Smartphones and tablets are the most popular and pervasive devices used by business professionals today. Their simplicity, flexibility and convenience make them as compelling for executives working on the road as they are for consumers playing and socializing at home. But now that the smartphone genie is out of the bottle, business owners, CIOs and IT leaders must work together to harness the efficiencies these powerful tools afford, while defusing the security threats they pose.
Bring Your Own Risk
The greatest smartphone security threats today have to do with their portable nature and the habits of the people who use them. Bringing your own device onto business premises is nothing new: execs have carried PDAs for decades and lugged around portable PCs for even longer. But today it’s a ubiquitous trend, and IT departments have to manage entire fleets of employee-owned devices instead of just a few among top executives. This significantly heightens concerns over compliance with corporate IT security, control of sensitive data, monitoring of potentially malicious applications and combating lack of user awareness.
With the use of personal mobile devices becoming the expected norm in the workplace, it would take a brave IT security manager and a very meek HR head to convince a business owner to ban BYOD entirely. But without some level of control, there is considerable risk of unauthorized network access, compromised data and operational disruptions. More than half the respondents to a recent survey of top IT decision-makers by Juniper Research ranked mobile device security as a key concern, and yet less than one in 20 smartphones and tablets has third-party security software installed.
One Phone to Spoil Them All?
Together, the Apple App Store, Google Play, Windows Store and BlackBerry App World will serve up 44 billion app downloads by 2016, according to ABI Research. That number will include many millions of productivity tools aimed specifically at executives.
To get the most out of these apps, users won’t think twice about connecting their personal smartphones to corporate networks and servers, introducing new vulnerabilities and fresh device management challenges each time they do so. The same device that roams your corporate environment in the morning will automatically connect to Wi-Fi in an airport, coffee shop or park later in the day, far away from the security protections of the corporate environment.
Moreover, most of these applications are created by developers who have no formal relationship with the business, meaning the only risk assurance that’s provided is the hope that the app store has checked the code for malware and exploits. Compounding the risk, many mobile apps enable device permissions, for example to the device’s camera, data storage, and ability to upload, without the user’s knowledge. A user performing even a simple task, such as opening a document on a company file server, exposes the corporate network to an application of unknown origin. If malware is present, it gains a route to company data as well as numerous LAN-based desktops. Root applications could access corporate file systems and make hackers ‘root’ users of server operating systems. Casual, personal communications on a smartphone that is also used to access corporate resources could become public, potentially damaging business reputations and careers. All this is the flip side of the efficiencies that users and businesses gain by having real-time access to everything.
A Phone is Only as Smart as its Owner
Although they are arguably the most valuable gadgets that any of us have ever owned, we lose our phones more frequently than any other device, 15 times more often than we lose our laptops, according to McAfee. Despite this, very few of us take sufficient precautions to protect the personal information, and increasingly the business data, that they contain.
Human error remains a rich source for hacker exploits, as people click away without thought on phishing emails and untrustworthy links from unknown websites. Many people wrongly assume that device manufacturers are taking the necessary measures to protect sensitive information while it’s on their phones, but sadly that simply isn’t true. While each new smartphone is undoubtedly cleverer than the last, and may offer some software and suggested configurations that provide a degree of security, these are insufficient to the task. If BYOD persists, and it will, then businesses must work out practical methods to prevent employees from compromising company data through careless mobile activities.
For most organizations, some form of mobile device management is the most accessible and effective technology for managing security risks posed by mobile devices. Lost Androids and iPhones can be tracked down remotely using geolocation, locked or even wiped clean of sensitive data, while Windows 8 features secure boot options to prevent rootkits and other low-level exploits.
There is plenty of basic advice that IT departments can share with the rest of their colleagues when it comes to minimizing the chances of personal and business data loss through lost or exploited BYOD. Perhaps most obvious is good password hygiene:
- Users should lock their smartphone screens with strong passwords.
- Major applications such as email, messaging and social media channels, as well as connectivity apps such as FTP or VPN tools, should also be secured.
- Passwords and PINs should be random and changed frequently.
- Passwords should not be recycled.
- Two-factor authentication should be employed.
- Minimize application and data risk by a simple practice: if you don’t need it, delete it.
Enable Business Transformation, but Take Control
There’s no question that IT security has become more complicated and challenging today than it used to be, as a majority of workers access company resources externally and internally by whatever means they deem necessary.
One way for businesses to begin mitigating this “insider threat” and gain some control over the access and habits of their users is to give them the tools they need. Custom mobile business apps harness the efficiencies of smartphones in a known and controllable way. Well-conceived apps enable any business to provide a more efficient and effective service without the insecurities that accompany a broad spectrum of third-party apps. Despite the pressure to bring new mobile app functionality to market, businesses should apply the same attention to secure coding practices for mobile apps as they do with other software development. Recent research by Intel indicates that 76 percent of IT decision-makers plan to adopt mobile business apps over the next 12 months, while more than half of corporate IT departments are involved in managing and realizing the benefits of mobile devices.
For some IT leaders, the sheer volume of risks and insecurities presented by the mobile age still outweighs the productivity benefits of BYOD and third-party mobile apps. But attempting to hold back the tide of mobile computing that has already engulfed the consumer world is ultimately futile. Much better for CIOs and IT managers to take precautions and make mobile business apps as secure as possible. High on this list should be implementing policies and procedures that address mobile risks, along with technologies such as mobile device management software that extends corporate policies to mobile devices; identity management software that lets IT know by whom, how and why business data is being accessed; data protection software to limit the data that can be downloaded to mobile devices; and encryption technology to make sensitive company data unreadable on lost or stolen devices. The use of cloud services that turn smartphones into information viewers rather than storage devices should also be considered, but, above all, businesses must educate their workers on secure mobile computing practices.
BYOD is here to stay, and many organizations have realized substantial productivity gains by allowing their employees to work the way they want to work. Intel, for instance, claims their employees have gained almost a full hour of work time per day by making use of personally owned devices for business. No company can afford to pass on those kinds of efficiencies. While the risks of mobile computing are real, the goal of IT leaders should be to strike a prudent balance between securing and enabling the business. Achieving this demands some sophisticated tools, but also a healthy degree of cultural change.
Technology by itself can’t solve the security challenges facing a modern business. That requires the right blend of technology along with the willingness to learn and adapt to new opportunities as they arise.