Securing the Borderless Enterprise

Consumerisation of IT is not just about devices. Enterprises have to look at comprehensive solutions to secure devices, networks, applications and data.

The use of consumer devices in the workplace continues to grow at a rapid pace as employees and employers seek to increase productivity and find greater flexibility in the way they work. Smartphones, tablets, web 2.0 applications, and social networking sites all enable greater mobility, enhanced flexibility, and increased collaboration across dispersed teams.

 

In fact, according to a Gartner report released in October 2012, mobile device sales in India are forecast to reach 251 mn units in 2013, an increase of 13.5 % over 2012 sales of 221 mn units. The mobile handset market is expected to show steady growth through 2016, when end user sales will surpass 326 mn units.

 

Another IDC report released in August 2012 found that India’s market share for smartphone shipments stood at 2.2 % for 2011, rising to 2.5 % in 2012. This figure is expected to increase to 8.5 % by 2016, making India one of the countries that will see the largest growth in this segment.

The recent ‘Consumerisation of IT’ study into enterprise mobility, conducted by Unisys in partnership with Forrester Consulting, reveals the rise of a new segment within the population of iWorkers, called the mobile elite – “a growing group of early adopters whose work and personal spaces contract into a single tablet, phone or website” – which means that the most mobile and self-empowered employees are also often the ones improving work processes (37 % of mobile elite employees convinced their boss to significantly change the way they do something at work, compared with 27 % of other employees) and using personal applications to better serve customers (33 % of mobile elite employees say that the business benefits of employees using personal devices or apps for work allow them to better serve their customers versus 24 % of other employees). That makes them a group worth supporting with business-ready alternatives to personal apps.

 

Yet, while most employers recognise that mobility in the workplace offers several benefits in terms of increased productivity and employee morale as well as capital cost reduction, they are also keenly aware of the risks it holds.

 

With the rapid proliferation of mobile devices, platforms and applications, the type and number of threats that mobile users encounter have also grown exponentially. The most common threats to mobile security include malware, loss and theft of mobile devices and, increasingly, exploitation and misconduct on the part of employees. Organisations need to create an extended security model that secures not only the network infrastructure but also the new “end-points” (mobile devices) being used to access the corporate network, while providing the freedom to take advantage of benefits offered by mobility.

 

Even though most organisations report that security is their top concern related to mobile devices, and they are implementing some security measures related to smartphones and tablets in the workplace, many are not enforcing them consistently. Here are some points to consider.

 

Centralised management of devices

Organisations need to ensure that they are monitoring and supporting all company-liable and employee-owned devices round the clock, so as to prevent data breaches while ensuring convenience and ease of access to the enterprise network. This requires a user-centric solution that manages, monitors, and secures mobile devices across platforms (iOS, Android, BlackBerry, and Windows Phone) in a cost-effective manner. This also includes the creation of policies to secure corporate content through remote monitoring and data wiping on mobile devices in the event of loss or theft or other security breaches.

 

Look beyond devices

The research also exposes a potential security risk in the recent phenomenon of employees using BYO apps. 38 % of surveyed employees admit they have downloaded unauthorised mobile apps or PC software for work.

 

BYO apps bring a two-fold security risk. Sometimes easily downloadable apps can be malicious vehicles for network breaches and data theft. To avoid negative consequences of employees using unauthorised software, organisations can create a company ‘app store’ that contains approved, secure software – either developed internally or purchased from a third party – to safely provide employees with the capabilities they need to do their work productively.

 

Secure device, network, app & data

Any device used to access the network is an “end point” – whether a desktop PC or smartphone. When employees take devices out of the office, they become an exploitable leak in the organisation’s system.

 

An unsecured endpoint may allow a cybercriminal to access sensitive data stored on the device or corporate network by collecting and re-using an authorised account and password, or by taking advantage of the user’s access when he or she is logged in. To combat this, organisations need to approach endpoint security from a combination of angles covering the device, network, and data.

The majority of organisations – 71 % – say that their focus will be on deploying password-based authentication for mobile users. However, fewer are considering more sophisticated security measures: only 22 % are considering token-based authentication, and 8 % are considering biometric-based authentication.

 

Passwords have traditionally been used in IT to secure access to devices and applications within the workplace, so it makes sense that they have been the first step taken to secure mobile devices. However, the risk of a data breach via compromised passwords is higher in a mobile environment because mobile devices can be easily lost or stolen, so it is surprising that organisations aren’t taking a more aggressive approach to securing the devices and the data on them.

 

Unisys recommends multifactor authentication, where the employee is identified not only by ‘what they know’ (a PIN or password) but also by ‘something they have’ (a token key) or, better still, ‘who they are’ (a biometric such as a fingerprint or face scan) to protect sensitive assets.

The good news is that today’s mobile world is necessitating – and enabling – sophisticated new approaches to security. For example, attribute-based access control is an emerging technology that grants access based not only on the nature of the data and the individual requesting access, but also on the location from which access is being requested and the method used to authenticate identity – for example, requiring a fingerprint rather than a password for access to more sensitive information.
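The attribute-based decision described above can be sketched as a small policy evaluator. This is an added example, not code from the article or from Unisys; the sensitivity levels, location names, strength ranking and policy table are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assurance ranking for the three factor types the article names (constructed values).
AUTH_STRENGTH = {"password": 1, "token": 2, "fingerprint": 3}

# Hypothetical policy: for each data sensitivity, the minimum authentication
# strength and the locations from which access is allowed.
POLICY = {
    "public":       {"min_auth": 1, "locations": {"office", "home", "roaming"}},
    "internal":     {"min_auth": 1, "locations": {"office", "home"}},
    "confidential": {"min_auth": 2, "locations": {"office", "home"}},
    "restricted":   {"min_auth": 3, "locations": {"office"}},
}

@dataclass(frozen=True)
class AccessRequest:
    user_departments: frozenset   # attribute of the individual
    data_owner_dept: str          # attribute of the data
    data_sensitivity: str         # attribute of the data
    location: str                 # where the request comes from
    auth_method: str              # how identity was proven

def decide(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is 'permit', 'step_up' or 'deny'."""
    rule = POLICY.get(req.data_sensitivity)
    strength = AUTH_STRENGTH.get(req.auth_method)
    # Fail closed on attributes the policy does not know.
    if rule is None or strength is None:
        return "deny", "unknown attribute"
    if req.data_sensitivity != "public" and req.data_owner_dept not in req.user_departments:
        return "deny", "user not entitled to this data"
    if req.location not in rule["locations"]:
        return "deny", f"location '{req.location}' not allowed"
    if strength < rule["min_auth"]:
        # Entitled user, acceptable location, but weak proof of identity.
        return "step_up", "stronger authentication required"
    return "permit", "all attribute checks passed"

# Constructed sample requests for one finance user and one restricted record.
if __name__ == "__main__":
    finance = frozenset({"finance"})
    for loc, auth in [("office", "password"), ("office", "fingerprint"), ("roaming", "fingerprint")]:
        r = AccessRequest(finance, "finance", "restricted", loc, auth)
        print(loc, auth, "->", decide(r))
```

The `step_up` outcome is what separates this from a plain allow/deny list: the same user and data yield a different result depending on how identity was proven.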

 

Use host-based firewalls, anti-virus, anti-malware and identity management software to better secure the endpoint. In addition, whitelist or behavioural-based threat protection can identify known and unknown threats so that they can be quarantined and eliminated.

Rather than relying solely on controlling access to data, organisations should consider securing the data itself via encryption. That way even if the wrong people gain access to where the data resides, they still can’t read the data.

 

Mitigate risk through policies

Technology is only part of the security solution. Update corporate policies to define and mandate the behaviour required of employees. Take a comprehensive approach by involving not only IT, but also human resources, legal, risk, and senior management teams in setting and managing policy. Policies and employee education programmes should cover the following:

 

  • Where and when devices can be used

  • Securing devices used to access the corporate network

  • Rules for copying sensitive data on to external media such as USB devices, DVDs and CDs

  • Password management

  • Data ownership and surrender/access, distinguishing between applications and data of the organisation and the employee

  • Appropriate use of technology in the workplace, including HR issues such as workplace bullying, confidentiality breaches, etc.

  • Appropriate behaviour, confidentiality, and disclosure on social networking sites

  • Consequences for breaching policies or programme

Educate employees

Use an ongoing communication programme to educate and remind employees about the potential security threats and the role they play in protecting company infrastructure and data. Employees need to be conscious of their responsibility to protect and secure devices that enable access to the corporate network or sensitive information.

 

It is worrying that, despite 92 % of organisations surveyed in the ‘Consumerisation of IT’ research saying they have a security policy in place, 53 % of employees say they aren’t aware of their company’s security policies. These people could unintentionally put sensitive data at risk by not taking the appropriate security precautions to protect the data on – or accessible via – their mobile device. It appears that many organisations feel that they are protected by simply creating a security policy that covers mobile devices. However, it’s of no use if employees don’t know about or understand it. In addition, with 9 % of employees in the survey saying they ignore or work around security policies, employees need to understand that the policies are mandated and what the consequences are for not complying with them.

 The article has been contributed by John Kendall. He is the director of National Security Programme, Unisys Asia Pacific.

 
