Securely mobile and still working
Take risks and reap rewards with secure mobility, argues Scott Nursten
Mobility is becoming ever more important to improve employee productivity. It can also help organisations retain staff and meet regulatory requirements for flexible employment. But merely giving staff a smartphone or laptop is not enough.
Effective remote working requires fast, easy and ubiquitous access to a secure network and key corporate data. Staff must be working smarter rather than harder.
Organisations are perhaps tempted to take short cuts to secure mobility, taking a softer view of the inherent risks associated with allowing sensitive data to leave the secure confines of the corporate network.
Indeed, many are happily handing out smartphones yet forbidding staff to use laptops outside the building for fear of theft and subsequent negative publicity.
Smartphones, while convenient, are one of the biggest risks to corporate security. Phones are typically used, and misused, in myriad locations – from pubs to holiday homes – where they are often lost or stolen.
Using these phones to access the corporate network is highly risky. When a phone is accessed through a physical port, standard passwords and PINs can be bypassed and all data on the phone accessed.
Attempts to secure these phones are highly proprietary and device-specific, creating an administrative nightmare in organisations that may have multiple models of handset to manage.
The core network itself may be vulnerable. Recent news stories about the ease with which hackers in the US stole millions of consumer credit card details simply by accessing unsecured wireless networks illustrate this danger.
If the corporate network is unsecured and data is lost, the corporation is directly responsible and compensation can cost millions of pounds.
Yet businesses, while very concerned about employing the most advanced technology for convenient customer service, such as online payments and web-based kiosks in store, are still reluctant to invest in the most effective security tools to protect their own servers and networks.
This is clearly a false economy. For a business to run at maximum capacity, security has to be inherent in every aspect of the corporate IT infrastructure, from servers to end points.
Organisations also enable staff to access email via standard web portals without implementing any security. This attitude risks a loss of critical data and damage to business through industrial espionage or high-profile media exposure.
It is only by having a tight handle on each aspect of the network that businesses can benefit from staff mobility.
There are, obviously, significant risks associated with allowing sensitive data to leave the confines of the secure corporate network.
Yet the correct deployment of technology and the implementation of effective security policies can create a secure mobile workforce that delivers tangible competitive advantage.
There is little point, for example, in providing users with technology that is slow when used remotely, or requires them to update CRM systems at a later date rather than in real time.
This approach takes as it gives and will lead to apathy at best, resentment at worst. A good flexible working strategy can improve staff morale and customer relationships.
Organisations need to understand how mobile technologies will be used and what risks will be created.
If users are accessing corporate data via standard 3G networks, wi-fi or even customer networks, it is essential to understand the associated risks, from data leakage to identity management and information lifecycle management.
How are users achieving secure access to the network? Is the device trusted and does it have fully patched antivirus software? Who is using the device?
Organisations also need to understand the implications for information lifecycle management.
What data is being accessed remotely, by whom, and what are the user privileges? Who has responsibility for creating, updating and deleting information?
Not every organisation will need to address every component of this security mix – with the notable exception of financial institutions.
For most, once an organisation has defined – preferably through the users – how mobile technologies can be used, it is fairly straightforward to define policies and adopt proven, mature security tools.
A lost laptop, for example, does not need to be a problem. Hard drives can be encrypted and password software used to remove the danger of keyboard capture.
Simple ways exist to secure remote devices – other than smartphones – that enable organisations to provide risk-free remote access to the corporate network any time or anywhere.
Ensure users are involved in every aspect of planning and defining the mobile working strategy, especially security. If users are not participating actively in the security policy it is useless. Staff need to feel trusted and they also need to trust the mobile technology they use.
If a business actively engages with users in creating the mobile strategy, staff take security concerns more seriously. Imposing draconian security policies on users will only create resentment.
It is by entrusting staff with intellectual property and reinforcing an understanding of their role as trusted business enablers that an organisation can foster the corporate loyalty that minimises its security risk.
The drive and need for mobile working has never been stronger. Yet as the economic downturn continues, organisations may cut back on mobility investment.
The idea of investing in the network might seem daunting when margins are reduced, but in the interest of working smarter, not harder, it’s imperative to keep staff on the move.
Scott Nursten is managing director at s2s