I've been hearing about and writing about computer security all year long. Heck, I've even spent time exploring the interesting website of the Computer Security Institute, which, as you might expect, calls itself CSI. Recently I've noticed that the conversation is beginning to turn to a long-neglected area: mobile security. It's about time. Don't believe me? Just think about WikiLeaks and its recent threat to expose data from a hard drive "obtained" from a leading American bank.
We're all mobile now, of course, and mobile computing promises big productivity gains, but also comes with security risks that are underestimated or ignored by IT, which is more familiar with office-based firewalls. Is that you? When vital corporate data is transmitted to and stored in mobile devices that can be easily lost, stolen, or hacked, protecting it should be job one.
With 33 percent more smartphones (61 million) at work in the U.S. today, the time has come for IT to take notice and hire mobile security experts. Within a couple of years there will be 1 billion smartphone users worldwide, with a significant percentage of them tapping into corporate data. Such phones go beyond the basics of voice and data to provide a powerful mobile computing platform capable of handling enterprise applications, and those apps need to be locked down.
It's increasingly urgent for IT find qualified experts who can formulate a mobile security strategy that secures both the mobile device and the data on it, controls the communication between the device and the corporate network, and restructures the network to make mobility work, including deploying cloud-based solutions where appropriate. These are big responsibilities, and they will come with big paychecks for the people who can handle them.
Are workers attaching their own personal gadgets to the corporate network? How different is mobile security from PC security? Is mobile malware a big threat? How can we really tell who is accessing the network remotely and what they're looking at? These are just a few of the questions confronting the IT team, which fears unauthorized access to lost or stolen devices, malware, non-compliance to rules (assuming there are rules in the first place), data theft, and hacking.
Luckily, both RIM and Microsoft, the two leading enterprise smartphone OS providers, already have elaborate management platforms, and they're constantly being updated. In mixed environments where users have devices from several vendors, there are security platforms from providers such as Credant Technologies, Good Technology, Trust Digital, and others that can be deployed as well.
What's on the list of security features and techniques you should be studying?
- Password management
- Device access control
- Remote memory wipes
- Virus and malware protection
- Data encryption covering both device memory and storage
- Firewall expansion
That last point, education, is especially interesting because there's a psychological component to all this. Users often perceive their company-supplied smartphone as "my phone," and they don't want IT getting its hands on it or trying to control it remotely. The problem is that they can junk it up with questionable apps and then reconnect to the corporate network, unleashing who knows what kind of malware. Someone could make a great living simply going from one Fortune 500 company to the next delivering hour-long training sessions to heighten awareness.
The mobile workforce needs to understand that its laptops, tablets and BlackBerrys aren't personal playthings and are just as valuable as the servers locked safely downstairs in the data center. They need to know that it's not OK to take a work phone into a coffee shop, hook up to public WiFi, and start downloading next year's budget projections from the server. Maybe you can teach them.
-- Don Willmott