Controlling mobile access and security

Ten top tips
By Rob Bamforth, principal analyst, service provision and mobility, Quocirca

Many workers are now using smartphones, laptops, wireless PDAs and a whole range of mobile devices to access their office email and other IT systems. While this is seen pretty much everywhere, there are certain challenges in Eastern European countries which create particular reasons why mobile access is of interest.
For one, employees in many roles are already mobile and need access to IT when out of the office or away from their desk. They may be travelling internationally or in countries where a suitable connection is difficult to find because the telecom infrastructure is patchy. Mobile access tends to be more widely available.
Another reason is new mobility, where it is more cost effective and flexible for businesses in emerging economies or industries to allow employees remote or mobile access from their home, diverse office locations, or even public places than to try to centralise them in a fixed office location.
Mobile workers need remote access wherever they are and must be able to adapt to whatever infrastructure is available. This brings a whole new set of challenges to any business that has employees using mobile devices, whether provided by the company or brought in by the users themselves. In essence, these devices become part of the extended network and communications environment of a company and therefore need to be carefully controlled. Why? The worst case scenario is that mobile devices introduce security risks into a company’s systems.
The first stage is to recognise the extent of the problem. Research by Quocirca shows an underestimation of the mobile security challenge by business managers. Most recognise the importance of a mobile security policy, but are more trusting of mobile users overall. Two thirds believe users have a responsible attitude, and one in five managers would not mandate the use of a PIN or password for mobile device protection.
This optimism is not shared by those in IT responsible for managing mobile devices, where almost half characterise mobile users as ‘irresponsible’, and anecdotal comments tend to be even less generous. Quocirca research has in the past identified that in general, handheld mobile device security is treated less seriously than that of laptops, and is often left in the hands of the users. This is a poor strategy if mobile users are as careless as many managers believe.
So who should take responsibility for keeping corporate mobile devices and wireless access secure?
Corporate IT services are becoming more sophisticated and adding mobility further complicates matters for the beleaguered IT manager. While it is unfair to expect users to understand the details of how everything works and how to keep it safe from hackers, phishers, viruses, Trojans and other forms of malcontents and malware, they do need to adopt a responsible attitude to the items in their care. Our research shows it is rarely an absence of skills or awareness, but the attitude of users that makes the biggest difference to mobile security.
But this does in part depend on the right attitude and examples being set by those in authority, in particular senior and line management. Corporate standards where they exist should be seen to apply equally and evenly, and managers should lead by example. They should also be seen to enforce current policy, and when the policy is flouted there should be clear consequences. For deterrence to work there needs to be an appropriate response.
Taking responsibility is always hard to do, and it is generally far easier in modern society to rely on or try to blame someone else, especially when national authorities or even governments set poor examples. Many believe that they are safe drivers and resist being caught speeding by law enforcement, yet the same people would expect to be kept safe and secure from others’ poor driving by the same officers. Who should save the environment – government mandates and energy policies or individuals with low energy bulbs and highly efficient cars?
In reality responsibility is shared, often unevenly, but the authority or organisation with power as well as the individual employee have to play their part. The responsibility for managing mobile devices may ultimately lie with the IT department, but each employee has to understand the part they have to play, and this means clear and well understood interpersonal communication has to precede mobile technology communication.

Quocirca has carried out considerable research in the area of mobile communications and works closely with leading mobile network providers. This checklist covers the main issues that business and IT managers should take into account when trying to control the plethora of mobile information and devices able to access a company’s systems, whether a large enterprise or growing business.

1 Establish the business policy
Start with a business policy for mobile access – who can have access to what systems – email only, sales info, stock info, HR records? Company systems only or the worldwide web? Read-only or able to update? From where: home, when mobile, when in other offices? With what sort of devices, and whether employees’ own or company-owned? This will then feed into a narrower IT policy, such as what sort of operating system the devices must work on, or whether there is a need for real-time access to systems.

2 Communicate
The mobile access policy must be understood from the top to the bottom of the organisation and be a part of the core business processes, with users receiving training, reinforced regularly. Users must understand company policy, including expected levels of care and penalties for misuse.

3 Build on experience
Mobile access will change the way people work, and this might cause a change in the way the company works. For example, it could lead to more home working. Over-the-air updates will enable users to install critical patches and security upgrades without having to return to base. While this may all be good news, it makes sense to run pilots to gain internal experience, as well as draw on the experience of others, for example, partners and suppliers.

4 Support policy and processes with technology
Not, as is often the case, the other way round. Do users need an over-the-air connection to access real-time data? Or can they download information at the start of the day and upload it at the end? This should drive whether an over-the-air connection is needed or not: the driver should not be the coverage or data rates available. Make the most of technology to improve processes, for example, using automated back-up and data synchronisation to reduce manual error.

5 Provide a single point of support
Users need a simple method of getting help or advice in the event of a problem. During a pilot, provide specialist support, but once deployment broadens, fold it into the standard support services. One number to call, one website to visit, one email address for support is ideal.

6 Protect the device
Antivirus, firewall and VPN software protection should not be left to users, but provided as a corporate resource, installed on every suitable mobile device, updated regularly and automatically. If users provide their own devices, employers should mandate licenses for protective software.

7 Asset tracking
Log the kit given to employees in an asset register, update it whenever loss, theft or upgrades occur and close the entry when the employee leaves. This tracks the level of risk and instils in users a responsibility to take care of corporate assets.

8 Amnesty
If unofficial usage is already rife, offer an ‘amnesty’ with guidelines for what devices are acceptable, and how they can be brought into the corporate fold, rather than simply imposing an outright ban. Better to understand the size of the problem than ignore it hoping it will go away.

9 Limit choice
An effective and simple solution is to limit choice. But first consider alternatives for different mobile requirements by running a number of pilots in parallel. Get involvement from a range of partners: handheld manufacturers for range and roadmaps, software suppliers for cross-platform restrictions, and operators for connectivity options and limitations.

10 Finally, keep a sense of perspective
Total security and control of mobile technology is impractical and potentially smothers the productivity gains that the company wants to achieve. Apply pragmatism and weigh up the advantages against the risks and costs.

About the author and Quocirca
On behalf of analyst firm Quocirca, Rob looks at the business impact of service provision on organisations of all kinds, from large enterprises through to SMEs. A regular contributor to the media, Rob’s career has been wide-ranging, beginning as a software consultant and followed by a dozen years at Sun Microsystems, where he played a pivotal role in establishing Sun’s Executive Briefing Centre programme. He subsequently joined the wireless and mobile practice at Bloor Research, before joining Quocirca.
Quocirca has rapidly established itself as one of Europe’s leading analyst and research organisations and provides detailed insights into the technologies that are shaping business today, from small/medium business level through to multinational corporations. Mobile technology, data communications, IT security, IT channels, business processes and infrastructure are among the main areas covered by Quocirca.
Quocirca aims to help end-users to cut through the hype that surrounds so much of IT and communications, while at the same time, providing vendors with material that truly reflects the state of the market. Since forming in 2000, the company has served clients worldwide, including Adobe, Cisco, Computer Associates, Dell, EMC, IBM, Microsoft, Oracle, Orange, salesforce.com, Symantec and Vodafone. To find out more about Quocirca, visit www.quocirca.com.

© LRGA Media Ltd 2006. All rights reserved. Republication or redistribution of LRGA Media Ltd content, including framing or similar means is expressly prohibited without the prior written consent of LRGA Media Ltd.