Mobile computing has changed business for the better in recent years, developing new avenues for productivity and...
But the trend toward on-the-go computing also creates endless risk management challenges, and requires an entire remapping of organization-wide mobile computing security processes. Without such policies in place, even a seemingly small, everyday occurrence like losing a device can have huge consequences.
"One of the biggest threats is just the likelihood of losing the device," said David Lingenfelter, co-chairman of the Cloud Security Alliance's (CSA) Mobile Working Group. "Employees are putting corporate data on these devices now, and misplacement of these devices is extremely easy."
The CSA's Mobile Working Group recently released a report titled Security Guidance for Critical Areas of Mobile Computing, which outlines the current state of mobile device use in the corporate setting and the top mobile computing security threats.
In addition to data loss from misplaced or stolen devices, other big mobile computing security concerns include information-stealing malware, data loss through third-party applications, unsecured network access and insufficient mobile management tools.
Employees' increasing use of consumer-targeted platforms, such as Android and those from Apple, in the business setting creates new obstacles for companies from a mobile security standpoint, said Cesare Garlati, co-chairman of the CSA Mobile Working Group.
"These new platforms are consumer platforms; they do not have the characteristics of security and manageability that we are used to," Garlati said. "Corporate IT cannot train help desk support to help people install, maintain and fix issues with a device that corporate doesn't own, and probably doesn't even know where they are."
One issue that does not help the situation is the lack of risk and compliance regulations around mobile device use in the business setting, Garlati said. This lack of direction and the security holes in mobile devices create huge headaches for both consumers and the businesses that use these devices for everyday activities, he added.
"I would really like to see regulators, in general, communicate that, and say that it's not acceptable for ISPs [Internet service providers] to expose the user to these kinds of risks," Garlati said.
The importance of BYOD policy
Until these mobile computing security rules are developed, a solid bring-your-own-device (BYOD) policy should be in place that clearly outlines both employees' and their company's role in protecting corporate information. The policy should define in what situations the company can take control of the device, and how the company should separate corporate information from personal information.
It does not end there. Lingenfelter suggested the BYOD policy have processes in place to completely wipe corporate information from the device in the event of a security incident. The trick is to have tools or mobile device management products that give the company control over the corporate-level applications on the device, without stepping on employees' personal information.
"On top of policy, I think you have to have controls in place -- whether it's a mobile device management product or application control -- so the IT team retains some control over what applications get put on the device," Lingenfelter said. "With that centralized control, the IT manager can still remove all the corporate applications without impacting any of the personal stuff."
The privacy issue is not one to be taken lightly when developing a BYOD policy. Companies need to take into consideration, and work around, any potential employee privacy violations that could occur from monitoring mobile devices with security in mind.
When employees connect to a corporate network on their personal device, the company most likely wants, and needs, to track and filter information to secure business activity. This creates potential violations of new online privacy rules, like the ones recently implemented in Europe.
The privacy issue is part of what Garlati calls "the dark side of BYOD," whereby companies create liability for themselves by applying outdated, traditional management models for mobile devices that the company does not own.
"Companies need to understand that, in a BYOD scenario, all acceptable-use policies are simply not going to work from a legal standpoint," Garlati said. "Companies should create new policies, and develop specific language that clearly states the things you can and cannot do if you connect your device to the corporate network."