You have secured the fort against attack. The only hitch is that you handed out hundreds of keys to the back door, most of which are unaccounted for. And a lot of unauthorised copies were made too.
This is the security nightmare facing CIOs as mobile employees use an array of WiFi-enabled laptops, wireless PDAs and smartphones to access company networks and data while on the move.
Not long ago, most IT departments ignored the risks. But this became dangerously irresponsible and so they installed security software (such as antivirus and personal firewall applications) on these portable “back doors”.
But are IT teams keeping pace with the risks? Viruses mutate daily, users add applications and unforeseen risks emerge. Addressing these evolving threats means continuous software updating, a difficult task once a mobile device has been issued to an employee.
“This is a significant pain point,” says Ken Denman, chief executive of iPass, a remote access service provider. “Once devices are out in the wild, they don’t routinely return to the mother ship for management.”
This is why device management solutions are emerging as the number one mobile security issue. These centralised enterprise applications enable the network automatically to scan a remote device prior to granting access. If the mobile device does not meet access policies or has outdated security software, the network can perform over-the-air updates.
“There is no reason mobile devices shouldn’t be fully secured. The technology is there,” says Peter Wissinger at Microsoft mobile devices. But enterprises are finding it difficult to implement. “There are lots of tiny vendors in this space, but no one can supply a whole solution,” says Richard LeVine, a senior manager in Accenture’s security practice.
But soon device management will receive a boost from Microsoft. A free security update will enable companies running an Exchange 2003 server to manage security remotely on Windows Mobile 5.0 devices, including remote erasing of data stored on the device. Securing data stored on the terminal is just as important, says Mr Wissinger. “Last year, 85,000 phones were left in Chicago taxis,” he points out. But challenges remain. Mobile devices are often bought directly by employees. To manage these, users must physically bring the devices into the office for an initial security check and to have a remote access client installed.
Reuters, for instance, permits its journalists to use their own mobile devices. “They have to bring it in to us first. We scan it for potential threats and then we put the iPass client on. We also brief them [on security] and all staff have to adhere to the generic electronic code of conduct,” explains Keith Mitchell, global head of shared services & content technology.
So far, wireless security has focused on laptops, and to a lesser degree on wireless PDAs. But smartphones are increasingly likely to be targeted as they become more diffuse: analysts at Gartner estimate smartphones will outnumber laptops by 2008.
“I don’t think companies are giving enough attention to smartphones – they are full-featured mini PCs,” warns Ken Munro, Managing Director of SecureTest, an IT security company. He also points out that authentication credentials are often stored on mobile devices, meaning anyone in possession of the device can access corporate email. Vodafone’s John Lillistone agrees. “The security issues are the same as for PCs. We are keen to get a head start and take the learning from the PC world,” he says.
In November, Vodafone UK will introduce a remote device management service, and other security offerings will follow. “This will be a big feature in the next 12 months,” says Mr Lillistone.