Across industries and across the globe, employees have adopted smart phones and tablet computers to create a customized and flexible work environment. These tools wrap powerful applications and rich content in a compelling package that enhances connectivity, productivity and communications.
To users, they have become more of a companion than a machine. For many others, mobile devices have become an extension of their personal identity.
Employees want to access work files from the same mobile device they use to update their Facebook status, check Twitter feeds and text with friends. And who can blame them? Accessing corporate data from mobile devices empowers workers to be more accurate, efficient and flexible. The handhelds and applications are familiar and convenient, and the device is always at hand. Telecommuting is now generally regarded as an option that enables organizations to better attract and retain top talent, particularly younger workers.
While beneficial in many ways and now acknowledged as the future of workplace technology, mobile technology has profoundly elevated threats to information security.
Consider a smart phone that is left in a taxi or restaurant. Once lost, the mobile device becomes a security liability for the IT department, a trove of corporate data and intellectual property, communications records, voicemail messages and customer data that are at risk of theft or leakage. The threats are not limited to misplaced or stolen hardware. Mobile devices can also expose organizations to data loss as a result of malware, worms and trojans. Further compromising security is the expanded use of mobile social networking applications, which open the door for employees to unwittingly reveal proprietary information or download malware, and cloud computing services that can obfuscate control and ownership of data.
These security threats are set to elevate. Already, 63 percent of devices that access corporate resources are used for work and personal activities, according to a survey by security firm McAfee. That number will undoubtedly increase as younger employees enter the workforce and bring their own technology with them.
The convergence of devices, applications and mobile data transmission has complicated the IT function’s responsibility to secure corporate data and networks. Many leading organisations understand the magnitude of mobile threats, but few have taken action. In PwC’s 2012 Global State of Information Security survey, only 37 percent of respondents reported that their organization has implemented a security strategy for mobile devices. Yet businesses that proactively address these risks and implement effective security capabilities can gain great opportunities for enhanced productivity and competitive advantages.
The advent of mobile technology has necessitated new governance, support processes, and skills from the IT department in managing the emerging security risks. Having a mobile security strategy should therefore be an integral part of an organization’s overall IT security management strategy. A mobile security strategy focuses on managing the security of the device, the data it accesses and stores, the applications it runs, and all interactions with the corporate network. Exposure of private, regulated data is a key risk and should be considered as well. As with any information security initiative, the relevant stakeholders must first consider an organization’s unique risks and build a mobile security framework on the foundation of existing security measures. We will in the course of the next few weeks see what development of a mobile security strategy entails.
The author is a Manager with PwC Rwanda