
One of the biggest drivers for enterprise mobility is the need for seamless access to information anytime, anywhere, and on any device. Employees have grown accustomed to having ubiquitous information access in their personal lives, and expect the same in their professional lives. In the past, employees would try to compartmentalize their personal and work lives, in order to protect their personal time from job encroachment. But now the opposite is true. Many employees move seamlessly between work and personal lives, and expect that their employers will support this new work paradigm.
Some enterprises struggle to create a business case that quantifies productivity gains and calculates a return on investment for mobility technology. This is very difficult to do, and most enterprises simply accept the idea that mobility results in productivity improvement. For many employees, a mobile work environment is now an expectation, analogous to the expectation that their employer will provide a local area network and Internet access. Therefore, many enterprises deploy mobility technology without any upfront justification or global planning.
Data leakage
The most profound risk to enterprise mobility is data leakage on mobile devices. Once a user transfers sensitive data to a handheld device, that data can be compromised if the handheld is lost or stolen, or the data is transferred to another device. This concern is exacerbated by the fact that the design of most mobile devices is being driven by the needs of consumers, rather than businesses, and therefore is often not suitable for the enterprise. Lastly, the mobile device has become the new network perimeter so enterprises can no longer simply rely upon firewalls in order to lock down their sensitive information.
Some organizations have a policy that requires users to encrypt sensitive data on a laptop hard drive. However, few organizations encrypt sensitive data stored on handheld devices such as the BlackBerry. This means that sensitive data on a handheld is oftentimes more vulnerable to theft. In the event of a lost or stolen handheld device, many enterprises will remotely “wipe” the device, thereby removing sensitive information. Some vendors, such as Research In Motion (RIM), enable the IT manager to remotely disable the device and restore it to factory defaults. Some enterprises have invested in technology to find lost or stolen laptops, such as Computrace’s LoJack for Laptops product.
Many organizations encrypt sensitive information that is transmitted between the handheld device and enterprise servers by using virtual private network (VPN) technology. This “in transit” encryption is typically performed while users communicate on the road or at home. A few organizations even enforce the use of VPNs while users communicate over the office wireless LAN (WLAN).
Although many organizations enforce the use of two-factor authentication on laptops, handheld authentication policies lag behind laptop authentication policies. For example, many organizations require a simple four-digit personal identification number (PIN), or no password at all. If a handheld device does not have a password, and it is lost or stolen, then any sensitive data stored on that device is easily accessible. The small size of handheld devices makes it easy for them to fall out of a pocket or purse, and thus become a security risk.
Conclusion
Data leakage on mobile devices is a major risk for virtually every enterprise. Unfortunately, handheld security policies often lag behind similar laptop security policies. This can result in security breaches and increased legal liability. Enterprises must carefully evaluate their risk tolerance, and then must secure sensitive information before users are granted mobile device access privileges.
Dexterra agrees with you, Paul; data leakage on mobile devices presents a profound risk to enterprise mobility. Couple this risk with the threat of malware and hackers on mobile devices and it's clear to people in the mobility industry why mobile security is a critical issue for enterprise IT departments. Increasingly, IT departments are supporting mobile devices across their organizations because they are proven to improve productivity. Yet at the same time, IT managers who have the professional paranoia required to guide them in locking down their IP networks seem to have shrugged at the need for mobile security.
Interestingly, about a month ago Dexterra briefed a well-known security analyst (no, not from Burton Group) who described as “overkill” the two factor authentication security precautions we created for mobile devices in the enterprise. His rationale was that despite all the hype about mobile security, there just haven’t been that many attacks. I’m curious as to when he thinks it becomes okay to be concerned about vulnerabilities on mobile devices such as smartphones. Just imagine the conversation as a CIO of a bank or securities brokerage explains to the CEO on the day the company is hit by the first big mobile malware attack that he didn’t deploy a mobile security solution because up to that point there didn’t seem to be enough malware attacks to justify the expense.
Security has long been the oxygen issue in enterprise IT systems; if it isn’t secure then it isn’t ready for the enterprise. No IT manager thinks it’s okay to risk harm to data or devices simply because there have only been a few malware attacks, or the attacks up to now haven’t been that malicious. There are mobile security precautions that can be taken, and enterprises must use them and stay on guard. We may not know the form of the first malware attack to truly harm the enterprise, but we can be reasonably sure someone, somewhere is working on it right now.
Benjamin Wesson, Dexterra
Thanks Benjamin. Virtually every IT/Security Architect that I talk to is concerned about data leakage. Unfortunately, I think it is going to take a highly publicized event like the TJX fiasco for mobile device security to improve in most enterprises.
Paul, I read your great article from Paul deBeasi where you hit spot on the drivers and risks of mobility. My opinion is that mobile users can use mobile devices safely; check out two of my latest postings, which cover some of the subjects you have exposed… Securing and Delivering Business Data on the iPhone (http://blogs.sybase.com/ithain/wp-trackback.php?p=561) and Providing comprehensive Security & Management capabilities (http://blogs.sybase.com/ithain/wp-trackback.php?p=562)
Many thanks
Ian
Hi Paul – You are so right – the data on mobile devices are incredibly vulnerable. You should check out Computrace Mobile – LoJack for Laptops will help consumers with data on their laptops, but businesses can really benefit from the GPS location/mapping capabilities that come with Computrace Mobile. Thanks!