The increase in mobile working means data security issues are growing in both
scale and complexity. Although the initial costs of deploying technology to
support an increasingly mobile workforce are actually falling, some companies
are making very costly oversights in not protecting their corporate information
from the increased risk of exposure.
The wide range of devices and networks being used to accommodate a flexible
workforce is making matters even more complicated. With many workers now using
smartphones, Blackberrys, laptops and other mobile devices to access their
office email and IT systems over disparate public cellular, Wi-Fi and broadband
networks, protecting organisations from the potential risk of exposure is vital.
Most companies are increasing their spend on mobile working, but research
from Quocirca finds that the funds only come from planned increases in mobile
services budgets in fewer than 40% of cases.
For most, unplanned increases in mobile budgets or cuts elsewhere are the
norm. While mobile phone, data and broadband access tariffs are becoming more
competitive, usage is rising and the cost of making out-of-office working secure
is not being addressed early enough in the planning stage.
Security is a prime concern for anyone considering mobile technology, but it
need not be a deal breaker, providing sufficient thought is given to the needs
and vulnerabilities of the business. Although the cost of mobile hardware is
falling, and can normally be covered by a suitable insurance policy, corporate
data assets are at far greater risk.
Take ‘IT’ seriously
While there are numerous ways to offer technical protection to mobile
devices, the data they hold and their applications for example, through
antivirus software, remote kill and wipe, or regular synchronisation there is
still a risk that the individual using these devices could be negligent in his
or her responsibility.
Getting users involved, committed and taking responsibility when carrying and
using the company’s assets helps to offset the most important mobile security
issues data falling into the wrong hands or being lost through device theft or
Involving users at the start is not only a security benefit, it allows a
better understanding of whether particular types of mobile technology enhance
the working processes and deliver productivity gains. Not only can users see
where the niggling inefficiencies are, but also any eventual productivity gain
is dependent on their attitude and goodwill. Win over their active involvement
early and mobility projects should run more smoothly.
Managers also need to consider their own attitudes. The first requirement is
to recognise the extent of the problem. Quocirca research reveals that many
business managers underestimate the extent of mobile security challenges.
Two-thirds believe users have a responsible attitude, and one in five managers
would not make the use of a PIN or password for mobile device protection
But this lax approach is not shared by those in IT responsible for managing
mobile devices, where almost half characterise mobile users as “irresponsible”,
and anecdotal comments tend to be even less generous. Past research suggests
that, in general, handheld mobile device security is treated less seriously than
that of laptops, and is often left in the hands of the users.
IT managers should invest in tools that add layers of protection to mobile
data and devices. These need to be assessed and, where useful, used to reduce
risk. Overall, though, it is important to realise that absolute security is
impossible, and risk has to be managed through commercial as well as technical
mechanisms, such as insurance.
A good starting point is to ensure that an overarching security policy is put
in place to cover all aspects of mobile technology both that which is
officially deployed and that which is not. This has to recognise the different
levels of sensitivity to data: some information is trivial and does not need
extensive protection, while other data may be highly confidential, with serious
legal and financial implications if compromised.
Security policies and rules have to gel. Too strong a policy and any benefits
are lost; too weak a policy and the repercussions can be seen in the media
stories of organisations whose employees have lost laptops that hold sensitive
corporate data, or have had other electronic devices stolen.
It is also important to ensure that users are well versed in proper and safe
mobile working, and that they have the tools and direct support channels to fix
problems as they occur. Good communication is vital and while intranets and
emails are simply default ways to push out information, it is better to fully
engage everyone with two-way communication through training, employee induction
and management support.
Too often the investment required to ensure mobile security is viewed as a
technical decision, but if left to the technologists alone it will often result
in a solution that is too involved and complex. A pragmatic approach needs to be
taken, based on the business needs, but significant efforts must be put in place
to ensure that the weakest links employees learn to be more mobile-aware.
This requires investment in tools, training and business processes, but since
many companies are recognising significant improvements in productivity,
responsiveness and customer and employee satisfaction from the deployment of
mobile technologies, there are valuable returns.
In order to ensure these are achieved, companies must treat mobile working
like any other business investment: they must plan ahead, execute carefully and
Effective mobile deployment
- Start with business needs, not technology availability
- Define a mobile security policy based on business needs
- Generate user buy-in and involvement from day one
- Align tools to user needs, not the reverse
- Test the technology; pilot the changes in working practices
- Security needs to support not strangle users; after all, productivity is the
- Anticipate the complexity of more users and more technology choices
- Stay flexible and continue being pragmatic post-deployment
Rob Bamforth is principal analyst at Quocirca
Driving opportunity for all and empowering businesses for success are the key themes for the Sage Summit UK this year, which takes place on 5-6 April
The partnership will see PwC have 'physical presence' at CodeBase in Edinburgh
Unincorporated businesses under the VAT threshold given an extra year to prepare before MTD becomes mandatory
Simon Wright of CareersinAudit.com discusses how an effective cyber defence force is critical to businesses worldwide and how internal auditors can make the transition to a new career in cyber security