Private Smartphones, Tablets Threaten Office Networks
From the moment the first telecommuter logged into his work e-mail account from his personal computer, the line between work and home began to blur.
Today, thanks to mobile devices such as smartphones and tablets, we can surf the Web, send and receive e-mail and modify work documents from virtually anywhere.
Most smartphones and tablets are purchased by consumers for personal use. But many — even those on a family wireless plan — will also be used for work purposes both inside and outside the office.
This home/work overlap of mobile devices has created three major problems for the security industry as a whole.
Corporate IT teams can too easily lose control of the devices. Legal frameworks find it hard to demarcate between personal and corporate use. And security developers haven’t caught up with the new software.
Out of control
Smartphones and tablets streamline the way we communicate today. Forget about phone calls and e-mail -- these new devices make it easier to use social media, which is the way an increasing number of people, especially young adults, “talk” to each other.
However, the budgets of small or medium-size businesses often won’t cover networked mobile devices for anyone below top management levels.
So people bring their own devices to work and put them on the office network -- and, in many cases, don’t alert the IT or security departments about it.
Without knowing who’s accessing the network, or how often, it is difficult for a network administrator to make sure security policies are met.
The added risk of mobile devices is that they are easily lost or stolen. If the smartphone or tablet isn’t locked with password protection, outsiders will have access to potentially sensitive data and company e-mail messages.
IT departments do have options to protect corporate data on personal phones, said James Lyne, senior technologist at England-based security company Sophos.
“Platforms such as [Microsoft] Exchange can give administrators visibility of the types of devices users are using to access key services,” he said. “Acceptable use policies should also clearly outline users’ responsibilities: which devices are allowed, what security practices must be adhered to and how to notify IT if a device is lost or is otherwise compromised.”
If organizations don’t want employees using personal devices for business uses, devices can be restricted to services based on managed corporate assets, such as corporate-compliance software.
Many enterprises, however, will consciously allow users to mix personal and professional business on their smartphones or tablets. In these scenarios, it's critical that a security baseline is met and enforced.
No legal basis
Legal departments have their own challenges to face. Corporations have jurisdiction over company-owned devices, no matter how and where they are used. But privately owned devices aren’t as easily supervised.
In November, National Public Radio reported about a woman whose personal smartphone had been wiped clean by her employer. The remote wipe, which deleted everything on her phone, was a mistake, but the case raised the question of whether a company should have that much access to a personal device.
For corporate legal departments, it’s not clear which activities on a smartphone or tablet count as private use and which don’t.
What should legal departments be concerned about, and how should those concerns be passed along to the employee?
Lyne said mobile devices should be covered by the same compliance regulations as laptops or conventional computers. Loss of work-related data on a personal device is not acceptable.
“That said, the expectations of security controls on mobile devices are also less developed in many countries’ legal frameworks,” Lyne added. “Enterprises should make sure employees understand their obligations to manage and protect the device, but also should be conscious of the risk of data loss to their businesses. Where possible, minimize the flow of sensitive data to these device types to reduce the risk of loss.”
Hard to keep up
Mobile platforms present a new set of challenges to security, said Lyne. First of all, their presence greatly expands the number of operating systems -- Android, BlackBerry, Apple’s iOS, HP’s WebOS -- that need to be protected.
“Microsoft operating systems have long been the primary focus area for security investment,” Lyne explained. “The broader set of platforms being used requires not only more coverage from solutions, but fundamentally protecting each of these devices is quite different in implementation and policy. These platforms, without standards, could increase the cost notably.”
Second, the mobility of these gadgets itself is a challenge. Each device constantly moves in and out of the network, and it almost certainly will be used for a blend of work and personal matters.
These changes in user behavior challenge conventional security policies, and will have a significant impact on the behavior of security technologies.
“The industry should not fall into the trap of trying to protect mobile devices with an identical model to the traditional computer,” Lyne said. “While security issues undoubtedly exist on these devices and we all need to recognize the likelihood of greater focus on these devices by attackers, the threat vectors and protection model are different platform to platform.”
The immediate priority for businesses will be to manage the basic compliance of each mobile device. Enterprises should know which devices are being used and ensure that password security, encryption and patching are all up to scratch. Compliance is the key starting position for those looking to secure their mobile devices. However, as the threat evolves, so, too, will product requirements.
This story was provided by SecurityNewsDaily, a sister site to IT TechNewsDaily.