Making Security Count
By Samuel Greengard | Posted 2009-10-26
There’s no sense bemoaning the proliferation of mobile devices in the enterprise. That ‘genie’ escaped years ago. Now it’s up to IT executives to manage the myriad mobile devices used by employees, develop coherent usage policies and deploy security to protect corporate assets.
Although mobility offers compelling advantages, it also presents an array of security concerns. For example, it’s estimated that 70 percent or more of enterprise data now resides in some form on mobile devices. Remarkably, approximately three out of four organizations lack comprehensive formalized policies for dealing with mobile devices and data.
As workers try to connect their personal devices to a corporate network and access Microsoft Exchange Servers and other applications, the potential headaches mushroom. Typical corporate asset management and security issues are also magnified by the fact that mobile and wireless devices travel beyond the physical boundaries of the enterprise. Moreover, content streams past the corporate firewall, and smartphones and computers are easily lost or stolen. There’s also the issue of ensuring that devices can no longer be used to access corporate data after an employee leaves the company.
When IDC asked business leaders whether their organizations have deployed mobile device management tools to track handheld devices used by employees, only 53 percent answered yes. Although this figure is a major improvement over 2008, when only a third of companies had management and security systems in place, it still translates into a huge risk. As Ryan puts it, “Mobile management and security are closely linked.”
In fact, Vodafone UK found that 25 percent of all businesses have experienced security breaches as a result of employees using their laptops and mobile devices outside of work—and essentially ignoring company policies. Moreover, half of all workers weren’t aware that different policies exist for using devices and systems for work versus outside of work. No less unsettling: One-third of the respondents either didn’t know their organization had an IT policy or they had never read it.
Administration and security issues are inextricably linked at Addison Avenue Federal Credit Union, which serves 140,000 members at companies scattered across 10 states and Puerto Rico. It also reaches members around the world through its online channels. Three years ago, the company, based in Palo Alto and Rocklin, Calif., developed a policy framework for meshing business requirements with a mobile strategy.
“We spent a lot of time talking to users, and we put a control group in place to better understand how they use devices,” says Ken Smith, director of customer support and information security. From this, the firm created a policy document for its employees, including the sales force. This led to specific administration and security strategies.
Addison Avenue divides mobile accounts into two tiers: company-liable and employee-liable. The organization owns the devices and phone numbers for the first group. “We pay the bills,” Smith says. The second group, however, required a bit more analysis. “These individuals select and provision their own device,” he says. “They get the bill, and we reimburse them for certain uses. We know that they do need to use the device for business purposes from time to time.”
That meant defining a set of standards and security policies—and ensuring that the employees understood and acknowledged them. Whereas a BlackBerry Enterprise Server provides much of the protection needed for the company-owned BlackBerry devices, Addison Avenue is testing security for other devices, including iPhones and Windows Mobile smartphones. In addition, the company uses device locks for time-outs and has remote management and wipe capabilities on company-issued devices.
IDC’s Ryan says the ability to track and lock devices, encrypt data and use a remote-wipe feature is essential. “Smartphones, netbooks, notebooks and other devices constantly go missing,” he points out. “With the amount of data stored on these devices—and the ability to access enterprise applications and databases—there’s no margin for error.”
Moreover, the right software slides the dial on device management from policy to practice. There’s no possibility of employees forgetting or sidestepping a rule. Finally, organizations can implement blocking features or lock down specific components, such as camera phones, that may pose a security risk.