Mobile Device Security III: Employee-Owned Device Risks

You've seen them in the lunchroom, by the water cooler, and in the conference rooms. They're small, colorful, powerful, and maybe even sexy. And they help us stay connected and up to date all the time. Yes, I'm talking about employee-owned PDAs and smartphones.

Employees are excited to bring their devices to work and sync them to the network. Syncing means they can work remotely: checking corporate e-mail, documents, and contact lists from their PDA or smartphone while at home, at a customer site, or in their car.

Do you see a pattern here? The information is corporate, the device is personal, and the security is non-existent.

Corporate Security vs. Mobile Devices
How should a company balance security against the popularity of PDA and smartphone tools? Although these tools have the potential to help staff and increase productivity, they leave organizations exposed to possible interruptions, data theft, and regulatory compliance headaches.

The reality is that these devices have made their way into the enterprise and are becoming more capable and useful. As a result, employees are looking to them as business helpers and, in some cases, notebook replacements. Some even argue that personal devices used for corporate network access can actually lower costs for the organization, particularly if the employees are purchasing the devices, software, and accessories with their own money.

Unfortunately, this perspective ignores the support costs and risk costs associated with unsecured devices in an otherwise secure network environment.

According to a survey conducted by Bluefire Security Technologies in late 2005, 74.6 percent of respondents currently use a mobile device for personal or business communications, while 90 percent of the total respondents state that corporate and network access should require security.

Employers have attempted either to ban employee-owned devices or to simply ignore them as a trivial problem, a tactic that has been met with resistance and usually failure. Those that have ignored these devices are merely postponing the headache until a later day, possibly after a server crash, database corruption, or security breach.

Gartner predicted in its report last fall, Findings From the 'Consumer and Internet' Research Meeting: Putting 'Personal' Back Into the Enterprise Use of PCs, that the "consumerization of IT," flexibility and economics will drive more enterprises to encourage (through incentive and stipends) employee ownership of personal computing devices. If this is the case, there are challenges that the enterprises will face. These challenges include:

  • Enterprise liability for employee-owned devices: When employees can connect their PDAs to the corporate network and the Internet, and both personal and company information are stored on the same device, that device is not managed or protected by the enterprise. Federal regulations, such as Sarbanes-Oxley, require organizations to protect sensitive corporate information at all times and assign liability and penalties to organizations that ignore them.

  • Mobile devices are vulnerable to multiple attacks: As handhelds become more common vehicles for enterprise data delivery, they also become a more popular target for attacks, including permanently damaging applications on the device, use of the device for unauthorized access to networks and premium calling numbers, and propagating malware to other PDAs and smartphones without the knowledge of the owner.

  • Supporting unmanaged devices has its own costs in time and money: If securing devices is ignored, unbudgeted support costs, the lack of standardization, and the huge security threat of unmanaged interaction with enterprise data repositories will eventually cost the organization time and money.

  • Network vulnerability: In addition to the risk to the device and the cost of support, the corporate network is vulnerable every time an unsecured device connects. If securing the handheld is ignored, a backdoor to the enterprise is created that can be easily reached from mobile devices and the Internet, exposing the network to viruses, spyware, hackers, and data corruption or theft.

The Solution
While most respondents to Bluefire's survey stated that corporate and network access security is a must, 62.3 percent said that their organization allows personal devices to be used within the corporate network.

So how can we reconcile the productivity gains of using mobile devices with the risks? There are three solutions (EEE) to the PDA/smartphone service vs. security dilemma:

  • Eliminate personal devices in the workplace.
  • Establish and enforce security and use policies that employees with personal devices must follow.
  • Elect to buy the devices on behalf of the enterprise, or provide an approved list of devices for employees to purchase through the company, and thereby take over some measure of ownership, support, and control.

Eliminating personal devices in the workplace will realistically never happen, except perhaps for government employees who must walk through metal detectors every time they enter the workplace. Otherwise, employees will find ways to bring their devices to work and will sync to the network until they are reprimanded (and may even continue to do so anyway).

Establish & Enforce Security Policies
At its root, this means establishing a policy that allows for the approved use of devices. The word 'use' can have many meanings, however.

Some enterprises may choose to define use as storing and using information on the device. This sounds simple enough, but it obviously carries security risks if the device is lost or stolen.

Another definition of 'use' is wirelessly connecting to the Internet or the corporate network, typically to synchronize calendar, contacts, and e-mail. In other cases, customers have defined use along very specific lines, such as use of a specific application (e.g., CRM) and access to specific databases on corporate servers.

In any case, the policy should cover the type of information residing on the device, the software that should be placed on the device, and what network resources can be accessed.

With many policies, the definition of use is only the first part. The second is the set of requirements for allowing approved uses. Typical models include registering users who want access to the network or the Internet and perhaps requiring the use of basic security software, such as anti-virus, VPN (virtual private network), and firewall software for mobile devices.

Corporate Purchased Devices
The final possibility is for the organization to buy the devices for employees or to provide an approved list of devices for employees to purchase. If the organization purchases and provides the devices to employees, it has greater control over what software and information are placed on the device and over what is being protected.

Although each company and industry is different, Bluefire's experience is that in the near term, and certainly in the long term, the additional cost is worth the trade-off against security risks, unintended support calls and costs, and regulatory and other liabilities.

While there are a number of point products designed to protect against lost and stolen devices, we strongly recommend a complete mobile security solution. Such a solution not only protects against lost devices, but also provides defense against wireless attacks, malicious code, spyware, and data theft. When it comes to mobile security, must-haves for the devices include:

  • Firewall: secures the device from attacks and malicious code.
  • VPN: provides a flexible means of ensuring secure communications for any wireless data traffic.
  • Authentication: ensures that unauthorized persons cannot access the device if it is lost or stolen.
  • Data encryption: ensures that information is not stolen, either physically or electronically.
  • Anti-virus: protects the device from viruses and malware.

Incorporating mobile devices into a corporate infrastructure is highly beneficial. Employees can work remotely while staying up to speed with contacts, co-workers, and e-mail. Just make sure that if the devices are employee-owned, they are also properly secured.
