customers have defined use along very specific lines, like use of a specific application (e.g., CRM) and access to specific databases on corporate servers.
In any case, the policy should cover the type of information residing on the device, the software that should be placed on the device, and what network resources can be accessed.
With many policies, the definition of use is only the first part. The second is the requirement for allowing approved uses. Typical models include registering users who want access to the network or the Internet and perhaps requiring the use of basic security software, like anti-virus, VPN (virtual private network), and firewall software for mobile devices.
Corporate Purchased Devices
The final possibility is for the organization to buy the devices for employees or provide an approved list of devices for employees to purchase. If the organization purchases and provides the devices to employees, it has greater control over what software or information is being placed on the device and what is being protected.
Although each company and industry is different, Bluefire's experience is that in the near term and certainly in the long term, the additional cost is worth the trade-off against security risks, unintended support calls and costs, regulatory and other liabilities.
While there are a number of point products designed to protect against lost and stolen devices, we strongly recommend a complete mobile security solution. This solution not only protects against lost devices, but also provides defense against wireless attacks, malicious code, spyware, and data theft. When it comes to mobile security, must-haves for the devices include:
Incorporating mobile devices into a corporate infrastructure is highly beneficial. Employees can work remotely all the while staying up-to-speed with contacts, co-workers, and e-mails. Just make sure that if the devices are employee-owned, they are also properly secured.