The more mobile devices organisations allow to access their corporate networks, the more vulnerable they are to attacks.
So says Doros Hadjizenonos, sales manager for southern Africa at Check Point Software Technologies, commenting on the results of the ITWeb-Check Point Software Technologies Mobile Security Survey, which ran online for 14 days, attracting 231 responses.
The survey discovered that the use of mobile devices within South African organisations is widespread. It emerged that nearly all organisations (86.04%) are allowing the use of mobile devices. Only 7.21% do not, while 4.5% said that, although they do not allow mobile device use, they are planning to do so in the next year.
The study also discovered that, over the past two years, most organisations (24.87%) witnessed an increase of 51% to 100% in the number of smartphones and tablets connecting to their corporate networks. This was followed by an increase in the range of 26% to 50%, reported by 23.32% of organisations.
Increased
Hadjizenonos is not surprised at these findings, as organisations are allowing more users to connect to the corporate network from mobile devices to increase the productivity and efficiency of their staff.
However, he points out that, in terms of security, this makes the organisation more open and vulnerable to attack.
“This increased risk associated with the convenience of accessing data from anywhere needs to be balanced and the appropriate measures must be put in place to ensure secure connectivity to corporate assets.”
Lost or stolen devices are the biggest concern regarding the use of mobile devices within organisations, as cited by 56.76% of respondents. Meanwhile, 48.68% are worried about employee awareness of security policies; 48.42% about malicious applications; 41.44% about the mixing of personal and business data; and 32.43% about operating system security vulnerabilities.
Other cited factors were data synchronisation with the cloud, eg iCloud and Dropbox (25.23%); inappropriate Web browsing (14.86%); and users frequently replacing their devices (8.11%).
According to Hadjizenonos, a lost, unprotected device normally equates to loss of corporate data because it is relatively easy to access the data on an unprotected device. “It is very likely that there is confidential data on the mobile device, assuming it was used to access corporate e-mail and documents.
“Even if a device has got passcode protection, there are methods easily available that can bypass this kind of security to get access to all the data on the device. Organisations should find a way to separate business data from personal data, set up a policy on the business data and enforce it.”
He notes that policies should include, at a minimum, the type of corporate data that can be stored on mobile devices, a requirement that corporate data stored on the device be encrypted, and the ability to allow only authenticated users to access the corporate data.
“Organisations need to have more awareness about the security concerns of mobile devices. Devices can get lost, users can mix their personal and corporate e-mails using the same native e-mail client, and users can open corporate attachments with public-cloud-sharing apps such as Dropbox, which share the document in the cloud and synchronise it with all devices that are configured to use this cloud service.
“All these actions put corporate data at risk, and organisations should put more emphasis on the education of their employees about the risks of using mobile devices to access company information.”
Dominant operations
E-mail proved to be the primary operation that employees currently perform using a mobile device, as reported by 98.45% of respondents. This was distantly followed by those who access Web-based business applications like Intranet, at 56.48%.
Meanwhile, 31.61% noted they can operate a remote desktop on these devices, with 27.46% accessing native business applications such as HR and business management.
Hadjizenonos believes e-mail is the most common need for people when they travel, as it allows them to stay in contact with peers and customers. He also points out that e-mail is widely and easily available on mobile devices, while other applications, such as remote desktop or Web applications, require additional work to make them usable on mobile devices.
Asked what type of corporate information is stored on the mobile devices connecting to their organisations' corporate networks, the majority (93.26%) said e-mail, followed by contact information for colleagues, customers and partners (77.2%).
On a scale of one to five, with one being not at all important, and five critical, respondents were asked to rate how critical they think the information stored, manipulated or accessed on employees' mobile devices is to the business. Most (39.9%) gave it a four.
Using the same scale, the survey also asked respondents to rate their level of concern regarding the vulnerability of the organisation's mobile data. Most (36.79%) gave it a three, while 32.12% rated it a four.
Device passcode
Device passcode lock is the most prominent security setting enforced on personal mobile devices that connect to organisations' networks, the study discovered. Other strategies include device encryption (25.91%); remote wipe (24.87%); and tracking the device's location (18.13%), among others.
Says Hadjizenonos: “Device passcode lock is a common solution that is available on most devices on the market.”
However, he notes that device passcode lock also complicates the user experience on the device; for example, users are required to enter the passcode even when they just want to view a picture, listen to music or send a personal text message.
In addition, he says, there are known methods of bypassing device passcode lock mechanisms. “We would recommend a solution that is able to encrypt corporate data (eg e-mail, calendar, applications, etc) in some sort of secure container that will only prompt the user for authentication when the corporate data is accessed.”
It also emerged from the survey that, in most organisations (50.78%), mobile devices have not contributed to the number of security incidents. Only 11.92% said “yes”, with the rest unsure.
In Hadjizenonos' opinion, this is not a true reflection. “Assuming that 50% of the respondents to this survey have methods to show that none of their mobile devices contributed to a security incident, this does not mean they will not contribute to security incidents in the future.
“There are so many mobile devices that access e-mail and attachments; if only one device gets lost or is stolen, the data on this device could be easily compromised, assuming the device is not protected. I don't think we can conclude, by the answers to this question, that devices are properly secured.”