MOBILE DEVICE SECURITY
Understanding the potential risks ...
Posted by Andrew Spencer on 18/01/2012 @ 08:30
The number of personal mobile devices being used by employees is growing dramatically, whether purchased by the individual or by the company. They are increasingly being used to access corporate email systems and corporate data...
This applies both to enterprises and to small to medium businesses. CIO magazine quotes a Forrester report that predicts that £6.5 billion will be spent by CIOs in the States on iPads alone in 2012, on top of the £6 billion last year. Now that's a lot of iPads! Most business people now carry smartphones, used to transport their office with them 24/7 wherever they are, even if/when they are not using a tablet or laptop.
But how secure are these devices, and what are the potential risks and implications for businesses? Personal devices are enormously flexible and useful; however, they are easily lost, stolen etc. How well protected is the business from such loss? A survey by a security company found that over half the respondents did not protect their phones with a password or PIN. Given how many people are carrying corporate data such as email, contacts etc. on their phones, this is disturbing.
The biggest potential risk to the business of a lost personal device such as a phone or tablet is data breaches or data leaks. The following factors should be considered by those responsible for the security of the company's personal devices:
- Device theft/loss increases with portability:
It is easy to leave them in taxis, planes or anywhere you put them down! Loss can easily lead to data compromises if data lives on the device and there is casual access to data such as email. Losing a device that allows casual access to data is almost certainly worse than losing a wallet. Emails on the device can reveal a wealth of information about colleagues, contacts, clients, the company and indeed the person carrying the device - competitive information, salaries, system passwords, names, addresses. The list is endless. Personal data that can potentially be gleaned from the device includes where the person banks, where they live, names of family members ...
- Mobility and portability increase threats to data protection:
As well as preventing casual access through password or PIN protection, the threat of pro-active attacks on the device should be borne in mind. Companies rightly take data protection seriously and mobile devices should be a concern in this context.
- Malware is increasingly targeting mobile devices:
Malware attacks have the ability to get to the heart of the device and bypass local security. Personal devices that allow the user to download any of the over 1 million available apps are a ripe source of infection.
There are legal implications if a mobile device is compromised. Data protection has already been mentioned; a compromised mobile device could lead to loss of personal data covered by the Data Protection Act, and that could land the company in trouble with the Information Commissioner.
In addition, employee misdeeds could land the company in trouble. Employees will use their personal devices to do things not related to work, such as storing personal data, accessing third party content, media and applications, downloading content etc. It is not uncommon for data held on a personal device to have questionable copyright. If this data can reach the corporate network or co-exists with corporate data, there may be legal implications for the company.
So what do companies do about these threats to their business? How many have IT security policies that cover personal mobile devices, whether they are privately owned or corporately owned? How many support personal devices, again irrespective of ownership?
Two recent research projects shed light on this. One reports that 21% of companies have no policy or support for personal mobile devices used by their employees; the second (a Forrester report published in 2011) revealed that 28% have no support (31% in Europe).
This report provides further illuminating information. In Europe, 11% of respondents provide IT support for all devices - a low figure given that if you do not fully support devices you cannot control them. 13% support certain types/models, 16% provide limited support to all devices and 10% provide limited support to certain devices.
Quite a high proportion of companies prohibit the use of personal devices accessing the corporate environment - 14% in Europe. 4% have absolutely no official policy at all and of course provide no support.
The concern here is that anything other than complete support for personal devices that are to be used in conjunction with the corporate network or environment risks, to a greater or lesser extent, compromise and damage to the company. However, formulating and applying a workable, practical policy is very difficult - I'll talk about this in some depth next time.
In the meantime, if you'd like more information on mobile device security in the workplace, please call me on +44 (0) 1908 565460.
Until next time ... 
ANDREW SPENCER
During Andrew's extensive business career he has worked in a wide cross section of companies, specialising in the creation of contact centres and business systems, software development, telecommunications and project management. Andrew's key skills are:
- Business planning and strategy
- Matching technology to business needs
- Project management
- Software development and implementation
- Designing and implementing business systems
His work has included sourcing and implementing a new integrated telecoms system for National Energy Services, designing and project managing a new IT and telephony structure for the Greyhound Racing Association, and directing technology development for Wembley plc.