Unsurprisingly, security is the top enterprise concern for the burgeoning smartphone movement. The influx of mobile devices into the workplace, which initially elicited fear, has now largely been met with complacency. Whilst more and more companies are allowing employee-owned devices into the workplace, the vast majority of these are governed by policy only (if anything). This approach leaves organisational security in the realms of trust and companies unwittingly at risk.
Nearly half of enterprises that allow employee-owned devices to connect to the company’s network have experienced a data breach, according to a survey of 400 IT professionals by Decisive Analytics. Whether through loss, theft, third-party apps or automatic settings around uploading information, smartphones and tablets present multiple opportunities for data loss and exposure.
Consumer smartphone devices are designed to access and share data in the cloud, but a side effect is an increasing potential for data to be easily duplicated and moved between applications. This kind of risk has huge implications for all industries.
Mobility can mean that tasks such as accessing patient data, while protecting the confidentiality of protected health information as required by the Data Protection Act (DPA), are a huge challenge. Retail employees must maintain compliance with Payment Card Industry (PCI) data security standards if using personal smartphones. And, for manufacturing workers, the loss or theft of a device can mean serious loss of intellectual property. These kinds of breaches can also make corporate systems more vulnerable to malware and data theft. These risks call for a more robust approach to maintaining data security when it comes to mobile access.
When employees download and install mobile apps for their personal use, they may be allowing an unregulated third party access to other sensitive corporate information stored on their devices. With unapproved applications there is always the risk that they could be pre-infected with malware, which could log or remove information from the mobile device without alerting the user.
Similar risks are faced if business devices are stolen or leave the organisation and are able to connect to open or unsecured Wi-Fi networks. The corporate data stored on these devices could be exposed via these unsecured networks. Lost or stolen devices are one of the most common problems with the use of mobile devices. In the Decisive Analytics survey, 43.5 per cent of decision makers said their companies experienced this issue in the past year, supporting the need for being able to wipe sensitive data remotely.
For companies willing to let employees select and purchase their own smartphone, the business has to handle the diversity of multiple products and platforms. While employees find increased satisfaction, IT teams may struggle to cater for the multiple form factors, operating system requirements and version control. With new handsets entering the market constantly, and firmware updates and fixes being released every few weeks, IT support will be stretched to meet demand.
Establishing and enforcing corporate policy on company-issued devices is seen as key to compliance. However, it’s hard to enforce these policies on workers using personal devices. Should an employee leave the company, the device leaves too, and the organisation might be unable to reclaim or remove sensitive data. Compliance with industry and government regulations creates an added burden on ongoing support as well. For most organisations, being able to identify employees, control regulated content and archive important electronic communications all adds to the overhead associated with smartphones.
Unfortunately, issues with mobility are often a case of user error. Employees circumventing app blacklists, absent-mindedly losing phones or leaving passwords dotted around are issues that even the most robust mobile security policies and prevention methods will face. Mobility within the workplace is clearly a vital component of employee productivity and, as such, smart organisations need to find ways to mitigate these risks whilst retaining mobile advantages.
With an in-building wireless handset, many smartphone security challenges are simply negated or easily avoided. For example, within a hospital environment, an in-building wireless handset provides private, reliable and secure wireless communication between caregivers and supporting staff while satisfying DPA concerns. Confidential data can be accessed via the handsets within the building but not when the device leaves the wireless network, as there is no data stored on the device itself.
For industries like healthcare, manufacturing or retailing, this can be the balance that provides the benefits of mobility without the potential pitfalls. It frees up employees to have personal devices that remain personal, and work devices that are fit for purpose.