Enterprise Security Trends Blog | HP Blogs
Keep up with the latest cyber, consumerisation, collaboration and cloud enterprise security trends from the team of HP information security professionals.

Enterprise Mobile Security - what are the risks of consumerisation?

by Paul Schwarzenberger, CISSP, CLAS

Here at HP we have noticed that many of our customers are embracing the concept of “consumerisation” – the desire of employees at all levels to use their personal mobile devices such as the iPhone, iPad, and Android phones, to connect to corporate systems such as e-mail, calendar, contacts and the intranet.

Consumerisation places the IT Director or Chief Security Officer in a challenging position – on the one hand, use of personal devices may increase productivity, mobility, employee satisfaction, and possibly even reduce cost for the organisation. On the other hand, placing corporate data on to a personal device could significantly increase the risk to the organisation of data loss, regulatory infringement and potential reputational damage.

How significant are the risks of allowing widespread use of personal mobile devices in an organisation? To help assess the overall risk, here are some examples of potential methods by which use of a personal smartphone could result in loss of an organisation’s confidential information:

  • Viruses – while not as common as for laptops, there have been viruses developed to target smartphones
  • Malicious apps – earlier in 2011, Google identified 58 apps within the Android MarketPlace as malicious and removed them. A malicious app could record voice calls, take screenshots or act as a keylogger and then upload information to a server on the Internet
  • Synchronisation – when a smartphone is connected to a laptop or desktop via a USB cable, files are copied to and from the mobile device. This could lead either to data loss, or to a virus being introduced to the mobile from a home computer
  • Productivity apps – the widespread popularity of apps such as GoodReader and DropBox means that a well-intentioned employee can easily place confidential information on unknown, uncontrolled servers on the Internet
  • Encryption – many mobile devices do not have the capability of encryption. Where encryption has been implemented within a mobile operating system, in some cases there have been successful attacks to bypass the encryption password

From these examples, it may seem that the best approach for the IT Director or Chief Security Officer is to “just say no” to requests from employees to use personal devices, or simply to avoid thinking too much about the issue. But the former could result in a loss of productivity and employee dissatisfaction, while the latter could lead to significant data loss, damage to the company’s reputation, or even large fines in the case of a regulatory infringement.

HP works with organisations to help them assess the value of their information, understand the regulatory requirements applicable to their sector and the potential risks, and examine options for technical solutions to minimise those risks. To support this, HP has developed an Enterprise Mobile Security architecture – a model which identifies the various security measures which can be taken to reduce risks to corporate data.

Significant elements of the Enterprise Mobile Security Architecture include:

  • Business applications – understand which business apps are required – is it just e-mail, or are there other applications as well
  • Secure Container – separation of corporate data from personal data on the device
  • Encryption – ensure that either the whole device, or just the corporate data is protected by encryption both for data at rest and data in transit
  • Mobile Device Security – enforce the use of a password on the device, whitelist or blacklist apps, block jailbroken devices, prevent screen capture, ensure updates
  • Device Management – monitor, audit, reporting, remote wipe of device, remote wipe of corporate data, remote unlock

A significant number of organisations have already implemented enterprise mobile security solutions, to allow the use of personal mobile devices, while retaining control of personal data. Examples can be found in many sectors ranging from the financial and legal sectors, to consultancy organisations and some parts of the public sector.

Many other organisations are now at the point where they are considering the best approach to take to solve the challenge of consumerisation.

Check out our 7 steps to plan for consumerisation.

Learn more about information security from HP.

Comments
Bee(anon) | ‎07-02-2012 08:15 PM

Allowing employees to access company records and accounts through their personal mobile devices can be risky. Organizations must stay current on mobile device security options to keep themselves protected. This blog included many ideas and tips for security that I found very helpful.

About the Author
  • A business first, senior executive, with over 20 years of hands-on experience in defending banks, governments and corporations against cyberwarfare. My career in security started when I was employed to crack a secure system, which had locked down the boot process, whitelisting of applications and encrypted disks. I linked TeamOffice (an ICL email and collaboration system) with Microsoft Word to send an email which allowed me to do anything the person reading the email could do and send the results back to me, all without their knowledge. Having proved this vulnerability, I worked with Peter Simpson to create Defuse, a tool that blocked inappropriate actions. This successfully blocked Winword Concept, the first known malicious code in the wild. From these beginnings I have investigated all aspects of security to provide an holistic approach to security as a business enabler, and I am currently advising organisations on the suitability of the cloud to their needs.