There is a growing adoption of mobile devices to access corporate services, view corporate data and conduct business. The significant adoption of mobile applications demonstrates remarkable confidence, by organisations, in the ability for mobility to deliver value. According to the 2012 Symantec State of Mobility survey, a third of Indian respondents allow employees to use mobile devices for business use without restrictions.
However, corporate nervousness about mobile computing is understandable. CIOs are facing a trial by fire. According to the same survey, mobility ranked as the leading IT risk among organisations, being cited as one of the top three risk areas by 40% of respondents.
While the mass adoption of both consumer and managed mobile devices in the enterprise has increased employee productivity, it has also exposed the enterprise to new security risks. While the most popular mobile platforms in use today were designed with security in mind, and certainly raise the bar compared to traditional PC-based computing platforms, they may still be insufficient for protecting the enterprise assets that regularly find their way onto these devices.
Many of these devices are not controlled by the administrator, meaning that sensitive enterprise data is not subject to the enterprise's existing compliance, security, and data loss prevention policies. The main concerns include device loss, data leakage, unauthorised access to corporate resources and malware infection. According to Symantec's latest Internet Security Threat Report, mobile vulnerabilities increased by 93% in 2011 and threats targeting the Android operating system are on the rise. Additionally, Symantec's State of Mobility survey pegs the cost of mobile incidents for Indian enterprises at R42.32 lakh.
To complicate matters, today's mobile devices are not islands; they also connect to an entire ecosystem of supporting cloud and desktop-based services. The typical smartphone synchronises with at least one public cloud-based service that is outside enterprise control. At the same time, many users also directly synchronise mobile devices with home computers. In both scenarios, key enterprise assets may be stored in any number of insecure locations outside the direct purview of the enterprise.
With that said, when properly deployed, mobile platforms allow users to simultaneously synchronise their devices with both private and enterprise cloud services without risking data exposure. However, these services may be easily abused by employees, resulting in the exposure of enterprise data on unsanctioned employee devices as well as in the private cloud.
Today's mobile devices are a mixed bag. Enterprise mobility delivers on productivity because employees know how to use, and enjoy using, their own devices. It can also reduce capital expenditure as businesses can leverage devices employees may already be paying for. In addition, employees often take better care of devices they have selected and purchased. However, while mobile devices promise to greatly improve productivity, they also introduce a number of new risks that must be managed by enterprises.
It is imperative that enterprises seek to understand the entire ecosystem the devices used by their employees participate in, and then formulate effective device security strategies to mitigate the risk these devices create. Any mobile strategy should take into consideration the following best practice recommendations:
Enable broadly: To get the most from mobile advances, plan for line-of-business mobile applications that have mainstream use. Set clear and measurable objectives for productivity gain, employee satisfaction and customer services.
Think strategically: Explore all of the mobile opportunities that can be introduced and understand the risks and threats that need to be mitigated. As you plan, take a cross-functional approach to securing sensitive data. Ensure your mobile strategy is future-proof and accounts for rapid changes in usage, increasing number of devices and emerging platforms.
Manage efficiently: The management of mobile devices should be integrated into the overall IT management framework and administered in the same way, ideally using compatible solutions and unified policies. This creates operational efficiencies and lowers the total cost of ownership.
Enforce appropriately: As more employees connect personal devices to the corporate network, organisations need to modify acceptable usage policies to accommodate both corporate-owned and personally-owned devices. Management and security levers will need to differ based on ownership of the device and the associated controls that the organisation requires. Employees will continue to add devices to the corporate network so organisations must plan for this legally, operationally and culturally.
Secure comprehensively: Focus on the information and where it is viewed, transmitted and stored. Integrating with existing data loss prevention, encryption and authentication policies will ensure consistent corporate and regulatory compliance.
Consider the cloud: Employees will expect to access cloud services from mobile devices, and the success of the mobile world is itself dependent on cloud services to store and access information.
The writer is VP & MD, India product operations, Symantec