“Like most security issues, the weakest link is the human element,” remarks Sheridan. “There is no mitigation against someone leaving their phone unattended or inadvertently sending information to the wrong person. Obviously, there needs to be a balance between offering a useful service and locking it down so tightly that it becomes a business prevention system, and that is entirely up to the company involved.”
Sheridan adds: “There is no getting away from the fact that data security is a business decision that should be taken under advice and weighed against the cost and potential risk of losing data against the cost of protecting against such loss. One man’s protection is another man’s straightjacket; there is no easy answer, but education will help.”
Evans says all mobile phones have a basic password option to lock and unlock the device, although this function is rarely implemented by individuals, particularly if they are using a personal phone as opposed to a business device where a password policy may require it.
He remarks: “There are a range of software solutions and services currently on the market; basic packages allow organisations to encrypt or ‘lock down’ a device so it cannot be compromised if lost or stolen, with more sophisticated solutions enabling remote management or device locking and wiping of data if lost.
“Encryption software can be deployed on a single handset or an entire mobile fleet, helping to prevent information being downloaded by unauthorised people. Whilst easy to put in place, it needs to be underpinned by a robust and enforceable security policy structure across the mobile fleet to ensure all devices are secured in a controlled and manageable way. However, encryption does not necessarily protect information ‘over the air’. More complex technology exists that not only encrypts the device and information stored on it, but also encrypts the voice and data traffic sent to and from the device,” continues Evans.
Current trends for IT outsourcing and managed services have followed suit in the communications and mobile environment, says Evans. “By providing a fully monitored and managed service for an organisation’s mobile estate, they can be assured that all policies are implemented as standard across all handsets, as well as being able to manage policy and enforcement on particular handsets.
“No longer a commodity, mobile communications are now seen as part of the wider IT infrastructure within an organisation, so it makes sense to treat all networks with the same services and security,” Evans notes.
Coney states that while on-device security measures are becoming more common and have a role to play in the wireless world, they alone cannot offer the levels of protection that are required. “A significant amount of processing power is required to run anti-virus software and despite smartphones becoming ever more powerful and designed primarily to be functionally rich, on the whole they are not yet capable of the significant multitasking that would be required to run adequate background security software.
“Moving away from the hardware, the vast array of mobile operating systems powering today’s handsets can also pose a challenge; each different OS has its own weaknesses when it comes to security. The cost of building security software to cover this vast array of systems can be huge, not to mention the numbers of patch updates required as new threats inevitably come to the fore. There is also the impact on network bandwidth to consider; what happens when many thousands of users try to download security updates simultaneously? As such, it is necessary to explore alternative routes to ensuring users’ phones stay private and aren’t under the threat from spam, malware or other undesired content,” states Coney.
The preferred emerging solution being implemented by many of the world’s largest mobile operators is a system of network-level security, which complements existing device-level protection, explains Coney. He says this ensures that all users, as well as the network, are protected from current and emerging threats.
“Today, security content inspection software that sits on mobile networks provides customer protection across all mobile technologies, threats and media types. This includes protection against illegal or inappropriate content, viruses and malware. It allows mobile operators to enable enterprises to extend corporate security policies through to mobile assets,” continues Coney. “As these solutions sit across the entire network, they work across all mobile services, such as WAP, SMS, MMS, voice and email and all forms of network access, including GPRS, 3G, DSL, WiFi and WiMax.”
Coney says that by putting in place network-hosted defence, operators can identify threats and block potential breaches before they even reach the end user’s handset or mobile data-enabled laptop. Operators are starting to provide control portals that allow organisations to set specific, individual controls on employee usage to suit their organisational policies, he notes, which enables IT managers to determine what services, content or third parties employees can access at any given time, while allowing reporting and feedback on breaches or unusual behaviour.
Some devices are viewed as more secure than others, notes Sheridan. He explains: “Security is often cited as the reason why BlackBerry is used in preference to the Windows Mobile option. This is still the case, and BlackBerry’s IT policies are very powerful (if used), although Microsoft would argue that it too has the ability to ‘fry’ a device if it is lost or stolen.
“Good security policies will help prevent the majority of ‘accidental’ losses of data, but if you include voice as being a form of data you may need an additional deterrent, such as call recording, to reduce the risk of confidential disclosure,” warns Sheridan. “Another option could be to host the mobile data service, as this will address the issue of data backup and data recovery, although it is difficult to sell, as you are usually pitching to a person whose job may be put at risk (turkeys looking forward to Christmas).”
Evans agrees that RIM has become synonymous with delivering secure mobile solutions for the enterprise in recent years, operating a completely locked down solution that delivers, amongst other things, secure email.
He adds: “Other advanced solutions, like that from Good Technology, also offer scope for organisations to deploy a secure environment onto any employee’s phone, even one that is owned by the individual rather than it being a business asset, within which they can be granted secure access to corporate resources such as email. In the same way that people can visit the public App Store for the iPhone, businesses can develop their own private, bespoke App Store which users can download and use within their secure environment, ensuring the information accessed is kept secure at all times.
“If the phone is lost, or the employee leaves the organisation, applications and data held in the secure environment can be remotely wiped without compromise to whatever else may be on the phone,” says Evans.
How to sell
On how to sell mobile security, Evans comments: “With over half of UK workers now using their own mobile phone for business, dealers need to use this information to help sell security by informing organisations that the device does not need to be business-owned.
“Personal devices can also be secured, and business services that are accessed through mobile devices can be managed by specialist organisations that can deliver 24×7 services to users. Gone are the days of basic nine to five support; with greater agility and access to information and applications, support needs to be available around the clock,” Evans remarks.
The security challenges that enterprises face in the mobile world are many and diverse, comments Coney. He says if they are to protect themselves, their data and their staff, a three-pronged approach is key: content control, the ability to manage what can be accessed, when and by whom on mobile devices, extending the existing capability provided by LAN-based content filtering appliances; device security, protecting the mobile handset itself from incoming threats to data such as malware and spyware, but in a manner that is not limited by the lack of consistent security client availability across the range of devices and manufacturers commonly found in an enterprise; and clean connectivity, scanning inbound and outbound activity to highlight any unusual or unexpected activity.
“Only when these three areas are addressed can organisations achieve a consistent level of usage policy enforcement and control for staff across both the mobile infrastructure and their fixed network internal systems, ensuring that both the business and the staff themselves are protected,” Coney concludes.