Securing the mobile enterprise
No room for complacency
Now that corporate governance is the topic of the moment, everyone is much more aware of the importance of maintaining the integrity of important business data, writes Bloor Research analyst Fran Howarth. Not only are company executives personally facing severe sanctions if the business data that they publish is erroneous, but theft of this data can also cost businesses dearly.
Many companies are taking steps to beef up the security of their core business infrastructure and are expanding their auditing activities to ensure that business information is held, exchanged and disposed of securely. However, enterprises are increasingly relying on mobile devices - and this is an area where companies are still paying scant regard to security.
The use of mobile devices is expanding rapidly in business and they are now considered essential business tools - for everyone from top executives to sales and maintenance workers in the field. Yet such devices are at high risk of loss, theft and unauthorised access and use. They contain data and user credentials that may be business critical, and which can be used to penetrate an organisation's network.
A recent survey by security vendor PointSec of business users of mobile devices indicated that most users store their PIN numbers and passwords directly on the device, and most also use them to connect to the corporate network. However, in the same survey, 40 per cent of respondents admitted to having lost a mobile phone, and 25 per cent to losing a laptop computer. PointSec also quotes a survey by Network World in which 91 per cent of corporate respondents cite security as the number one concern with mobile devices.
When companies put in place policies and technologies for mobile security, they must ensure that the schemes that they develop are enforceable and used by all - the security of an enterprise is only as good as its weakest spot. For example, employees might be required to always use anti-virus technology.
Companies should train their users in the need for security and should make them read security policies set by the company - and sign that they have read and understood these policies. The policy should also set out minimum standards required of employees - not only should they have anti-virus software always running, but it should be made compulsory for them to ensure that they have installed the latest updates to such software.
Security policies for mobile devices should include the need for strong authentication of users - if users are going to store their passwords or PIN numbers on a mobile device, then password protection by itself is not enough. Companies should think about demanding the use of secondary authentication, perhaps a smart card or a SecurID.
Vendor PointSec has come up with an interesting solution to the problem of passwords on mobile devices - it has developed a system whereby users click on a series of pictures in a certain order, which users are finding much easier to remember than passwords. It can also prevent the problem of people gaining passwords by looking over someone's shoulder, since the icons will appear on different parts of the screen each time.
With the technology that PointSec has available for mobile devices, it is making mobile security provable. Security is not left to user discretion - all data is encrypted automatically, regardless of location, and all security events are fully logged. For added security, the duties of system administrators and security personnel are separated - bearing in mind that the greatest security threats to organisations come from inside their walls.
For users, not only is encryption automatic and transparent, but there is no need for intervention by IT resources or even for them to be trained in the use of the technology. PointSec's solutions are also managed and enforced centrally, making it impossible for anyone to access data without the correct authentication.
With the threat of attacks, such as worms and hacks, growing exponentially, security is becoming an even more pressing issue for businesses than ever before. Companies need to realise the importance of the mobile networks and apply the same rigorous security standards to these devices as to their core infrastructure systems. Businesses can no longer afford to be complacent.