There was once a time when you could leave the office and your data was kept safe behind locked doors, firewalls and endpoint security, while computers were protected with anti-virus software and the latest security patches. This is no longer the case. As businesses increasingly bring in mobile devices for their staff, data can no longer be pinpointed to the office but instead is now in the open, following employees wherever they go.
In reality, it is likely that employees do not even realize they are carrying important information around with them. However, if they are taking their business smartphones everywhere they go, whether on a train, in a restaurant or taken on a night out, then they likely are also carrying around sensitive enterprise information. With the number of businesses currently deploying mobile devices to members of staff, this is a risk that cannot be ignored.
Our recent State of Mobility survey, which polled over 6,000 C-suite executives, highlighted an uptake in mobile applications across organizations, increasing the need to up security controls. The report also saw IT admitting its hands are full managing mobile, with 48% saying it is somewhat to extremely challenging and that an increasing number of staff are becoming involved in mobility IT. With figures so high, banning mobile computing devices from the corporate network isn’t going to work – such a move would drive mobile computing ‘under the table’, leaving IT staff in the dark. Also, complicating matters is that employees are demanding support for an increasingly wide array of mobile devices and platforms.
Instead, enterprises must develop unobtrusive ways to secure their IT environment without significantly compromising the real productivity gains associated with mobile computing. It’s vital that businesses extend their mobile security strategy to include mobile-specific encryption policies. By securing the data itself, the risk of losing sensitive data posed by a lost or stolen device can be further reduced. It is important to understand how encryption makes this possible.
For example, if an attacker manages to get his or her hands on an employee’s smartphone and then gets past the phone’s screen lock and password – if there’s even one in place – they now have access to a world of information. With a simple touch of the email icon, they have unlimited access to the employee’s email account and all the sensitive customer data and sales forecasts contained within. This often occurs before the employee even knows it’s gone, and long before they are able to report the loss.
Nevertheless, businesses are able to stop this from happening just be employing encryption technology on all emails containing potentially sensitive information. By doing this, the messages in the employee’s inbox stay encrypted, and the attacker cannot access any of the sensitive information. The data itself has its own security measures, and can’t be accessed by unauthorized personnel who have improper possession of the mobile device.
| "The all-or-nothing approach to security is too inflexible for mobile environments" |
When implementing encryption to secure data being transmitted to and resting on mobile devices, there are several steps to consider. First, you need to ensure mobile access to encrypted data is independent of network availability. Accessing encrypted data on mobile devices can be a bit tricky if it is not done right. Because mobile devices are designed to be used on-the-go, the employee might not always have network connectivity. Therefore, it’s important to choose an encryption solution that can be utilized offline.
The best approach to solving this issue is using an encryption application that runs natively on the mobile device’s operating system. This ensures that the message stays protected from the time it’s sent until the time it’s received. Because the application performs the encryption, it can operate even in offline conditions, thus ensuring that information is always available when the user needs it, regardless of network status.
Second, it is vital to enable users to use their devices the way they want, under conditions that IT supports. Some approaches to information protection place severe limitations on how it can be used. For example, one approach is to use encryption in a manner that is policy-driven and granular enough to work with existing applications under the proper conditions. The all-or-nothing approach to security is too inflexible for mobile environments. What is needed is to blend encryption and data protection together with the user interface and mobile applications.
With the dramatic increase in smart mobile device use, it is impossible for organizations to know where potentially sensitive data will travel. Employing data encryption on mobile devices, however, brings a new level of security to sensitive business information, allowing IT to provide support while enabling users to work with as few restrictions on their productivity as possible. Employees are happy to have the device of their choice and administrators can rest easy: win-win.
| Symantec is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe held on 24–26 April 2012 at Earl’s Court, London. The event provides an unrivalled free education program, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. Visit the Infosecurity Europe website for further information. |
Siân John, CISM, CISSP, is a distinguished engineer and security strategist for the UK and Ireland at Symantec. As such, she serves as the security CTO for the UK and Ireland enterprise business, engaging with senior individuals from customer organizations and feeding back their requirements to Symantec’s security business unit. Siân leads Symantec’s engagement with large customers, working with contacts at a senior level to understand their business priorities, and providing guidance on security and risk management issues. Siân has been a part of the IT industry for over 18 years, both as a security architect and as an independent security consultant, working on projects to map customers’ business requirements to security solutions.