The Security of Business Innovation Council, which is supported by EMC’s security arm, RSA, unveiled its new guidelines in a report entitled “Realizing the Mobile Enterprise: Balancing the Risks and Rewards of Consumer Devices.” Business benefits of consumer device use include extended work and agility capabilities along with end-user satisfaction, and the report stated that 80 percent of workers typically use their devices for work. But the real harm to enterprise data and systems is not being addressed as quickly as personal mobile devices are being accepted, according to the report.
Of the six prime threats that consumerization of mobile devices and BYOD pose, the council predicts that four will only become more problematic in the near future: lost or stolen devices; malware attacks; advanced mobile risks; and risky end-user behavior. The two other main consumer mobile threats – compliance/legal risk and software vulnerabilities – have the potential to increase, too, but may be offset by innovation and new strategic frameworks.
As “cool features tend to trump security” with consumer mobile devices, enterprises have to turn to third-party vendors to supplement security. Here, the report finds a few dozen solutions from approximately 10 providers, and “no clear leader.”
William Boni, chief information security officer at T-Mobile USA and a contributor to the report, likened the expansion in consumer use of mobile computing to the early era of the PC, which puts demands on security measures to “evolve fast.”
“But will it be fast enough? We're in an arms race between malicious exploitation and security protection,” Boni said in a release with the report.
The report goes on to detail five primary recommendations to manage today’s enterprise mobile risks and set up a platform for growth.
- Start with truly enterprise-wide governance. Establish mobile governance through a collaborative approach that reaches across business departments and silos, and educates all users.
- Create an action plan for the near-term. Over a 12-to-18-month span, test mobile device management solutions; review authentication, security and malware protection; and adopt a “containerization” plan that protects enterprise data from personal information/apps.
- Build core competencies in mobile app security. These include jailbreak alerts, adequate encryption and auto-wipe, and avoidance of local data storage, all keeping in mind user experience.
- Integrate mobile into long-term visions. For a strategy that has legs, consider trust calculations for expanded user access to enterprise data, cloud-based security gateways and data-centric security measures like enterprise rights management.
- Expand mobile situational awareness. Corporate security teams need day-to-day and long-term reviews of threats and how they relate to hardware and software upgrades, as well as coverage agreements by vendors and mobile device providers.
Contributing to the Security of Business Innovation Council report, released during an EMC event this week in London, were 19 executives from large enterprises, including SAP, Intel, Coca-Cola, RSA and AstraZeneca. The 30-page report is available for download as a PDF.