A growing number of workers are using mobile devices, such as PDAs, smartphones and wireless laptops, to access corporate resources, capture data and take transactions to the customer. Although expediting business, this trend also raises a host of new security concerns. From viruses that target cellphones to hackers who tap into wireless networks to lost or stolen laptops, mobility increasingly puts your information assets at risk.
As soon as you associate value with a technology or a way of conducting business, you begin to see threats against it, and there are greater risks involved. That is what we are seeing with mobility.
Johan Smit, solutions architect, Unisys Africa
Mobility certainly creates value. Mobile devices are cheap to acquire and easy to use. They offer wide access to information and applications while increasing efficiency, improving customer service and enabling new business processes.
That is why organisations are deploying more and more mobile devices: handhelds that support warehouse staff, tablet PCs that empower sales reps, and cellphones that can make a reservation in a restaurant and display the menu. Today, laptops are standard issue, and employees of all stripes are acquiring and using their own PDAs and smartphones.
By the end of 2006, more than half of all business laptops were able to connect to wireless local area networks (WLANs), according to Gartner analysts. And while WLANs still carry a higher per-user total cost of ownership, their productivity benefits can make the investment worthwhile, and in new installations, they can even save money.
Technologies such as wireless communications and application virtualisation, in conjunction with the increased availability of quality bandwidth, allow for true mobility. The key to service anywhere is device independence: being able to deliver business functionality and information to users no matter what device they are using or where they are using it. Breaking the link between the user and the device makes a mobile workforce a reality.
The main attributes a service anywhere environment offers are:
* Always on-line, always secure.
* Functionality is consistent regardless of device or location.
* Applications are virtualised, centrally hosted and only used as and when required.
* Users can access any of their authorised applications from any device, corporate or non-corporate.
* A soft IP phone forms part of the user profile.
This brings new challenges.
Security threats gathering
As personal information management (PIM) devices, wireless applications and other mobile technologies gain ubiquity, the security threats redouble.
Mobile devices are often left unattended and are easily lost. User authentication may be weak or easily foiled. Wireless transmissions can be intercepted. Viruses that target mobile devices are on the rise. And as mobile devices increasingly interconnect with one another and with corporate networks, the risks multiply.
Smartphones in particular, as they gain the ability to download and run software, are becoming vulnerable to viruses.
The issue is at least partly acknowledged by businesses, in that most of them budget for at least a 20% loss or failure rate for PDAs, according to Forrester Research. META paints an even grimmer picture, estimating that only 10% of organisations have a formal and comprehensive mobile security policy. Mobile devices exist outside the security perimeter, which makes them more difficult to protect, yet at the same time they are connecting to more corporate information and applications, increasing the risk.
Start with security policies
A number of security technologies and techniques can help protect mobile devices. Authenticate users as they access the network, limit their access to only what they need, and encrypt data to protect it as it moves across the network.
The mobile device itself should also be password-protected, with lock-out after a certain number of failed access attempts. ‘Remote device kill’ can automatically lock out a lost or stolen device the next time it attempts to access the network. Also, be sure you are using common protections, such as anti-virus software and client firewalls.
Protect the information
With a growing number of devices, constantly changing mobile technologies and standards, and a rapidly evolving galaxy of threats, mobile security starts not with technology or tactics, but with policy. Develop a security policy first, and then determine what security technology will support it. For example, the policy should state what data is allowed to be accessed or stored on a mobile device, and then specify which techniques will protect that data.
Standards governing mobile security should be part of the overall security policy and plan. This needs to be part of the organisation’s master IT architecture plan and strategy, where technology aligns with critical business processes.
Information protection starts with classification. A classification scheme might categorise information as follows:
* Public – information you make externally available.
* Private – confidential data such as business plans, product designs and intellectual property.
* Secret – highly sensitive, mission-critical information, such as organisational and financial data.
* Customer records – personal and account information that may be governed by privacy laws.
You can then apply protection mechanisms across the enterprise based on data classification, regardless of the device the data resides on. Even as devices change, and even if the device is personally owned by the employee, you can limit the types of data that can be accessed and stored on it.
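As an added illustration (not code from the article or from Unisys), the following Python sketch combines the device controls described under "Start with security policies" (lock-out after repeated failed attempts, remote device kill enforced on the next connection) with an access-and-storage decision driven by the four-tier classification above. The per-tier rules, field names and the threshold of five attempts are assumptions chosen for the example, not requirements stated in the article.

```python
from dataclasses import dataclass
from enum import Enum


# Classification scheme from the article: public, private, secret, customer records.
class Classification(Enum):
    PUBLIC = "public"
    PRIVATE = "private"
    SECRET = "secret"
    CUSTOMER_RECORDS = "customer records"


@dataclass
class Device:
    """Device attributes the policy needs; field names are assumed for this example."""
    device_id: str
    corporate_owned: bool
    encrypted_storage: bool
    failed_logins: int = 0       # counted on the device, compared to LOCKOUT_THRESHOLD
    reported_lost: bool = False  # set centrally; enforced when the device next connects


LOCKOUT_THRESHOLD = 5  # assumed value; the article only says "a certain number"


def device_usable(dev: Device) -> bool:
    """Local lock-out after repeated failures, plus 'remote device kill' for lost devices."""
    return not dev.reported_lost and dev.failed_logins < LOCKOUT_THRESHOLD


def record_login(dev: Device, success: bool) -> bool:
    """Device-side counter: a success resets it, a failure counts toward lock-out."""
    if not device_usable(dev):
        return False  # already locked or killed: no further attempts change anything
    dev.failed_logins = 0 if success else dev.failed_logins + 1
    return device_usable(dev)


def report_lost(dev: Device) -> None:
    """Central 'remote device kill': the flag is checked on the device's next connection."""
    dev.reported_lost = True


def decide(dev: Device, cls: Classification) -> str:
    """Returns 'deny', 'view-only' (access but no local copy) or 'store'."""
    if not device_usable(dev):
        return "deny"
    if cls is Classification.PUBLIC:
        return "store"
    if cls is Classification.PRIVATE:
        return "store" if dev.encrypted_storage else "view-only"
    if cls is Classification.CUSTOMER_RECORDS:
        # Privacy-regulated: never stored on a personal device, encrypted-only on corporate ones.
        if not dev.corporate_owned:
            return "view-only"
        return "store" if dev.encrypted_storage else "deny"
    # SECRET: corporate-owned, encrypted devices may view it, but nothing is stored locally.
    return "view-only" if dev.corporate_owned and dev.encrypted_storage else "deny"
```

The same `decide` call serves a corporate BlackBerry and an employee's own PDA; only the device attributes change, which is the point of classifying the data rather than the device.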
Take control of the situation
Of course, it still pays to get a handle on what mobile devices are being used in your organisation. A business cannot understand its vulnerabilities if it does not know which devices various departments have issued and which devices employees are using on their own.
Consider establishing corporate standards. For example, many organisations provide executives with BlackBerries. If your business cannot do that for all workers, you could implement a purchase programme to allow employees to acquire them at their own cost. Employees benefit from a discounted price, plus company provisioning and management. The organisation benefits from a standard device that is easier to manage and protect.
Then, make sure employees understand the risks associated with mobile computing. This requires ongoing education, so a good communication relationship with employees is essential. Employees need to know what is at stake. They have to know that if they put customer information or company-sensitive information on their wireless device, then they are responsible for its security, and that if that security is breached, it is a disciplinary offence.
The business of mobile security
Ultimately, mobile security, like any information security, is a business issue. This is not an ad hoc decision for the CEO or CIO; it is a business decision that applies to the whole organisation. As such, you need objective data points to tell you what to do.
That means establishing why you have a business need for mobility in the first place. Document the anticipated benefits, and determine whether those advantages apply to the entire company or only to specific functions or users. Factor in the external threats and your internal vulnerabilities to ascertain your level of risk. Then determine how you will manage that risk.
You will never be able to apply the same level of security to all information and all devices. But if you understand the business risks associated with mobility, then you can invest appropriately in protecting your information assets – whether those assets are on your servers, on mobile devices or traversing the space in between.