Eyeing what could be a substantial business advantage, enterprises are racing to make their workforces mobile. Salesforce.com’s ongoing love affair with the Apple iPad extends beyond equipping its executives with the device to singing its praises at every opportunity.
Mercedes-Benz distributors are giving their staff iPads, banker JPMorgan Chase plans to do the same with its executives and SAP runs the bulk of its business on mobile devices.
While this increased capability for instant communication makes a business significantly more agile, it also poses a threat to enterprise security. Companies often encourage staff to use their own devices for work, increasing the risk that their devices will get infected and pass on malware to the enterprise network. Worse still, different types of devices are proliferating in the enterprise, making it difficult for IT to keep up.
The iFruit of the Tree of Knowledge
“I’ve been monitoring the mobile security space for quite some time, and I think it’s still an underestimated topic in the enterprise world,” Torsten George, vice president of worldwide marketing at Agiliance, told TechNewsWorld.
Blame the mess on Apple — many IT folks do. IT was perfectly happy with users having BlackBerry devices, which run on Research In Motion’s corporate servers and offer high-level security. Then the iPhone came along and things went to the dogs.
“When Apple introduced the iPhone, the whole IT world changed,” George said. That’s because senior executives wanted to use their iPhones at work.
“The iPhone became attractive to C-level people who brought it into their organizations and demanded IT enable the iPhone on the enterprise network,” George elaborated.
Those demands put corporate IT between a rock and a hard place. On the one hand, an IT staffer doesn’t say no lightly to a C-level executive unless he or she has a strong death wish. On the other, IT didn’t have the technology to incorporate iPhones securely into the enterprise.
“There’s no common interface for BlackBerries, Microsoft mobile phones and iPhones,” George explained.
In many cases, IT’s response was to bite the bullet and carry on.
“IT gave up on this and decided to maintain responsibility for email security and control the email server and let users get work email on their private iPhones, but beyond that they didn’t consider the capabilities of the phone as it relates to security,” George said.
Today’s apps let iPhone owners readily access their corporate software programs, such as their Salesforce.com accounts or ERP app. That makes the phones access points that require security coverage. However, most organizations haven’t found a way to deal with this, George stated.
The Danger of Smartphone Access
A recent Symantec survey found that 62 percent of employees expect to access confidential or sensitive work-related information from their smartphones during the holiday season, Martin Lee, senior software engineer for Symantec Hosted Services, told TechNewsWorld.
Further, 77 percent expect to also use those same smartphones to get their personal email during this period, and 68 percent will use them for social networking.
“As the boundaries between work and home dissolve, the boundaries between devices that are solely for work or solely for personal use are being broken,” Lee pointed out.
With social networking sites being prime targets for cybercriminals, smartphone owners who employ their devices for both work and personal use could easily endanger corporate networking infrastructures.
“If malware is installed on a mobile device, then anything the user of the device does, the malware can do too,” Symantec’s Lee warned. “IT security needs to address the ingress of malware through Web browsing, email, USB devices or SMS messages.”
Mobile malware attacks will grow in 2011, IID predicts. The company expects more rogue mobile apps and the emergence of attacks targeted at vulnerabilities in smartphones’ operating systems or in popular apps.
Yesterday’s Tools Can’t Fight Tomorrow’s Threats
IT security is fighting a losing battle because it’s using traditional approaches to fight a new type of problem.
“The predominant network security strategy for enterprises historically has been to harden the network perimeter and control access to that internal network,” Lars Harvey, CEO of IID, told TechNewsWorld. However, the proliferation of mobile devices in the enterprise takes the teeth out of this approach.
“Mobile devices blur the physical and logical boundaries of the enterprise network while multiplying and diversifying the access points to it,” Harvey explained.
Employing the same device for both personal and work use only makes things worse, exposing the enterprise to consumer-oriented threats and attack methods, Harvey said.
One possible solution is to combine user education with mobile apps that create a secure virtual environment on a mobile device, Harvey said. Enterprises should also add an “outside-in” layer to their defenses to protect against threats their traditional defenses aren’t prepared for or equipped to handle.
Enterprises should also monitor apps and app updates for malicious behavior, watch the network for signs that it has been compromised and analyze the behavior patterns of users and devices for signs of trouble, Harvey said.
Enterprises should also set up policies governing the use of personal phones in the corporate environment, Agiliance’s George suggested, and it’s best to automate their implementation, he recommended.
“This is a low-compliance, high-risk area, and you should focus on this,” George said.
One other thing: Tell C-level executives who insist IT connect their smartphones to the enterprise network to wait until the security infrastructure has been modified to handle new devices.
“If you don’t create the foundation that lets you see the risk of making decisions, you’ll always be behind the curve and be forced to put out fires,” George said.