Lock down

Mark Evans, director at Imerja, specialist IT services provider
Mark Evans, director at Imerja, specialist IT services provider
 
Simeon Coney, vice president for business development at mobile security provider, AdaptiveMobile
Simeon Coney, vice president for business development at mobile security provider, AdaptiveMobile
 
Jonathan Sheridan, sales director at telecoms provider, GTEQ Intelligent Mobile
Jonathan Sheridan, sales director at telecoms provider, GTEQ Intelligent Mobile

In a world where businesses increasingly have to comply with data protection legislation, and where in parallel workforces are becoming increasingly mobile, data security can appear to be somewhat of a minefield. Here, Heather McLean takes a look at what the experts recommend for securing your mobile workforce.

Over half of employees now use their own mobile phone for business purposes, says Mark Evans, director at Imerja, specialist IT services provider. Yet, he adds that according to a study by Cyber- Ark Software, only 12% of those employees use encryption to protect data in the event of a loss, showing a significant lack of mobile security issue awareness.

Goodbye reputation

Corporate data losses do not only damage businesses’ reputations, but also are extremely costly, warns Evans. He comments that the Information Commissioner’s Office is now able to fine organisations up to £500,000 for a serious breach.

“This fine has been revised from the previous maximum penalty of £5,000 in response to the dramatic increase of data incidents; a reported 70% of organisations have been hit by one or more data breach incidents within the last twelve months.

“As the use of mobile phone technology extends beyond voice and text to include email, internet browsing and the use of social media, it is vital that businesses give security of mobile phones the same level of priority as traditional networks and fixed telephony services, not just in terms of network availability and connectivity, but also in respect to securing information on mobile devices and underpinning the critical role they have to play in delivering business continuity,” states Evans. “In summary, treat phones with the same, if not greater, respect as laptops.”

Simeon Coney, vice president for business development at mobile security provider, AdaptiveMobile, adds: “With organisations becoming ever more mobile and staff working from the Cloud or accessing increasing volumes of corporate data from smartphones and wireless laptops, it is becoming increasingly difficult for those responsible for security and IT within organisations to manage and monitor what data is coming into, or leaving the organisation. In addition to this, corporates often face strict regulatory controls on sensitive information flowing out of their organisation, much of which is increasing being held on mobile phones.

Growing threat

“For example, one particular issue that is becoming an increasing worry for enterprises is the use of mobile spyware for corporate espionage, and it’s on the rise,” Coney comments. “There are simple, invisible applications widely available online that can be covertly downloaded onto mobile handsets. Such applications can copy and forward on all sent and received messages, record calls and even act as a listening device, all without the owner ever realising the application is there, let alone siphoning data to a third party. With corporate handsets generally under less scrutiny than desk-based PCs, such threats can remain undetected for a significant length of time,” says Coney.

When it comes to combating mobile security issues, it is unfortunately not as easy as blocking traditional PC spam and viruses with downloadable security software, comments Coney. “Users often don’t see the need to install security clients on their mobile handsets and the problem is ignored. The mobile devices themselves aren’t designed for constant background content scanning or holding databases of all the malware website addresses and the networks aren’t dimensioned, either capacity-wise or commercially, for the continual immediate signature updates needed to block the latest phishing sites. With that in mind, the wireless world needs to look beyond simply trying to mimic the ways the PC community has learned to protect its users from security issues.”

Security straightjacket

As mobile devices become ever more complex, with increasingly large memory capabilities, people are focusing on their phones as their main devices, both on the road and in the office, states Jonathan Sheridan, sales director at telecoms provider, GTEQ Intelligent Mobile.

He comments: “There are applications that can be downloaded onto smartphones that will allow you to control the data on the device and protect them against viruses, as well as tracking the device if it is stolen. Yet I would argue that having a handset stolen or lost is not the worst thing that can happen to a company in terms of mobile data security. The reason for this somewhat controversial statement is quite simply that there are applications that allow your conversations to be monitored and texts matched Mark Evans, director at Imerja, specialist IT services provider against your address book and viewed online, for instance, on flexispy.com, so where do we draw the line?

 

“Like most security issues, the weakest link is the human element,” remarks Sheridan. “There is no mitigation against someone leaving their phone unattended or inadvertently sending information to the wrong person. Obviously, there needs to be a balance between offering a useful service and locking it down so tightly that it becomes a business prevention system, and that is entirely up to company involved.”

Sheridan adds: “There is no getting away from the fact that data security is a business decision that should be taken under advice and weighed against the cost and potential risk of losing data against the cost of protecting against such loss. One man’s protection is another man’s straightjacket; there is no easy answer, but education will help.”

 

Basic security

Evans says all mobile phones have a basic password option to lock and unlock the device, although this function is rarely implemented by individuals, particularly if they are using a personal phone as opposed to a business device where a password policy may require it.

He remarks: “There are a range of software solutions and services currently on the market; basic packages allow organisations to encrypt or ‘lock down’ a device so it cannot be compromised if lost or stolen, with more sophisticated solutions enabling remote management or device locking and wiping of data if lost.

