Companies that do not act swiftly to define and implement a strategy to govern how and what corporate information can be accessed by employees` mobile devices are doomed to relive the PC anarchy of the early 1980s, says Kelvin Adams, Global Security Solutions country manager for Computer Sciences Corporation`s operations in South Africa.
"Mobile technology has run away with users` imaginations in how to work smarter, and the business has yet to grasp fully how to balance the productivity promise with the immense challenges of information security and corporate governance.
"The use of these devices is growing rapidly yet there are few corporations that have carefully examined the business need for them, and how they should be integrated into the communications system.
"What is happening closely resembles the early PC days when these stand-alone machines arrived on management`s desks and IT was told to find a way to incorporate them. What followed was years of wrangling about data integrity, islands of information, incompatible platforms and communications problems."
Adams says that IT and business management must collaborate with users to understand the threats and opportunities, and define and implement strategies that support both sides` needs.
Recent research done among 400 major corporations in the northern hemisphere by CSC`s Leading Edge Forum found that 41% of the companies surveyed allow their employees to access their systems from anywhere in the world, but only by using specific company-issued devices. Almost a third of firms allow access from any browser-enabled device, while a small minority permit the use of IT systems only from within the office.
Adams says that Chief Information Officers (CIOs) must act swiftly to initiate the need to define and implement a strategy for mobile access. "If they don`t the integrity of information being communicated and worked with will be in doubt and corporate documents may be compromised, among a host of other security-related issues.
"The business world reverberates with horror stories about laptops being stolen or cellphones loaded with client information being traded in for newer devices. Everyone knows the risks, and the time is right to collaborate within the firm to devise sensible policies, standards and enforcement. If everyone contributes to the policy, self-policing will become part of the working culture."
Adams says the issues that will inform a strategy include identifying the need for which mobile devices and who needs them, deciding which devices the IT department will support and training IT staff to support those devices.
Companies are reluctant to experiment with a confusing array of technologies, platforms, standards, and vested interests, when users clamour for the right for their mobile tool to be allowed access.
But it`s important not to frustrate the users` need to access information because they may try to use their own devices to communicate with the system, Adams says. There needs to be a balance between control and support costs, and enabling users to get on with their jobs.
A vital part of any mobile information security strategy is Identity Access Management (IAM) which switches the focus from securing the network to securing the data, and introducing ID-related access to who is entitled to access which company information.
"There needs to be collaboration between the business and technology teams in devising the strategy. If one team fails, the entire project fails."
It`s essential to first create a security framework which, at the highest level, all corporate data is classified in terms of sensitivity and confidentiality. Then the data needs to be encrypted according to the sensitivity of the information.
The framework would also define role-based access models that would specify what data can be accessed by whom and rules defined as to how users should access the network.
"Underpinning all of this is the need for users of mobile devices to be aware of the value, not of the device, but of the company-proprietary information it contains, and guard them as it they were their own. Creating a culture of sharing responsibility and actively playing a role in security the company assets," Adams says.
Share
CSC offers the South African market a wide range of services, including systems integration, application and infrastructure outsourcing, and business process outsourcing, as well as financial services solutions.
In South Africa CSC also provides Business Process Outsourcing (BPO) services to manage the policy processing and administration for its US and UK financial services customers who include banking, short-term insurance, and life and pensions providers.
A leading IT services provider, CSC adds value through its collaborative approach to delivering fast, reliable and flexible solutions. CSC opened its doors in South Africa in November 1999 and today has offices in Johannesburg and Cape Town. For more information, contact (021) 529 6500 or (011) 612 5400.
CSC
Founded in 1959, Computer Sciences Corporation is a leading global information technology (IT) services company. CSC`s mission is to provide customers in industry and government with solutions crafted to meet their specific challenges and enable them to profit from the advanced use of technology.
With approximately 78,000 employees, CSC provides innovative solutions for customers around the world by applying leading technologies and CSC`s own advanced capabilities. These include systems design and integration; IT and business process outsourcing; applications software development; Web and application hosting; and management consulting. Headquartered in El Segundo, Calif., CSC reported revenue of $14.6 billion for the 12 months ended June 30, 2006. For more information, visit the company`s Web site at www.csc.com