Infosec 2011: The security advantages and pitfalls of personal mobile devices in the workplace
Date: Apr 20, 2011
Allowing employees to use personal mobile devices for work purposes can increase productivity and improve security measures. But managing users' mobile devices can present security risks too.
A recent survey of 1075 UK employees, carried out by TNS Omnibus for security firm Sophos, shows that 30% said their company lacks a security policy to protect information on personal devices used for work purposes. A total of 50% were concerned that personal information would be insecure if they lost their mobile device.
James Lyne, director of technology strategy at Sophos, said that, despite the business benefits of using mobile devices, employees are vulnerable to web-based attacks and to loss of personal and corporate data.
"Almost a quarter of those surveyed admitted to having lost a mobile, and if these devices do not have in-built security features enabled such as passcode protection and encryption, businesses are effectively presenting a vastly increased attack surface to potential cyber criminals," said Lyne.
Speaking at a panel session at the 2011 Infosecurity conference in London, Gary Cheetham, chief information security officer at NFU Mutual, said the recent RSA token breach suggests mobile devices could be used as a second factor for two-factor authentication to improve security measures.
"But this pushes the risk elsewhere to the security of the devices. By improving authentication, the threat environment has changed," he said.
He adds, "The movement of devices from consumer to corporate environment means usage must provide right levels of security. We've not got any choice, it's the way it's got to go."
Security benefits of mobile devices
Louis Gamon, information security officer at John Lewis Partnership, insists that devices other than Research in Motion's BlackBerry smartphones are not safe even for personal use, let alone in a corporate environment.
"Currently, Android and other mobiles are not secure enough for personal use even. A massive amount of information is trusted to these devices," said Gamon.
But Michael Everall, chief information security officer at Lehman Brothers Holdings, says organisations can no longer restrict themselves to RIM's BlackBerry devices. He thinks other devices, such as smartphones running Google's Android operating system and Apple iPhones and iPads, can be used as long as users accept liability for the loss of company data as well as their own.
"It's not the device that's the issue. The device can enable [employees] to do more if the safety of data is managed," said Everall.
Users must accept data loss liability
"We need to look past the hardware to the content as well as guidelines and policies around data," said Everall.
"More applications are available for encryption. There are kill commands to wipe data remotely. But users could still lose it [their mobile device]," he continues.
Everall says ownership of risk is crucial, even if everything else is outsourced. "If you're using a personal device with company data on it, you still need to take responsibility and need to manage it."
He adds that users must accept that companies will need to "wipe at will" any device accessing corporate data as a security measure, so employees need to back up their personal information.
Ways of encrypting data
But Andrew Turner, IT security officer and information governance lead at NHS Dumfries and Galloway, says the data management tools that are available for PCs are still far more limited on mobile devices.
"There are few tools available for encryption. We need to construct apps that don't leave data on the device so we can use them [mobile devices] and be aware of pitfalls."
Turner outlines a new system for handling patient data on mobile devices that is currently in use within NHS Dumfries and Galloway hospitals, where nurses use mobile devices to fill out forms with patient information.
"The information is just co-ordinates on paper, which can be encrypted as dots. Through the back-up systems, other colleagues can access the information. Mobile computing is used to enhance the systems. But there's no data to lose," said Turner.
Turner added, "The technology isn't the problem, it's the people."
The consumerisation of IT has forced IT departments to manage an array of mobile devices. As IT security professionals weigh the security pitfalls of letting employees access company data from personal mobile devices against the productivity advantages, user education is becoming more important in raising awareness about protecting company data as well as personal information.
Nigel Stanley, practice lead for security at Bloor Research, talks to ComputerWeekly.com's Jenny Williams about the security pitfalls and advantages of allowing employees to use personal devices in the workplace. While personal smartphones can support stronger two-factor authentication as well as increasing productivity, data loss risks and liability issues can outweigh the benefits.