Mobile security: A balancing act

Many organisations pay lip service to the importance of mobile security but do little to make it happen. Fortunately there are some relatively simple steps that can save potential embarrassment.


Mobile computing has undoubtedly had an enormous positive effect on worker productivity worldwide, with more and more businesses now enjoying the benefits that a mobile workforce can bring. However, the flexibility, time savings and productivity gains that mobile computing can afford must be balanced against potential security risks.

Some of these risks are very obvious, such as the possible loss of company data from a stolen device or the danger of data being intercepted in transit. Indeed, at present it feels like barely a week goes past without another high profile data breach making its way into the news.

As a result, other risks from viruses and malware, over-privileged users and social engineering can often go overlooked. However, despite not taking up quite as many column inches, these issues are just as much of a risk to mobile data security as anything else, and businesses would be wise to consider how best to nullify all potential threats when mobilising their staff.

In 2007 Datamonitor polled CIOs to establish the issues that are currently preventing enterprises from investing in mobility solutions. These IT decision makers rated security as the biggest barrier to their firms deploying mobile systems, acknowledging the challenge of giving more and more devices and users anywhere, anytime access to network resources.

Yet despite the perceived importance of security, many organisations are actually doing very little to secure mobile access, and are instead either waiting on the sidelines until mobile solutions with pre-bundled security present themselves or crossing their fingers and adopting a ‘hope for the best’ approach.

Fortunately, there are a number of straightforward steps enterprises can take to significantly improve their mobile security measures. The first is to utilise a two-factor authentication scheme that verifies both the user’s credentials and the user’s mobile device. Third-party soft token services from security providers such as VeriSign validate the user’s identity, thereby providing end-to-end security for mobile environments.

This two-factor approach significantly reduces the risk of ‘replay’ attacks in which a hacker intercepts a user’s credentials and then uses them in order to gain data access. Unless the hacker also steals the mobile device assigned to that user, simply replaying the user’s credentials won’t allow them access to protected data.
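To make the replay argument concrete, here is an added example (not from the article or from any vendor named in it) of a server that checks a password plus a device-bound soft token. It assumes the token is a standard RFC 6238 TOTP code; the `Verifier` class, user name, password and salt are hypothetical and constructed for illustration.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Verifier:
    """Hypothetical server side: checks the password AND the device's code."""
    def __init__(self):
        self.users = {}

    def enroll(self, name, password, salt, device_secret):
        self.users[name] = {"salt": salt, "pw": pw_hash(password, salt),
                            "secret": device_secret, "last_step": -1}

    def login(self, name, password, code, now):
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(pw_hash(password, u["salt"]), u["pw"]):
            return False
        current = now // STEP
        for step in (current, current - 1):       # tolerate one step of clock drift
            if step <= u["last_step"]:
                continue                          # step already consumed: a replay
            if hmac.compare_digest(totp(u["secret"], step * STEP), code):
                u["last_step"] = step             # consume the step on success
                return True
        return False

def demo():
    secret = b"12345678901234567890"              # constructed (RFC 6238 test key)
    v = Verifier()
    v.enroll("alice", "correct horse", b"constructed-salt", secret)
    t = 1111111111
    code = totp(secret, t)                        # what the enrolled device shows
    return {
        "device_login": v.login("alice", "correct horse", code, t),
        "replay_same_window": v.login("alice", "correct horse", code, t + 5),
        "replay_later": v.login("alice", "correct horse", code, t + 120),
    }
```

The intercepted password and code fail both inside the same 30-second window, because the step is consumed on first use, and after it, because the code no longer matches; only the device holding the secret can produce the next valid code.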

As well as the two-tier authentication approach, new, more flexible security tools are available to help enterprise IT departments protect mobile data. For example, instead of relying solely on passwords to lock lost or stolen devices, IT departments now have the ability to remove data from lost or stolen devices remotely. For the first time users’ personal – and thus unmanageable – mobile devices can be brought under centralised IT control. And, while there is still no perfect mobile security solution, these remote control capabilities allow enterprises to better protect their mobile computing environments by striking the right balance between worker productivity and data security.

Furthermore, businesses are also able to encrypt the data used and generated by their remote staff. Such encryption solutions are able to encrypt all information travelling to and from each device, irrespective of what device is being used. It’s a question of adding additional layers of security to the devices and data out in the field, making theft increasingly difficult, and thus less appealing, for potential data thieves.

The emergence of desirable mobile phones into the workplace may also trigger security issues for businesses. These phones are now capable of being used effectively as business tools, with new applications providing far more functionality than just basic email.

However, devices such as the iPhone remain first and foremost high-end consumer products, and are therefore much more likely to catch the eye of any opportunist thieves that may come in contact with an employee. Staff may be tempted to use devices such as the iPhone and BlackBerry for both personal and business use, further increasing the chances of sensitive information falling into the wrong hands. As the boundaries blur between consumer and business devices, companies must look to establish stringent user guidelines to minimise any potential risk to the organisation.

As we’ve established, there are a growing number of effective security solutions available to resolve companies’ mobility concerns across all industries. In particular, these offerings will help break down barriers to the adoption of mobile computing in the financial services industry and other verticals that handle highly sensitive data.

Many of these companies want the employee productivity gains provided by mobility, but consider the security risks too high. Given that these risks can now be mitigated using a two-factor authentication process and remote IT management tools, companies that haven’t been previously willing to take the plunge may finally be set for a change of heart.

Benjamin Wesson is vice president of product management at mobile workforce management software provider Dexterra.
