Increased mobility should be secured
A rise in mobile access to IT systems should lead to an increase in the levels of security to counter growing dangers. But this is not always the case, writes Bob Tarzey
A rise in mobile access to IT systems should lead to an increase in the levels of security to counter growing dangers. But this is not always the case, writes Bob Tarzey
Increasing employee mobility means access to IT is spreading further away from the physical location of a business’s computers. But flexibility in working practices needs to be balanced against the increased security risks. Too many business managers are complacent and could do with a wake-up call.
In a recent Quocirca survey of more than 2,000 businesses, more than 70 per cent of those questioned listed workplace flexibility as driving their interest in mobile technology. This rose to 80 per cent for respondents who considered themselves committed to the use of mobile technologies. These committed leaders were also ahead of the game in enforcing security around the use of the technology.
However, even among those committed to the use of mobile technology, there was a worrying lack of enforcement of any mobile security policy. Instead there is often a complete lack of it. For some, this is because it is buried in wider IT security policies. But for others it is down to complacency. Many managers were prepared to give their employees the benefit of the doubt and assume that they are using mobile access to IT responsibly.
This is bizarre in a world where the loss of laptops, smartphones and PDAs is commonplace. IT managers are more aware of the issues than business managers. This means smaller businesses will often be the most vulnerable, because IT management is often carried out by a business manager whose priorities lie elsewhere. Many of these smaller businesses are reliant on VARs to advise them. So what should the advice be with regard to a mobile security policy?
All businesses should have a clear mobile security policy in place, even if it is just to prohibit unauthorised use of devices accessing a business’s IT resources. For those that adopt a more open approach, it is as much about nurturing good practice through education as it is about investment in security technology that goes beyond the basic products that enable mobile data access.
The mobile security policy also needs to apply to all. Managers often reward themselves with mobile tools ahead of others, so they need to lead by example. It is no use admonishing an employee for the loss of sensitive corporate data if the chief executive is going to be in the headlines the following week for a similar offence.
Mobile security needs to be practical and in the interests of users. There is no point in locking systems down so tightly that access becomes too difficult. Having said that, the degree of access required will vary widely. A field service engineer will need access to a different set of data to a sales executive. Senior management will often demand wide ranging access, but even this needs to be kept in check.
Policies need to be communicated effectively and regularly, and enforcement should be audited. It is all very well to stipulate that mobile devices should be password-protected, but unless employees are constantly reminded of this, many will lapse into bad practice.
Mobile access to data is a great enabler, but businesses should not lose sight of its darker side. The good news is that the more familiar they become with the technology, the savvier they become about security. c
Quocirca’s Mobile Security and Responsibility is free to CRN readers at www.quocirca.com/report_mobsec.htm