Smartphones slip under corporate security radar

Companies risk losing sensitive data and documents because they are failing to secure the Blackberry devices and mobile phones used by their workforce, a mobile telecoms provider warned this week.

Businesses are neglecting to take even the simplest security precautions, such as using passwords to protect access to corporate e-mails if staff lose their handheld devices, according to telco Orange, which commissioned a survey of 2,650 organisations by analyst firm Quocirca.

The survey found that 40% of businesses did not apply the same degree of security to handheld devices as they did to laptop computers.

Yet nearly 70% of those surveyed said that data falling into the wrong hands through the theft or loss of mobile devices was their most important mobile security concern, ranking above unauthorised network access.

“Increasing numbers of PDAs and advanced mobile phones are being used in business but the measures organisations take to secure the data stored and accessed by these devices are often inadequate,” said Rob Bamford, principal analyst at Quocirca.

The problem is becoming increasingly acute as more firms issue their staff with smartphones capable of accessing the corporate network to retrieve e-mails.

Handheld devices are often purchased by departments responsible for buying mobile phones, rather than the IT department. As a result, handheld devices often fall outside company security policies, according to Clive Richardson, product director at Orange Business Solutions.

“It is very common in the laptop area to have strong security, but it's less common to have policies for handheld devices,” he said. “Yet the high-end devices have the power of PCs a couple of years ago.”

Quocirca advises businesses to invest in remote deactivation services, which can automatically delete the contents of a mobile device’s memory if it is lost or stolen.

Businesses will also need to take steps to protect their mobile devices from viruses, as mobile phone viruses become more common.

Orange said it was working on technology that would let companies automatically distribute anti-virus software to multiple devices. Mobile phone makers are developing digital certificates to authenticate software downloaded onto mobile phones and prevent viruses from running.

Bamford advised companies to make sure they had security policies in place for staff using mobile devices – and enforced them.

“It's making sure that everyone understands, right from the top of the organisation to the bottom,” said Bamford. “Everyone has a responsibility for security. The more mobile a device is, the easier it is to be careless with it or lose it.”

* Coventry University Enterprises is rolling out smartphones to 60 of its staff so they can access e-mails and diaries on the move.

The organisation said it was using a range of measures to secure them, including blocking e-mail attachments, encrypting data and insisting on staff using passwords.


Top tips for secure smartphones and PDAs

1 Establish policy
Start with a business policy for mobile access, which feeds into a narrower IT policy to ensure decisions are aligned to business needs rather than the technology du jour.

2 Support policy and processes with technology
Automated backup and data synchronisation reduce the need for user intervention and the possibility of errors.

3 Build on experience
Policy and processes need to adapt to changing technology, threats and usage patterns of mobile working. 

4 Communicate
Policy must be understood from top to bottom of the organisation and implemented as business processes.

5 Protect the device
Anti-virus, firewall and VPN software usage should not be left to users, but provided as a corporate resource, installed on every suitable mobile device and updated regularly and automatically.

6 Single point of support
Users need a simple method of getting help or advice in the event of a problem.

7 Asset tracking
Log corporate assets given to employees in an asset register, and update the register whenever loss, theft or upgrades occur or an asset-holding employee leaves.

8 Amnesty
If unofficial usage is already rife, offer an "amnesty" with guidelines for what devices are acceptable, and how they can be brought into the corporate fold, rather than simply imposing an outright ban. 

9 Keep a sense of perspective
Total security and control of mobile technology is impractical and potentially smothers the productivity gains hoped for. Be pragmatic and weigh up the advantages against the risks and costs.

Source: Quocirca and Orange Business Solutions.