Dangers lurking in mobile devices

Smartphones, tablets don’t provide same data protection as laptops
By Nick Galletto, Steve Rampado and Kareen Proudian
Canadian HR Reporter | Last Updated: 11/08/2011

Finding work-life balance used to mean segregating the two so there was no overlap, ensuring that “work” didn’t seep into “life.” But that definition seems almost quaint today. Smartphones and tablets mean constant connectivity to the workplace — and for a growing proportion of employees, that’s just fine. In fact, many people feel work-life balance is not undermined by 24-7 connectivity, it’s enabled by it. But how can organizations protect networks, data and the devices themselves when the office is everywhere?

IT departments are seeing increased demand for support of personal mobile devices. Not only the younger generations but technology enthusiasts in the most senior ranks want and expect to use the newest portable devices to access corporate information.

In many cases, they’re doing it whether it’s sanctioned or not — 80 per cent of smartphone users access their employer’s network without permission and 59 per cent do so daily, according to a 2010 survey by Juniper Networks.

For many people, it’s not just a question of desire — widely distributed employees need mobility support to do their jobs effectively.

With employees increasingly permitted to use employee-owned as well as employer-provided devices across a range of platforms (such as iOS and Android) to access the corporate network, security concerns have emerged. The problem is this: Although smartphones and tablets may perform the same functions as laptop computers, they don’t provide the same level of data protection. Many devices, operating systems and applications don’t meet corporate policies and standards for sourcing, security and configuration.

Policies haven’t caught up with demand and the gap is widening as organizations are pushed to adopt socially connected applications and mobile support. As a result, corporate and personal information is not being adequately protected from a growing list of threats, including:

Malware: This includes viruses, worms, Trojans and spyware. Several recent instances of commercial spyware, which can pose a great risk to the security of corporate data, were targeted specifically at BlackBerry devices, according to a 2010-2011 report from Juniper.

Direct attacks: These exploit the device to gain control over its functions and data or render the device or components unusable via denial-of-service.

Loss and theft: This occurs with alarming frequency. One in 20 of the millions of mobile devices protected by Juniper’s security systems has been lost or stolen.

Data communication interception: This is also known as “sniffing” data as it is transmitted and received via Wi-Fi networks.

Exploitation and misconduct: This occurs when the device and network are exposed through inappropriate or illegal personal use (such as downloading uncertified applications or using jailbroken devices that compromise or circumvent the security controls of operating systems).

Good mobility management required to address threats

To address these and other threats, good mobility management should be part of an effective enterprise security management program. Not only will this protect sensitive data from malicious attacks and human error, it will help organizations comply with changes to Canadian privacy legislation. Mandatory reporting of data breaches was among the proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced into the House of Commons in September 2011.

So what specific steps can be taken by proactive organizations to manage mobility in their workforce? In addition to password protection, companies can consider:

• adding on-device anti-malware solutions such as personal firewalls to protect device interfaces

• installing anti-spam software to protect against unwanted voice and SMS/MMS (short messaging service/multi-media messaging service) communications

• limiting the types of applications that can be downloaded to the device

• employing remote locate, track, lock, wipe, backup and restore software to retrieve and restore a lost or stolen device.

The ultimate goal is to design and implement a comprehensive enterprise mobility security solution with the help of a knowledgeable service provider — one that has the capabilities to centrally enforce corporate policy and monitor and inspect mobile devices.

HR’s role: Understand the issues and raise awareness

Of equal importance is raising awareness about threats so employees will take policies seriously and respect them. While 95 per cent of organizations have policies in place for mobile devices, only about 30 per cent of employees are very aware of them, according to a 2011 study by McAfee and Carnegie Mellon University in Pittsburgh.

“More than half of those aware of their company’s policies view them as stringent or very stringent. But just one in five IT departments characterized their policies as severely restricting,” found Mobility and Security: Dazzling Opportunities, Profound Challenges.

Communicating about high-profile security breaches (such as those experienced at Citigroup or Sony) may be useful in countering resistance and supporting changes to the code of conduct or site access restrictions.

That’s where HR professionals play an increasingly important role — they need to educate themselves about the mobile IT component of their workforce so they can participate knowledgeably in policy development and review and communicate with users on what to do and what not to do to better manage the security risks.

HR needs to find out how its mobile security protocols compare with the Top 10 List (see sidebar on pg. 19) by asking: What are our current usage statistics? What policies are in place? What is the awareness level of our employees?

The mobility ship isn’t going to turn around or even slow down any time soon — it will only accelerate.

To meet the challenge of supporting mobile devices in a manner that’s consistent with security and governance requirements, organizations should make it an urgent priority to explore enterprise mobility security capabilities in the near term.

Nick Galletto, Steve Rampado and Kareen Proudian work at Deloitte Canada in Toronto. Galletto is a partner who specializes in enterprise risk security services. He can be reached at (416) 601-6734 or ngalletto@deloitte.ca. Rampado is also a partner who specializes in enterprise risk security services. He can be reached at (416) 601-5714 or srampado@deloitte.ca. Proudian is a senior consultant with the enterprise risk practice. She can be reached at (416) 643-8016 or kproudian@deloitte.ca.

Tips for employers

Top 10 ways to manage mobility risk

• Segment your workforce — provide access only as needed.

• Establish procedures for procuring mobile devices and applications.

• Refine appropriate use and security policies and update your awareness training program.

• Enforce a strong password policy.

• Enable remote locking and wiping of lost or stolen devices, including after unsuccessful login attempts.

• Implement data encryption.

• Integrate mobile device support with existing IT management processes (such as a help desk).

• Avoid putting the company logo on mobile devices.

• Store, manage and maintain application software centrally to keep the systems free of valuable programs.

• Implement a comprehensive and integrated enterprise mobility security solution.
