A recent survey of consumers revealed an unsettling trend: The use of smart phones to access sensitive corporate information away from the office, creating huge security gaps for enterprises.
In a survey of 200 consumers conducted by market research firm Decipher Inc. and sponsored by endpoint security supplier GuardianEdge Technologies Inc., 70% said they access what they consider sensitive data on their smartphone in order to do work outside the office. Eighty-nine percent of the respondents said they can access email and other corporate information using their personal or corporate issued smartphone when not in the workplace.
Smartphone users appear to be aware of the risks involved in accessing corporate data from devices like BlackBerrys. Eighty-two percent said they were open to their company deploying security technology on either their personal or company supplied smartphone. Another 75% said they'd feel more comfortable traveling for work if their smartphone was protected with encryption.
Sheryl Harkleroad, CISSP and information technology manager at a Bay Area-based insurance brokerage, said she found it interesting and encouraging that the survey showed consumers are aware of the security implications of having corporate data on a smartphone. "If users are aware of the risks to begin with, you are ahead of the game," she said. "Many risks can be addressed with technology, but the human factor is usually the wild card. Awareness and education are paramount to strengthening the overall security posture of an organization."
Security Wire Weekly: iPhone Mania and Enterprise Security:
Tom Cross, mobile security expert with IBM's X-Force security researchteam discusses smartphone security on the heels of Apple's release of iPhone 3G. As more end users bring their smartphones into the workplace, companies need sound mobile security policies and technologies in place for data protection. Cross gives some tips for controlling smartphone use in the enterprise.
In addition, 52% of consumers surveyed believe companies should allow employees to store and access company information on personal smartphones if corporate issued devices aren't provided.
Harkleroad said her firm doesn't provide access to corporate data on non-corporate owned devices, and employees who are issued smartphones are provided with specific policy training on acceptable use of the device.
The company isn't currently using encryption technology on its BlackBerry devices, but is utilizing BlackBerry Enterprise Server, which provides centralized control of devices, including forced password protection and the ability to remotely wipe a device if it's stolen or lost. Harkleroad plans to evaluate encryption technology for smartphones in the next 12 months to follow up the full-disk encryption the company deployed on its notebooks.
The University of Louisville in Kentucky is also taking steps to reduce the risks associated with smartphones. The university is in the process of deploying GuardianEdge Smartphone Protection to its faculty members and staff. The deployment will eventually reach 2,500 devices.
"More and more of our workforce is becoming mobile and the majority is using smart phones," said Brenda Gombosky, director of enterprise security at the University of Louisville. "They're using them not just for email, but to store important records and files. That leads to concern about potential data loss, but you also lose control from a centralized technology standpoint."
A large health science community at the university deals with data that could potentially fall under HIPAA requirements while faculty members have student information that must be kept secure.
The University of Louisville had already worked with GuardianEdge Technologies Inc. to deploy its full-disk encryption to laptops and desktops, and saw the company's smart phone protection as a natural choice, Gombosky said. The product provides centralized control linked to Microsoft Active Directory for Windows Mobile, Palm OS and Pocket PC-based devices. The university counts many Palm Treo users.
The university takes a layered approach to security, Gombosky said, adding, "This is another tool we can add to our tool box."
In Information Security magazine's Priorities 2008 survey, 69% of 619 respondents ranked protecting mobile devices like BlackBerrys and PDAs as important or very important.
In a recent interview with SearchSecurity.com, Tom Cross, X-Force researcher at IBM, offered advice for businesses dealing with the proliferation of mobile devices like BlackBerrys and Apple iPhones. He recommended that companies set up a process employees can follow if they lose a device, including a point of contact to get the device wiped remotely.
Cross also suggested deploying firewalls and intrusion detection systems (IDS) at VPN endpoints. The firewall should limit the Internet sites a smartphone can access, while the IDS can inspect traffic coming from the device to detect attacks.