Infosecurity speakers advocate for mobile device security policy

Don't underestimate the importance of a mobile device security policy, agree several CISOs at the 2011 Infosecurity Europe conference.

LONDON -- One of the most-asked questions at Infosecurity Europe this year has been how to manage the ever-growing range of devices users want to attach to the corporate network. Do you allow employees to choose and use their own equipment, or do you try to maintain control through a company-owned estate of mobile devices?

The general consensus is that the consumerisation trend is unstoppable, mainly because the biggest demand for such devices tends to come from senior management. When the boss asks IT to connect his new iPad to the system, few security people feel comfortable refusing the request.

So whether it’s iPhones, iPads, Android phones or any other new mobile device, information security professionals are having to find ways to connect them safely, enable email, and possibly even give users access to corporate applications from the device.

Some keynote debates on the subject heard the experiences of several CISOs, whose general advice could be summarised thusly: Go slowly, explain the risks, avoid allowing Android devices at all costs, and make sure you involve HR and legal when framing your mobile device security policy.

Mark Brown, CISO at brewing company SABMiller plc, explained that his senior management had acquired iPhones and iPads and naturally wanted to use them for work as well as play. He decided it was best to turn the problem into an opportunity.

“Consumerisation has acted as a catalyst to allow me to drive through other projects, such as network access control and data leak prevention, in order to control the risks,” Brown said.

Brown advised using the native features of the Apple systems, which offer plenty of good security features in a tightly managed environment, including the sandboxing of information downloaded by the Apple email client so that it cannot be stored locally outside that client. Under his policy, documents are also fingerprinted by the DLP systems, and certain sensitive classes of email can only be delivered to a company-owned device.
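The fingerprinting-plus-delivery-gate control described above, as an added illustrative example rather than SABMiller's or any DLP vendor's code. It fingerprints registered documents with hashed word shingles (a common DLP technique) so that an excerpt pasted into an email is still recognised, then applies the stated rule that mail matching a "confidential" document is delivered only to a company-owned device. The documents, messages, device records, thresholds and identifiers are all constructed for the example.

```python
"""Word-shingle document fingerprinting with a device-class delivery gate.

Added example, not SABMiller's or a vendor's code. Everything registered or
sent below (documents, messages, device records, ids) is constructed.
"""
import hashlib
import re
from dataclasses import dataclass

SHINGLE_WORDS = 5        # length of each word n-gram that gets hashed
MATCH_FRACTION = 0.20    # hit if this share of a document's shingles is present...
MIN_MATCHED = 8          # ...or if at least this many shingles match (long documents)


def _words(text: str) -> list:
    """Lower-case and strip punctuation so reflowed or re-cased copies still match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = SHINGLE_WORDS) -> set:
    """Hash every k-word window of *text*; the set of hashes is the fingerprint.
    Texts shorter than k words yield an empty fingerprint."""
    words = _words(text)
    shingles = set()
    for i in range(len(words) - k + 1):
        window = " ".join(words[i:i + k])
        shingles.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return shingles


@dataclass(frozen=True)
class Device:
    user: str
    company_owned: bool


class FingerprintStore:
    """Registry of (classification, fingerprint) per document id."""

    def __init__(self):
        self._docs = {}

    def register(self, doc_id: str, classification: str, text: str) -> None:
        fp = fingerprint(text)
        if not fp:
            raise ValueError(f"{doc_id}: too short to fingerprint")
        self._docs[doc_id] = (classification, fp)

    def match(self, text: str) -> list:
        """Return (doc_id, classification, matched_shingles, fraction) for each
        registered document that *text* reproduces, best match first."""
        msg_fp = fingerprint(text)
        hits = []
        for doc_id, (cls, fp) in self._docs.items():
            matched = len(fp & msg_fp)
            fraction = matched / len(fp)
            if matched >= MIN_MATCHED or fraction >= MATCH_FRACTION:
                hits.append((doc_id, cls, matched, fraction))
        return sorted(hits, key=lambda h: h[2], reverse=True)


def delivery_decision(message: str, device: Device, store: FingerprintStore,
                      restricted=frozenset({"confidential"})):
    """Policy: mail matching a restricted-class document goes only to company-owned
    devices. Returns (allowed, reason)."""
    hits = [h for h in store.match(message) if h[1] in restricted]
    if hits and not device.company_owned:
        ids = ", ".join(h[0] for h in hits)
        return False, f"blocked: matches restricted document(s) {ids}; {device.user}'s device is personal"
    if hits:
        return True, "delivered: restricted content, company-owned device"
    return True, "delivered: no restricted content detected"


# Constructed sample documents (fictional) registered with the store.
BOARD_PAPER = (
    "Board paper 2011-07, confidential. The proposed acquisition of the Riverside "
    "brewery is expected to complete in the fourth quarter, subject to regulatory "
    "approval. The indicative offer values the business at three times forecast "
    "earnings, and the integration plan assumes closure of two of its five depots "
    "within eighteen months. Directors are asked to approve the opening of "
    "exclusive negotiations."
)
CHARITY_NOTICE = (
    "Summer volunteering day. The annual charity run will take place on the first "
    "Saturday in September; sign up at reception. Refreshments provided."
)

# Constructed messages: one quotes two sentences of the board paper, one quotes the notice.
LEAK_EXCERPT = (
    "FYI from the board pack: the indicative offer values the business at three "
    "times forecast earnings, and the integration plan assumes closure of two of "
    "its five depots within eighteen months. Thoughts?"
)
BENIGN_MAIL = (
    "Hi all, the annual charity run will take place on the first Saturday in "
    "September. Can we get a team together?"
)


def build_demo_store() -> FingerprintStore:
    store = FingerprintStore()
    store.register("BOARD-2011-07", "confidential", BOARD_PAPER)
    store.register("HR-NOTICE-12", "public", CHARITY_NOTICE)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for label, msg in (("leak excerpt", LEAK_EXCERPT), ("benign mail", BENIGN_MAIL)):
        for device in (Device("cfo", company_owned=True), Device("cfo", company_owned=False)):
            allowed, reason = delivery_decision(msg, device, store)
            print(f"{label:13} -> {'company' if device.company_owned else 'personal':8} {reason}")
```

Two design points matter in practice. The match test uses both a fraction of the document and an absolute shingle count, because a single paragraph lifted from a long board paper would otherwise score below any sensible fraction; and the classification of the matched document, not the mere existence of a match, drives the decision, so quoting a public notice is never blocked. Shingle hashing catches copy-and-paste and reformatting but not a paraphrase, which is why this kind of fingerprinting is normally paired with the device-side controls the article describes rather than relied on alone.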

However, Brown revealed one senior manager had to be talked out of using an Android phone. “The Android app store is much more open and less well regulated, so we persuaded him to have an iPad instead,” he said.

Chris Parker, CIO at LeasePlan Corporation NV, had a similar tale to tell. Senior managers returned from a company meeting in the US with iPads and wanted to use them for work. It made good sense to set about complying with their wishes. “When the execs are happy, it makes it easier to find funding for the next project,” he said.

As LeasePlan is a user of virtual desktop software, Parker said, it was easy to deliver corporate systems to the iPad and allow users to have their Windows desktop on the mobile device if they wanted.

While technical solutions were straightforward, they said it took a lot of work to clarify policies and ownership of data. Brown said he engaged both his HR and legal departments to frame a new mobile-usage policy that made it clear to users that company data actually belonged to the company. If users chose to leave the company, or misused sensitive information, then the company had the right to remote-wipe their devices. Any staff member wanting to use his or her own device was asked to sign a document agreeing to the terms of the policy.

By signing, users also agreed to a strong password policy and to having information encrypted.

Brown said other issues to consider are the tax implications if the company funds all or part of the cost of the device, and also the need to train the company help desk on how to support the new devices. SABMiller had to buy iPads for the help desk staff and send them on training courses.

“Our service desk previously only understood Wintel systems, so we had to build up support, because the end users will always see [the helpdesk] as the first point of contact when they have a problem, even though they own the device,” Brown said.

Elsewhere in the show, two companies unveiled new surveys looking at the security of personal phones and laptops.

Security vendor Sophos plc polled 1,075 British adults in March to see whether they used their phones for work. More than a quarter (28%) said they were actively encouraged by their employers to use their personal devices at work, and 25% only had one phone for both work and personal use. One third said their company had no policy regarding use of personal phones and laptops for work, and another third of respondents did not know if a policy existed at their companies. Only 13% felt confident that information on their laptop or phone would be safe if they lost the device.

Another survey, by ESET UK Ltd, asked 2,000 consumers about viruses on smartphones and found that only 6% had installed antivirus software on their devices, although 36% were aware that such threats existed. Despite that awareness, 58% said they opened email attachments on the phone, a route by which malware can arrive, and 21% said they used their devices for online banking.