Mobile revolution/security

By Eric McGee, Managing Executive, Information Security Services at Business Connexion.


Johannesburg, 22 Apr 2013

It's an amazing thought that there are now almost as many mobile phones on the planet as there are people. With approximately 85% of the world's population covered by commercial wireless signals, mobile phones are more prevalent than clean water or electricity. The mobile phone has changed voice communication forever, but the latest phase, the rise of mobile data communications, is only just beginning, says Eric McGee, Managing Executive, Information Security Services at Business Connexion.

I believe organisations should embrace the mobile revolution - because of all the benefits associated with its adoption - in a sensible way. Smart devices offer voice communications, e-mail and access to social networks such as Facebook and Twitter, integrating our business, social and private lives. That is driving the bring your own device (BYOD) phenomenon, as we like to choose our own devices. Companies flexible enough to support BYOD can find it helps to attract and retain top performers, who often work outside of traditional work hours and enjoy increased mobility, higher job satisfaction, and improved efficiency and productivity.

That means mobility also unlocks better productivity. I believe we are also more willing to refresh our own devices far more frequently than the technology replacement cycle of a typical organisation, further enhancing our own productivity.

But then there are also risks associated with mobile devices. Mobility and BYOD bring a number of challenges. An estimated 70 million devices are lost or stolen every year, often exposing sensitive information with far-reaching implications for organisations. This is naturally a major concern relating to BYOD and mobility in general, which creates a complicated end-user environment and makes implementing an acceptable use policy (AUP) more difficult.

Malware on our mobile devices currently poses a lower risk than on our traditional personal computers because of tighter restrictions built into the operating systems. Most of the operating systems apply application sandboxing, making cross-application communication and data sharing difficult. Applications have to be digitally signed by the operating system vendors, who exercise strict control over the application quality, which limits the amount of malware distributed through applications. However, I am still of the opinion that malware is still prevalent and will continue to be a problem on mobile devices.

Because of the tighter application controls on mobile devices, I further believe malicious Web content will become a more important attack vector. Social networks, especially, will be targeted to entice us to visit malicious Web sites, where malicious server-based exploits will attempt to access data on devices, or try to trick us into exposing sensitive information such as passwords.

So, how are we gaining visibility and control? I believe the first step in embracing mobile access is to gain visibility of what is connecting to the corporate infrastructure. This should be followed by the development of a proper governance framework for determining the proper use of the devices discovered on a corporate network.

To embrace the rewards and address the risks mobility brings, we require remedies to control these complex issues. I believe we must take a structured approach that starts by developing and adopting a sensible mobility and BYOD governance policy acceptable to both the organisation and end-users.

Once governance is in place, the correct technology controls must be implemented to ensure compliance with the governance policy and create the level of control needed to remediate the risks.

Mobile device management is but one technology that assists in gaining visibility of the current mobile landscape. It can also be used to enforce certain controls on devices to ensure they operate within the framework set by the governance policy. On its own, it is not enough. I believe it should be complemented with network access control to prevent unauthorised access to the network at the access point or switch port. To protect us against malicious Web content, a mobile content filtering technology that moves with the mobile device should be employed to carefully guard what Web content we can access, regardless of where we connect.

Lastly, I strongly believe that the above should be complemented in future with an evolving malware protection technology when these become more usable. Jail-broken devices should be prevented from accessing the network or even containing any business data, as these devices are exposed to malware. Mobile device management technology can block or wipe such devices.

The 8th annual ITWeb Security Summit will be held from 7 to 9 May at the Sandton Convention Centre.

The gathering creates an opportunity for senior security professionals and business decision-makers to learn about new strategies and tactics, and hear insight and comment from leading international and local subject-matter experts.

Eric McGee bio

McGee holds a B.Eng Electronics (Hons) from the University of Pretoria. He started his career as a micro-electronics integrated circuit designer at SAMES. He then moved on to focus on embedded system development, and later project management after obtaining an MDP in Project Management from Unisa. McGee joined the Business Connexion Group in 1998 at Nanoteq, where he managed a team developing numerous security products. In 2000, he became product manager, managing various security products and vendor relationships.

In 2004, he moved from Nanoteq to Business Connexion Networks, where he assisted in starting the Information Security Competency in the Technology Group. Since 2008, he managed the Security Line of Business in the Technology Group. In 2012, he became the managing executive for security services at Business Connexion. McGee has been involved in the information security field for the last 15 years, and is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), and also holds the Certified in Risk and Information Systems Control (CRISC) certification.

Editorial contacts

Jacqueline de Gouveia
ITP Communications
jacky@tradeprojects.co.za