Mobile phones are now a ubiquitous part of company life. But how is their use impacting on your company’s security? A whole host of devices are being used in firms, but all too often the security aspect is being missed.
Today’s working world is changing, moving away from a sedentary 9 to 5 office day toward jobs where employees are constantly on the move, regardless of the size of the company or the sector. Fixed workplaces are giving way to hot desking solutions and home offices. Desktop PCs are being replaced by notebooks, tablets and smartphones. Employees want to be able to employ a wide variety of devices to send and receive e-mails on the move, and to access the company intranet or internal services.
Gone are the days when these mobile devices were regarded as gadgets for only a small group of employees – their use as key business tools is now widespread and increasing all the time. They are a natural part of everyday life for today’s generation, the so-called ‘digital natives’.
Using communication devices on the move, however, exposes workers to potential security risks, including theft or loss outside of secure company premises. Notebooks can be left unattended in a car or conference room. And when a device is left unsupervised, even a short period of time is sufficient for someone to access any confidential data on it.
These risks are further exacerbated as network and infrastructure boundaries become increasingly blurred. The upshot is that the data being transmitted has to be protected as well as the communication path itself.
Each new way of communicating requires suitable security measures to prevent eavesdropping on calls or interception of data. For example, in 2012 the hacker group ‘Anonymous’ was able to listen in on a video conference between the FBI and Scotland Yard, and subsequently published it on YouTube.
The new security strategy has to focus on protecting data and communication as well as ensuring network integrity. The question is not where a particular security measure should be implemented, but rather which security measures are relevant along the entire path. There is a series of questions regarding the security of data that organisations should answer:
Should employees be allowed to have confidential documents on their mobile devices?
What happens if this device is lost?
What about employees’ private devices? Should these be allowed in the corporate environment (Bring Your Own Device)?
Which measures are needed to enforce security guidelines on mobile devices?
Which services and applications can be used with which devices?
In many companies, it’s the top managers with their newly acquired high-tech phones who are the first to create gaps in the protective IT security walls that have been built up around corporate systems. Because they are used both within and outside corporate boundaries, these mobile devices are beyond the administrator’s control. They consequently require protection of their own against viruses and attacks of all kinds.
Further risks are posed by the potential theft or loss of these devices, which often have sensitive data stored on them or allow access to such data. The challenge lies in integrating these various devices with the existing corporate infrastructure and being able to manage their operation securely, efficiently and with a minimum of administrative overhead.
Conventional security concepts are based on the ‘castle’ principle, which means building a strong perimeter defence against intruders. This involves powerful defence systems in the form of firewalls, anti-spam and anti-virus solutions, content filtering and verification.
The increasing use of mobile devices means that applications and identities are being used both inside and outside companies, leading to a blurring of professional and private boundaries. Employees keep in contact with customers using blogs, use social networks or ‘tweet’ information on the move – the potential scenarios are many and varied and can scarcely be mastered using traditional security measures.
Although traditional security solutions, such as firewalls, will always remain in demand, additional new components are needed to tackle these new security problems, and to keep the associated administrative overhead as low as possible.
Any overall solution that is worthy of the name should be able to support a large number of different mobile operating systems and manufacturers. Companies that do not have a long-term mobility strategy run the risk of their devices, platforms and applications proliferating to the extent that they become difficult to control and tough to integrate efficiently with the existing infrastructure.
Companies should also have a good idea of the services to be used and how these fit in with the corporate strategy. External aspects, such as customers, should also not be ignored. This means that IT must adapt so that customers and employees are integrated in the most beneficial way possible.
Can any existing equipment be retained and savings made by doing so? Is the existing infrastructure actually compatible with planned business development? Answering these questions involves examining the existing security issues, determining the new risks, and reviewing the possible solutions from an economic perspective.