Organisations are increasingly offering key knowledge workers a raft of technology to support flexible working practices. From virtual private networks to WiFi, mobile communication technologies are rapidly becoming a core component of the corporate IT infrastructure.
But whilst mobile working undoubtedly contributes to improvements in both productivity and morale, it is also creating untenable business risk. In the headlong rush to meet business demands for mobile solutions, the IT department has little or no time to create and implement appropriate security policies.
The risk of data theft and the disruption of the corporate network fundamentally undermine the benefits offered by flexible working. Successful, risk-free exploitation of mobile technologies requires real cooperation between IT and the business to develop the right security policies, argues Craig Wiltshire, Sales and Marketing Director, s2s.
Knowledge value
Whilst UK workers gained notoriety this summer for the frequency with which they consulted their mobile devices whilst on holiday, there is little doubt that the majority of organisations view mobile and flexible working as a major corporate benefit. Indeed, according to a study carried out in 2006 by the Economist Intelligence Unit on behalf of Cisco, “The human touch will become more central to competitive advantage.” The report, entitled Foresight 20:20, continued, “Technology spend will shift to enabling knowledge workers to do their job better.”
However, whilst providing key knowledge workers with WiFi-enabled laptops and virtual private network (VPN) connections between home and the office has gained acceptance, few organisations are seriously addressing the resultant security risk.
From sensitive customer and corporate data left on unsecured laptops to the increased risk of infecting corporate networks with worms, viruses and trojans via remote connections, this headlong rush to exploit highly functional mobile technology is a risky strategy.
And yet, for the IT team, achieving a secure deployment is a challenge. In the main, the roll out of mobile devices is being driven by senior management – many of whom seem keen to make their own technology choices irrespective of the impact on the existing corporate infrastructure.
So how can IT secure the mobile network in the face of a board keen to maximise the productivity and morale of knowledge workers apparently irrespective of business risk?
VPN complacency
One of the major challenges facing organisations keen to promote a range of mobile and flexible working options is the misplaced belief that providing a VPN link back to the corporate network is a secure solution. VPNs provide a secure method of transferring data between networks, but they do not in themselves deliver an adequate security strategy.
What happens, for example, when a laptop user – often without up-to-date anti-virus (AV) software – picks up a worm, virus or trojan whilst surfing the Internet via the DSL line at home and then connects via the VPN to the corporate network? Since the device is officially recognised, there is every chance that the entire corporate network will be infected.
The VPN may secure the communication but it is still providing a platform for potential data corruption. Yet the use of simple network admission control tools could ensure the corporate network automatically isolates and checks every device each time the user logs on remotely. A rapid virus sweep and scan takes only seconds and confirms that each device is clean and conforms to corporate policy before it is allowed to access any servers on the network, delivering critical protection.
Of course, some organisations have added AV software to the mobile devices – although by no means the majority. However, these tools are not good enough to address the growing number of zero-day attacks that are not yet identified and protected against by the AV vendors.
By installing host intrusion detection software on each end device, any inappropriate behaviour caused by a zero-day attack – such as file opening or system shut down – is automatically prevented. Furthermore, alerts can be sent to technical support to ensure the problem is immediately addressed.
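The admission check described above, sketched as an added example (not from the article or from any vendor's product): a device that authenticates over the VPN stays quarantined until every posture check passes, and missing data counts as a failure. The field names, segment labels and seven-day signature limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy value for illustration; a real security policy sets its own.
MAX_SIGNATURE_AGE = timedelta(days=7)

@dataclass
class PostureReport:
    """What an endpoint agent reports at remote logon (hypothetical fields)."""
    device_id: str
    known_device: bool                 # device is officially recognised
    av_signature_date: Optional[date]  # None = no AV installed or not reporting
    scan_clean: Optional[bool]         # None = logon-time scan did not complete
    host_ips_running: bool             # host intrusion software is active

def admission_decision(report: PostureReport, today: date) -> tuple[str, list[str]]:
    """Return (segment, reasons). Any failed or missing check keeps the
    device in quarantine: being recognised is not enough to be admitted."""
    if not report.known_device:
        return "deny", ["device not recognised"]
    reasons = []
    if report.av_signature_date is None:
        reasons.append("no AV signature information")
    elif today - report.av_signature_date > MAX_SIGNATURE_AGE:
        reasons.append("AV signatures out of date")
    if report.scan_clean is None:
        reasons.append("logon scan incomplete")
    elif not report.scan_clean:
        reasons.append("logon scan found malware")
    if not report.host_ips_running:
        reasons.append("host intrusion software not running")
    return ("quarantine", reasons) if reasons else ("corporate", [])

# Constructed sample reports, not real data.
TODAY = date(2024, 1, 15)
SAMPLES = [
    PostureReport("laptop-a", True, date(2024, 1, 14), True, True),
    PostureReport("laptop-b", True, date(2023, 11, 1), True, True),
    PostureReport("laptop-c", True, None, None, False),
    PostureReport("laptop-d", False, date(2024, 1, 14), True, True),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.device_id, *admission_decision(r, TODAY))
```

The reasons list doubles as the alert text sent to technical support when a device is held in quarantine.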
Policy matters
Indeed, such technology can also protect organisations against a raft of inappropriate behaviour – from unauthorised use of USB memory sticks or CD burners to key loggers, protecting the company not only from the escalating mobile risk but also adding to internal security.
However, while this security technology has been available for over two years, one of the reasons it has yet to gain widespread deployment is the prerequisite need for a coherent, business relevant security policy.
With a myriad of configuration options, attempting to implement such tools without clear guidance from a security policy would be foolhardy at best. The security policy must align with both business processes and the ways in which key knowledge workers plan to work, from locations to information/application requirements.
For example, whilst some banks may take the route of disabling all USB ports, this is simply not practical for most companies, leaving many wide open to easy data theft, especially by existing employees. By tailoring host intrusion tools to reflect the operational requirement, organisations can have a complete audit of all behaviour on every end point device, using alerts to highlight activity that is deemed high risk within the security policy.
There is, therefore, a need for complete cooperation between IT and the business on the creation of an appropriate security strategy that reflects technology usage both remotely and on site. The discussion must encompass a range of issues: how individuals work remotely, the way data is secured, how the organisation can monitor and prevent unauthorised activity and, critically, user education.
Flexible business
Indeed, it is this policy creation and planning process that takes 80% of the effort; deploying the security solutions is a fairly straightforward process once the policy has been defined. But the creation of a coherent policy has benefits beyond minimising business risk by securing the mobile infrastructure. In many cases, IT will be able to consolidate diverse technology platforms to eliminate risk and reduce costs.
Furthermore, once in place, a highly secure mobile infrastructure offers organisations the chance to exploit emerging unified communications technologies to significant commercial advantage.
Without doubt, the extraordinary growth of mobile technology offers organisations phenomenal potential to transform productivity and working practices. And it is the business leaders that are keen to grasp the opportunity. But IT cannot continue simply to bow to corporate demand for new technology without reflecting the very serious corporate risk associated with these unsecured mobile solutions.