With the workforce becoming more mobile, a proliferation of sensitive data is resting on thumb drives, laptops, PDAs, iPads and other personal devices. Choice is the new paradigm. And we’re using connected mobile devices more and more for a blend of personal and business tasks. This ‘consumerisation of IT’ enables a tremendous increase in productivity.
However, smart device technology being brought into corporate infrastructures is now outpacing many organisations’ ability to secure and manage new mobile devices and the information they access.
When asked to identify the most significant threats facing organisations, participants in Symantec’s New Zealand 2011 State of Security Study cited the introduction of personal devices into the workplace as creating new difficulties (43%); while 39% were worried the rise of mobile computing would increase risk. Relatively few organisations are prepared for today’s device security problems and those that lie ahead.
To learn more about mobile users’ experiences and perspectives on the consumerisation of IT, Symantec recently conducted a short survey involving participants from around the world, including Asia Pacific.
Respondents realise the productivity and satisfaction benefits of allowing employees to use smartphones of their choice for work, but don’t fully comprehend the extent of the security challenges this creates. Most think allowing employees to use smartphones of their choice either has no impact on, or only somewhat decreases, the overall security of their company’s networks and information. This indicates organisations might not be educating employees on potential security risks these devices create and how best to protect them.
Mobile device security policies and/or best practices that are being communicated primarily deal with the loss or theft of devices, with malicious apps still taking a back seat. Of those respondents who had been briefed by their employer on smartphone security policies and/or best practices, the need to password protect mobile devices was the most commonly communicated (88%), while the least were guidelines around downloading apps for smartphones (42%). Given the majority of malware for smartphones, as observed by Symantec, involves legitimate apps that have been trojanised and re-published on third-party app hosting sites, organisations need to do better at communicating policies and best practices for downloading apps.
Despite nearly half of respondents saying they are not aware of any mobile device security and/or management software or tools their company uses in relation to their devices, nearly three-fourths said they access information that could be considered sensitive or confidential with their devices.
What’s happening overseas?
Financial services firms operating in the United States have been early adopters of security technologies for several reasons. They operate in a highly regulated environment, answering to a number of requirements including the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS) and more than 40 different state laws dictating data privacy standards.
Donna Durkin, information security officer for Computershare, North America, a global services and technology provider for the securities industry that serves 14,000 corporations and 100 million shareholder and employee accounts, indicates several factors led her company to adopt data loss prevention technology, including negative media exposure its competitors received in the wake of data breaches, regulatory requirements and the need to demonstrate rigorous data protection standards to Computershare’s clients. Financial institutions are also keenly aware their customers are protective of personal data and prone to change providers if they don’t feel properly protected.
However, these lessons aren’t just relevant to the finance sector; this evolution of communication spans industries. “We actually see this at IDC,” says Brian Burke, program director for security products at analyst firm IDC. “New employees don’t use email; that’s not how they communicate. They chat, they use IM, they use social networking sites, they use the web. And they’re bringing those tendencies to the workplace.”
And research shows most data loss is inadvertent, not malicious; IDC estimates 80% of such incidents are accidental.[1] In fact, ‘employees inadvertently exposing confidential information’ is now seen as the number one threat to enterprise security among all companies IDC surveys.[2]
Top mobile security and management best practices
So, how can your customers keep both mobile devices and the data accessible through them safe? The following mobile security and management best practices provide sound guidance for individuals and organisations alike.
The consumerisation of IT will become increasingly important as we look for more effective ways to secure and manage connections without impacting employees’ productivity or confidence. A willingness to embrace new changes in the workforce and the right technology solutions can play an important role in helping us stay ahead of this trend.
[1] IDC indicates that this data point is widely accepted as an industry norm.
[2] Brian E. Burke, “Information Protection and Control Survey: Data Loss Prevention and Encryption Trends,” IDC, May 2008.