“Encryption software can be deployed on a single handset or an entire mobile fleet, helping to prevent information being downloaded by unauthorised people. Whilst easy to put in place, it needs to be underpinned by a robust and enforceable security policy structure across the mobile fleet to ensure all devices are secured in a controlled and manageable way. However, encryption does not necessarily protect information ‘over the air’. More complex technology exists that not only encrypts the device and information stored on it, but also encrypts the voice and data traffic sent to and from the device,” continues Evans.

 

Think big

Current trends for IT outsourcing and managed services have followed suit in the communications and mobile environment, says Evans. “By providing a fully monitored and managed service for an organisation’s mobile estate, they can be assured that all policies are implemented as standard across all handsets, as well as being able to manage policy and enforcement on particular handsets.

“No longer a commodity, mobile communications are now seen as part of the wider IT infrastructure within an organisation, so it makes sense to treat all networks with the same services and security,” Evans notes.

Coney states that while on-device security measures are becoming more common and have a role to play in the wireless world, they alone cannot offer the levels of protection that is required. “A significant amount of processing power is required to run anti-virus software and despite smartphones becoming ever more powerful and designed primarily to be functionally rich, on the whole they are not yet capable of the significant multitasking that would be required to run adequate background security software.

“Moving away from the hardware, the vast array of mobile operating systems powering today’s handsets can also pose a challenge; each different OS has its own weaknesses when it comes to security. The cost of building security software to cover this vast array of systems can be huge, not to mention the numbers of patch updates required as new threats inevitably come to the fore. There is also the impact on network bandwidth to consider; what happens when many thousands of users try to download security updates simultaneously? As such, it is necessary to explore alternative routes to ensuring users’ phones stay private and aren’t under the threat from spam, malware or other undesired content,” states Coney.

The preferred emerging solution being implemented by many of the world’s largest mobile operators is a system of network-level security, which complements existing devicelevel protection, explains Coney. He says this ensures that all users, as well as the network, are protected from current and emerging threats.

“Today, security content inspection software that sits on mobile networks provides customer protection across all mobile technologies, threats and media types. This includes protection against illegal or inappropriate content, viruses and malware. It allows mobile operators to enable enterprises to extend corporate security policies through to mobile assets,” continues Coney. “As these solutions sit across the entire network, they work across all mobile services, such as WAP, SMS, MMS, voice and email and all forms of network access, including GPRS, 3G, DSL, WiFi and WiMax.”

Coney says that by putting in place networkhosted defence, operators can identify threats and block potential breaches before they even reach the end user’s handset or mobile dataenabled laptop. Operators are starting to provide control portals that allow organisations to set specific, individual controls on employee usage to suit their organisational policies, he notes, which enables IT managers to determine what services, content or third parties employees can access at any given time, while allowing reporting and feedback on breaches or unusual behaviour.

 

Tough technology

Some devices are viewed as more secure than others, notes Sheridan. He explains: “Security is often cited as the reason why BlackBerry is used in preference to the Windows Mobile option. This is still the case, and BlackBerry’s IT policies are very powerful (if used), although Microsoft would argue that it too has the ability to ‘fry’ a device if it is lost or stolen.

“Good security policies will help prevent the majority of ‘accidental’ losses of data, but if you include voice as being a form of data you may need an additional deterrent, such as call recording, to reduce the risk of confidential disclosure,” warns Sheridan. “Another option could be to host the mobile data service, as this will address the issue of data backup and data recovery, although it is difficult to sell, as you are usually pitching to a person whose job may be put at risk (turkeys looking forward to Christmas).”

Evans agrees that RIM has become synonymous with delivering secure mobile solutions for the enterprise in recent years, operating a completely locked down solution that delivers, amongst other things, secure email.

He adds: “Other advanced solutions, like that from Good Technology, also offer scope for organisations to deploy a secure environment onto any employee’s phone, even one that is owned by the individual rather than it being a business asset, within which they can be granted secure access to corporate resources such as email. In the same way that people can visit the public App Store for the iPhone, businesses can develop their own private, bespoke App Store which users can download and use within their secure environment, ensuring the information accessed is kept secure at all times.

“If the phone is lost, or the employee leaves the organisation, applications and data held in the secure environment can be remotely wiped without compromise to whatever else may be on the phone,” says Evans.

 

How to sell

On how to sell mobile security, Evans comments: “With over half of UK workers now using their own mobile phone for business, dealers need to use this information to help sell security by informing organisations that the device does not need to be business-owned.

“Personal devices can also be secured, and business services that are accessed through mobile devices can be managed by specialist organisations that can deliver 24x7 services to users. Gone are the days of basic nine to five support; with greater agility and access to information and applications, support needs to be available around the clock,” Evans remarks.

The security challenges that enterprises face in the mobile world are many and diverse, comments Coney. He says if they are to protect themselves, their data and their staff, a three pronged approach is key: content control, the ability to manage what can be accessed, when and by whom on mobile devices, extending the existing capability provided by LAN based content filtering appliances; device security, protecting the mobile handset itself from incoming threats to data such as malware and spyware, but in a manner that is not limited by the lack of consistent security client availability across the range of devices and manufacturers commonly found in an enterprise; and clean connectivity, scanning inbound and outbound activity to highlight any unusual or unexpected activity.

“Only when these three areas are addressed can organisations achieve a consistent level of usage policy enforcement and control for staff across both the mobile infrastructure and their fixed network internal systems, ensuring that both the business and the staff themselves are protected,” Coney concludes.