As awareness of the security risks around corporate mobile devices grow, the number of Canadian companies employing mobile device management (MDM) tools has jumped. However, a recent survey indicates that the leading violators of mobile security policies are company executives.
In an online survey of 500 information security professionals from all industry sectors across Canada, Telus Corp. found that 45 per cent of the respondents are willing to invest in MDM products. Revenue growth in the space, according to Telus, actually jumped from 13 per cent in 2010 to 24 per cent in this year.
The telecom company also found that flouting company mobile security rules appears to more prevalent at the top of the corporate ladder.
Top violators according to the survey are:
- Executives – 22 per cent
- Managers – 15 per cent
- Administrators – 15 per cent
- Sales – 15 per cent
- IT – 12 per cent
- Contractors – 10 per cent
- Operations and manufacturing – 6 per cent
- Marketing – 5 per cent
Executives are most likely to bring personal mobile devices into the company network, said Hernan Barros, director of product and services as Telus Security. He attributed the breach of security policies by execs partly to their need to boost their productivity.
“Top level employees say they need the latest tools such as iPads, or more powerful smartphones to enable productivity and efficiency gain,” said Barros.
BlackBerry seen as most secure smartphone
When asked which mobile technology platform they felt was most secure, an overwhelming 85 per cent of the respondents named BlackBerry smartphones.
The iPhone and Windows Mobile devices lagged far behind at 10 per cent. Android phones brought up the rear at five per cent.
Barros also said that over the years there has been a growing trend towards employees bringing their personal mobile phones to work and asking IT administrators to enable them to access company data and work applications on their devices. “With the large storage capacities, multi-functionality and always-on data connection of many of these devices, securing smartphones has become a major concern,” said Barros.
The loss of a mobile device containing corporate data for instance, he said, was identified as the number one concern among survey respondents in the government, private and public sectors who were asked to rank security issues on a scale of one to six.
The use of another device to access the company network was a close second. Respondents in the private and public sector marked it as number two while respondents in the government sector gave it a three.
Interestingly, the use of “untrusted application ecosystems” or third party apps ranked low. Respondents in the government gave apps a six, those in the private sector marked apps as five and the public sector said four.
Two-tiered security policy
One Canadian security expert said that a two-tiered security policy is common place in both small and large companies.
“Executives and managers are the very first ones to sign off on security policies and unfortunately the very first to break them,” said Claudiu Popa, president of security and privacy firm Informatica in Toronto.
“Very often, people is these positions bring in their own devices ask IT to give them access to the network,” said Popa. “they use productivity as a reason, but often enough there’s an element of exclusivity and entitlement involved”.
He said this practice is unfair to IT administrator because they are being asked to compromise security but are not in a position to refuse.
Popa believes that personal mobile phones should not be allowed into the company network. They another layer of security risk that burdens IT departments especially in resource and manpower restricted small and medium sized businesses, he said.
“I understand technology convergence trends, but I believe that if a person is working in a company, they need to use approved devices,” he said.
“The risk is just not worth the convenience,” said Popa.
Personal mobile devices in the company, is an issue that organizations can compromise on, according to James Quin, lead technology analyst for Info-tech Research Group in London, Ont.
He said there are instances when some managers or executives that “exceedingly busy, on tight timelines and do need access to the network on their devices.”
To deal with such situations companies, be they SMBs or large corporations, need to determine early on if they will allow personal devices into the company.
“If they will allow personal devices, it must be decided what resources can be accessed and who can access these resources,” Quin said.
Beyond this, the analyst said, companies need to take steps to protect company resources and data using steps such as:
- Restricting what type of data and resources can be accessed using personal devices
- Restricting access to data and resources through role-based rules
- Encrypting company data and employing complex passwords
- Using technology that remotely wipes data from lost or stolen devices
- Employing web-based virtual desktop services such as Citirx and VMWare
Virtual desktops allow users to access corporate data and company applications on their phones just as they would using a desktop computer at the home office, said Quin.
“But with tools like Citirx and VMWare, after the session is done the apps and data do not remain on the phone,” he said.
Lost mobile phones and employees using personal mobile devices is something Ledcor, a construction company based in Vancouver, B.C. deals with frequently.
The company, however, has evolved policies and practices to protect the organization’s data and resources, according to Greg Sieg, senior vice president and CIO of the Ledcor.
Incidentally, Sieg said, Ledcor’s top execs tend to favour their company issued laptops and BlackBerry’s while their employees are the ones who use personal devices like tablets at work.
“We distributed PlayBooks to our execs but the feedback has been mainly a discussion on what is the productivity advantages of having another device to carry around,” he said.
While Ledcor allows the use of personal mobile devices, Sieg said the company mitigates the risk data breaches by making sure only email and associated attachments are transmitted through the phones.
“We have a distributed workforce and operate in various jobsites. BlackBerrys can and do get misplaced or lost so we need to take precautions,” he said.
When a phone is reported lost, the holder needs to report it immediately. Once the report is filed IT immediately remotely “wipes” the data from the machine to ensure that company and sensitive information does not fall into the wrong hands.
Next, Ledcor’s mobile carrier is contacted to cancel the contract on the phone.
Additionally, Sieg said, his company uses a mobile app delivery tool from Citrix that enables users to view data on their smartphones but prevents them from downloading content. The system has a built in security filter that restricts that type of data that can be accessed.