The desire to cultivate a mobile workforce has appealed to many businesses due to the increased productivity and flexibility they bring to an environment where watching the bottom line has become an integral element of every strategic roadmap. According to a recent survey from the Economist Intelligence Unit last year, three quarters of 1,500 people polled around the world said that mobile devices were very important to the success of their job, helping to increase their efficiency and reduce response time.
However, this increase in take up of mobile devices and encouragement by businesses to allow employees to communicate 'anytime/anywhere' also has far-reaching implications for security. Once a device is beyond the corporate firewall, how do you manage it? How do you protect it? And whose responsibility is it anyway?
The speed of malicious attacks is becoming ever shorter with each new device invention. It took ten years for security issues to hit the desktop. This was shortened to three years for the notebook. Now, within a year of a new handheld device appearing, a virus has been invented to hit it. In short, the wave of attacks is increasing in volume and frequency and existing defences are not sufficient to tackle the problem.
Until recently, the number of electronic connections into an organization was quite limited, and it was enough to deploy perimeter defences such as firewalls to prevent would-be intruders from accessing the corporate network. But with today's highly mobile workforce, there are now many alternate connection points into the internal network. Laptops are frequently removed from the office environment and attached to the internet and other public and private networks, where they risk attracting malware. With the new 'thumb drives' and 'memory sticks' for USB ports, any number of trojans, viruses, key-loggers, dialers and other spyware can be inadvertently or maliciously introduced into a business network.
All of these risks are making IT organizations realize that the notion of "perimeter" needs to be redefined. To be effective, enterprise security must now protect the individual computing devices outside of the business environment. It's not enough to just write an IT policy and hope that employees observe the fact that they are obliged to update their software and get the latest virus patches downloaded onto their laptops. Each individual device needs to benefit from network security features such as vulnerability detection, spyware detection and removal, network access control and application blocking.
In order to make this possible, it's necessary to take the problem one step further back. To secure every laptop, PDA and Blackberry, you need to know how many you have, who's got them and what policies you need to protect them. Regular inventory control is vital to support any security policy. So is auto discovery of malicious software, standardization of platforms and loads, regular threat analysis, as well as patch management for rectifying things when malicious software has been able to gain access to the network.
In addition, firewall collapse to specific devices deemed a security threat should ensure that no mobile device can access the contents of the network until is clean and safe. The question is, how is it possible to address all of these things across every single mobile device?
Up until now this has been a difficult question to answer. Perfect device level security is, at the current time, impossible. The ultimate goal is to develop a security policy for every single data file, to ensure that the information is protected, regardless of which device it is on, so that data can be locked in the same way that computing environments can be locked, However, that day is not yet here, so in the meantime, everything possible must be done to ensure that devices are automatically protected. The key to doing this is combining systems management with security to enable organizations to take active control of device-level configuration security, control device access and establish automated policies to maintain a secure computing environment. One should not and cannot exist without the other.
Herein lies an opportunity for IT managers to seize the security problem by the scruff of the neck and tackle it head on. The mobile security issue is on a large enough scale, with sufficiently far-reaching consequences to be addressed and soon. The technology is there for a single, automated console to support the IT department in the management of these devices. The threat is there and growing. The only thing that is not there is an excuse not to act.
There is one final point to be observed – device manufacturers themselves have a responsibility to tackle the growing security threat on mobile devices. Before long, built-in security on your Blackberry or your mobile will become a purchase criteria. The onus is therefore on the manufacturers to recognize and address the problem to make the life of the IT manager easier and the job of the hackers harder.
The security nightmare is that cyber terrorists will strengthen their reign. The security opportunity is that the mobile issue will force organizations to take a long, hard look at their ability to protect their organization as a whole – from the salesman with the PDA to the financial director at his desktop. Only by recognising and embracing the fact that mobile security cannot be separated from the wider systems management issue will internal and external threats stand a proper chance of being thwarted before they actually cause any damage.
The author is VP at LANDesk Software