Without enforcement, a mobile device security policy alone falls short

Experts say an enterprise mobile device security policy alone will fall short without the technology to enforce it.

Personal technology is often a step or two ahead of the security checks that enterprises put in place. This is particularly true of mobile devices, where new devices are emerging almost as quickly as the security vulnerabilities that affect them.

“In the current BYOD [bring your own device] era, the single biggest challenge that enterprises face is protecting critical corporate data on handheld devices,” said Jack E. Gold, principal analyst at J. Gold Associates, an IT consulting firm in Northborough, Mass.

A common scenario: during lunch, an enterprise employee travels to the local store, examines half a dozen tablets, selects one, returns to work, and starts using the device to access corporate data. These steps are often taken without the IT department’s knowledge or blessing.

Yet, many corporations' decision makers think that because their respective companies' mobile device security policy does not condone such practices, white-collar workers do not store company data on personal devices.

“Whenever audits are conducted, businesses are surprised at how many employees use personal handheld devices for work-related activities,” noted Phillip Redman, research vice president at Stamford, Conn.-based research firm Gartner Inc.

Gartner forecasts that by 2014, 80% of mobile professionals will use at least two personal devices to access corporate systems and data, many preferring their own smartphones and tablets to those devices provided by the company.

As a result, businesses find themselves in a precarious position. Once staff members turn on their smartphones or tablets, they start using the device like a PC. They access business applications, store company data on thumb drives, and copy and paste information from corporate databases -- and they do so in a cavalier fashion.

“Employees usually are not very concerned about securing company data,” Gold said. “Instead, they complain when the corporation puts safeguards in place that interfere with how they work.”

This attitude can cause several problems. Consumer handheld devices often do not have any security software. Consequently, there is no barrier preventing employees from connecting to any number of virus-laden websites, downloading malware, and spreading it to other systems on the enterprise network. Also, the constant flood of mobile device flaws often enables malicious hackers to gain access to a user's handheld easily through a variety of methods and obtain sensitive or proprietary information on the device itself or even elsewhere on the corporate network, such as company billing data, Social Security numbers, customer credit card numbers, or pricing information.

Because these devices are so portable, workers carry them everywhere, and sometimes they lose them. If the user has ignored the organization's mobile device security policy and there is no technology layer, such as encryption software, to back it up, all a crook has to do is turn the device on, sift through the confidential information, and have himself a party.

In response, enterprises have been on the lookout for products in the areas of mobile device management, user authentication and secure gateways to help monitor handheld devices and lower their potential exposure. A number of vendors, including 3LM Inc., BoxTone, Enterproid, Inc., Good Technologies Inc., Numara Software Inc., Research in Motion Ltd., Sybase Inc., Tangoe Inc., VMware Inc., and Zenprise Inc., offer products that help enterprises manage these new consumer/business devices.

These suppliers have taken a few approaches in dividing personal and business information on handheld devices. Some products segregate personal and corporate data by creating a buffered “data lock box” with a different user interface on the handheld device. In other cases, they sequester the company data but offer users a consistent interface between their personal and corporate information.

The management systems help companies enforce mobile policies. For instance, they can block users from copying and pasting information from a database into a personal mail system, like Google Inc.’s Gmail.

While beneficial, the products are more a stopgap to plug holes in today's enterprise mobile device security policy enforcement capabilities than a long-term fix.

“To be effective, security functions have to be built into mobile operating systems,” noted Gold. Currently, only the Research in Motion BlackBerry platform has such capabilities. Google has begun pushing its Android platform in that direction, but Apple and Microsoft have put other enhancements higher on their priority lists.

As a result, the experts say, enterprises need to recognize that a mobile device security policy alone is not a viable option, and put security checks in place to enforce that policy, or else employees will continue to carry sensitive data out the front door at the end of the workday.

About the author:
Paul Korzeniowski is a freelance writer specializing in technology issues. He is based in Sudbury, Mass., and can be reached at paulkorzen@aol.com.
