Corporate IT must address employees’ indifference to IT policy

Today’s employees are using the application, device or technology of their choice in the workplace, regardless of corporate IT policies.

Now that employees increasingly expect the workplace to provide secure, anytime, anywhere connectivity – whether over 2G or 3G networks or Wi-Fi, for both personal and business tasks – it’s clear that IT management has lost its mandate on the choice of smartphone and tablet access in the corporate setting.

Today’s new workforce is not willing to allow IT to dictate which handheld platforms they can use because they prefer their personal technology to what employers provide. Recent surveys suggest about 70 per cent will use whatever application, device or technology they want, regardless of corporate IT policies. With less than half sticking to company-issued devices, IT must try to keep up.

While many of the technologies that enterprises adopt for their information systems have roots in consumer applications, employees are extending their workday and increasing office efficiency by leveraging the same technology they use to enhance their personal lives, in particular smartphone and tablet devices.

The biggest threat to security is from users themselves, who are increasingly using their mobile devices with scant regard for IT policies (e.g., playing games or checking personal emails while connected to corporate networks). Increasingly, mobile device usage is placing great pressure on corporate network resources, especially when users consume high-bandwidth content such as video.

The combination of these factors presents IT departments with a serious dilemma. On one hand, smartphones and tablets are simply too powerful and useful for businesses to ignore, empowering users in completely new ways and enabling them to work far more flexibly and productively. Security must be seen to be enabling the business, rather than holding it back from the rewards many of these new devices offer.

According to a study by IDC, people downloaded 10.9 billion mobile apps in 2010 (a figure IDC expects will increase to nearly 76.9 billion by 2014), many of them a potential threat to corporate security.

Smartphones and tablets operate in two worlds: they can connect to the corporate network over wireless, or bypass the network entirely using mobile cellular connections. This means they might download malware from the web over 3G/4G, and then disseminate it to the network over the corporate Wi-Fi network. Transferring data in and out of the corporate network, smartphones are beyond IT control. At the same time, IT needs to provide enterprise workers with secure access to network resources from tablets and smartphones.

Challenges of multiple devices

Enterprises need an agnostic approach that supports multiple platforms for their users and provides contingency for access continuity. A global business cannot depend solely upon the viability of a single smartphone vendor’s platform but must instead deploy smartphone solutions that are able to facilitate multiple platforms.

The sheer volume of interactive Web 2.0 and streaming media traffic over smartphones can affect corporate bandwidth and wireless network throughput. Some of these applications, such as streaming video applications, constantly evolve to avoid control. In addition, like any web-facing endpoint device running applications over the network, smartphones present a potential channel for forced denial-of-service attacks.

The proliferation of smartphones in corporate environments creates new and wider potential for data loss and leakage, whether by theft, unauthorised access or unauthorised transmission. Determined professionals can ultimately undermine even “unhackable” smartphone platforms. In addition, thieves can thwart attempts by IT to wipe data remotely simply by removing the SIM. The widespread practice of “jailbreaking,” or opening a phone to customise its features or functionality (such as to overcome restrictions on alternate mobile service carrier networks), also poses a serious security threat.

Most agree that enterprises should be able to enforce several basic security features on any mobile device, including mandatory passwords, over-the-air device wiping capabilities and data encryption on the device itself. In practice, the choice of the platform itself will determine the effectiveness of the overall policy. Not all mobile devices are equal, and some vendors make it harder than others to enforce rigorous security protocols and policies.

Top five ways to secure mobile devices

1. Establish reverse web proxy and/or SSL VPN. This secures smartphone and tablet access from outside the perimeter. By providing standard web browser access to web resources, reverse proxies can authenticate and encrypt web-based access to network resources. Reverse proxy delivers access agnostically across platforms. Agent-based encrypted SSL VPN tunnels add easy “in-office” network-level access to critical client-server resources from both laptops and smartphones.

2. Add strong authentication. An effectively secure solution should integrate seamlessly with standard authentication methods such as two-factor authentication and one-time passwords.

3. Scan traffic through a next-gen firewall. Smartphones and tablets can act as conduits to enable malware to cross the network perimeter, even over Wi-Fi or 3G/4G connections. Integrated deployment with a next-gen firewall can decrypt and scan smartphone and tablet traffic coming from outside the perimeter. Integrating a next-gen firewall with 802.11 a/b/g/n wireless connectivity can scan and decontaminate Wi-Fi traffic when the smartphone user is inside the perimeter.

4. Control app traffic. In general, smartphones and tablets are either critical business solutions or personal time-wasters. Application intelligence and control technology can enable IT to define and enforce how application and bandwidth assets are used.

5. Prevent data leakage. Data leakage protection for devices used inside the perimeter can scan outbound traffic and take policy-driven action to block or allow file transmission based upon watermarked content.

Sandeep Joshi is country manager at Dell SonicWALL.
