BYOD: A new security paradigm
With the workforce becoming more mobile, a proliferation of sensitive data is resting on thumb drives, laptops, PDAs, iPads and other personal devices. Choice is the new paradigm. And we’re using connected mobile devices more and more for a blend of personal and business tasks. This ‘consumerisation of IT’ enables a tremendous increase in productivity. However, smart device technology being brought into corporate infrastructures is now outpacing many organisations’ ability to secure and manage new mobile devices and the information they access.

When asked to identify the most significant threats facing organisations, participants in Symantec’s New Zealand 2011 State of Security Study cited the introduction of personal devices into the workplace as creating new difficulties (43%), while 39% were worried the rise of mobile computing would increase risk. Relatively few organisations are prepared for today’s device security problems and those that lie ahead. To learn more about mobile users’ experiences and perspectives on the consumerisation of IT, Symantec recently conducted a short survey involving participants from around the world, including Asia Pacific.

Key findings

Respondents realise the productivity and satisfaction benefits of allowing employees to use smartphones of their choice for work, but don’t fully comprehend the extent of the security challenges this creates. Most think allowing employees to use smartphones of their choice either has no impact on, or only somewhat decreases, the overall security of their company’s networks and information. This indicates organisations might not be educating employees on the potential security risks these devices create and how best to protect them. The mobile device security policies and/or best practices that are being communicated primarily deal with the loss or theft of devices, with malicious apps still taking a backseat.
Of those respondents who had been briefed by their employer on smartphone security policies and/or best practices, the need to password protect mobile devices was the most commonly communicated (88%), while the least commonly communicated were guidelines around downloading apps for smartphones (42%). Given that the majority of malware for smartphones, as observed by Symantec, involves legitimate apps that have been trojanised and re-published on third-party app hosting sites, organisations need to do better at communicating policies and best practices for downloading apps. Despite nearly half of respondents saying they are not aware of any mobile device security and/or management software or tools their company uses in relation to their devices, nearly three-fourths said they access information that could be considered sensitive or confidential with their devices.
- 73% of the potentially sensitive or confidential information accessed by respondents is competitive or proprietary data.
- 67% is personally identifiable information.
What’s happening overseas?

Financial services firms operating in the United States have been early adopters of security technologies for several reasons. They operate in a highly regulated environment, answering to a number of requirements including the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS) and more than 40 different state laws dictating data privacy standards. Donna Durkin, information security officer for Computershare, North America, a global services and technology provider for the securities industry that serves 14,000 corporations and 100 million shareholder and employee accounts, indicates several factors led her company to adopt data loss prevention technology, including the negative media exposure its competitors received in the wake of data breaches, regulatory requirements, and the need to demonstrate rigorous data protection standards to Computershare’s clients. Financial institutions are also keenly aware their customers are protective of personal data and prone to change providers if they don’t feel properly protected.

However, these lessons aren’t just relevant to the finance sector; this evolution of communication spans industries. “We actually see this at IDC,” says Brian Burke, program director for security products at analyst firm IDC. “New employees don’t use email; that’s not how they communicate. They chat, they use IM, they use social networking sites, they use the web. And they’re bringing those tendencies to the workplace.” And research shows most data loss is inadvertent, not malicious; IDC estimates 80% of such incidents are accidental.[1] In fact, ‘employees inadvertently exposing confidential information’ is now seen as the number one threat to enterprise security among all companies IDC surveys.[2]

Top mobile security and management best practices

So, how can your customers keep both mobile devices and the data accessible through them safe?
The following mobile security and management best practices provide sound guidance for individuals and organisations alike.
- Encrypt data on mobile devices – proper encryption technology loaded on devices prevents thieves from accessing sensitive data.
- Use security software on smartphones – security software designed for smartphones can stop hackers and prevent cybercriminals from stealing information or spying on mobile users on public networks. It can also eliminate annoying text and multimedia spam messages. Further, it can detect and remove viruses and other mobile threats before they cause problems.
- Develop and enforce strong security policies for using mobile devices. It’s also important to enforce password management and application download policies for managers and employees.
- Keep all software on devices up-to-date, especially security software. This will protect the device from new variants of malware and viruses that threaten a company’s critical information. Implementing mobile management technology can also ease this process.
- Processes to deactivate a lost or stolen device and protect its information from intrusion should be in place. These processes can also be automated by products, allowing small businesses to breathe easier after such incidents.
- Avoid opening unsolicited text messages from unknown senders – attackers can use texts to spread malware, phishing scams and other threats among mobile device users.
- Click with caution – social networking needs to be conducted with care. Mobile device users shouldn’t open unidentified links, chat with unknown people or visit unfamiliar sites. All the same best practices applied to social networking on PCs should be applied to network connected mobile devices.
- Focus on protecting information rather than solely focusing on the mobile devices themselves – IT departments should take a step back and look at where the organisation’s information is stored and protect those areas accordingly.
- A well-managed device is a secure device. Organisations should consider implementing mobile management software to ensure all devices connecting to their networks are policy compliant and free of malware.
The consumerisation of IT will become increasingly important as we look for more effective ways to secure and manage connections without impacting employees’ productivity or confidence. A willingness to embrace new changes in the workforce and the right technology solutions can play an important role in helping us stay ahead of this trend.

[1] IDC indicates that this data point is widely accepted as an industry norm.
[2] Brian E. Burke, “Information Protection and Control Survey: Data Loss Prevention and Encryption Trends,” IDC, May 2008.