Data, data everywhere
The way we work is changing. Mobile computing and fast wireless connections provide the infrastructure to exchange, access and store data from any location. But with this change there are also increased risks. Data is one of this century’s most precious commodities – allowing it to be lost, stolen or corrupted could have dire consequences.
Using Mobile Devices
Saying yes to people who want to use smartphones and tablets, safe in the knowledge you can keep them secure
These challenges are felt even more keenly in the public sector, which handles inordinately large amounts of data and has the entire public pressing for its protection. The risks are inherent not only from a financial perspective – Government data could have implications for even the most serious matters of national security, making it paramount that the correct safeguards are in place.
The public’s perception of public sector data handling is often poor, fuelled by stories in the media of embarrassing breaches and losses by civil servants. Repairing this reputation has long been a source of strife for policy makers, a task that will necessitate improved systems and processes to be put in place before public relations victories can follow.
Results from a recent survey across Government, carried out by Sustainable Government on behalf of Sophos, did not offer much comfort that all lessons had been learned. On the positive side, 64% of respondents had a policy for mobile working; regrettably, 65% did not include smartphones and similar devices in their remote working policy. This is clearly concerning, as the adoption of new technology and its associated work benefits is growing and security cannot be an afterthought.
What has changed?
Analysts have been talking about the ‘consumerisation of IT’ for a number of years but only now is it really turning into a reality. This phrase refers to the ever finer line between the business and personal use of a device, and smartphones are a prime example.
When you tolerate the private use of a device, be it a smartphone, laptop or tablet, it is generally because it has a pleasant side effect, namely that your employee will also perform work-related tasks outside of office hours – such as checking work emails. If you also allow your employees to bring their own mobile devices to work and use them there, this is taken to the next level. This method is known as Bring Your Own Device or BYOD. What at first sight may seem like an extremely attractive money-saving measure – one less investment to make from a tight budget – is actually both a challenge and a potential risk for your organisation’s IT. According to the 2012 Information Security Breaches Survey (ISBS), written by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills, BYOD does seem to be becoming more and more of a factor. PwC says 75% of large organisations, and 61% of small businesses, allow staff to use smartphones and tablets to connect to their corporate systems, but only 39% (24% of small businesses) apply data encryption on the devices.
Mobile devices provide significant productivity improvements due to their portable nature and are gateways to a wide variety of services in many industries including local government. These devices are used in three general ways:
• Remote monitoring and collection of information
• Remote consultation and as reference aids
• Mobile applications that make customer information readily available at the point-of-interaction with the public
There are two types of device that need to be secured – organisation-owned devices and private ones where the user wants to have access to their work email and calendar. As with laptops, memory sticks and emails, mobility brings with it the potential for data loss. Local government organisations are trying to formulate security policies around these devices. Previously they have just said no to allowing them to connect to their network.
Allowing email and calendars on mobile devices, be they private or government owned, means that public/customer identifiable data (PID) could be on the device. Therefore, they need a way of making sure that it is secured via encryption, password policy, etc., and that if it is lost or the member of staff leaves, the data can be securely wiped.
Organisations, in partnership with their security vendors, need to be focused on clearly explaining and understanding the risks of data breaches and targeted attacks, whilst ensuring the user experience is not diminished – after all, a larger percentage of personal devices are being used for business, and not the other way around. Remember, if security policies become too restrictive, especially if you are dealing with an employee's personal device, people will find ways around the policy.
Security on mobile devices
When you decide to equip your workforce with mobile devices, no matter whether smartphones, tablets or laptops, it will generally be because you see a way to improve productivity. You also make your users more flexible by providing access to your organisation’s resources from any location. Before introducing these devices into the workplace, there are considerations to be made as with any computer accessing your network.
• What additional applications need to be installed?
• How can the device be secured?
• How can the access to the network be secured?
• What about the data on the device?
These facts are generally part of a remote working policy which should also include
So what can you do?
Our suggestions
Review your policy and ensure that it still fits the way your staff work.
• Are employees using devices you have not taken into consideration?
• Are you aware of what data employees have on their smartphones and other mobile devices?
• Do you have an appropriate user policy to define private usage of corporate devices?
A mobile device per se is more personal than an office computer. Even when devices are owned by the organisation, the user will always be the administrator and therefore has to be fully aware of potential security risks.
The biggest mistake many of us make is that we still look upon smartphones as phones, when in fact they’re small computers and ought to be handled as such. If you have a consultant or external employee working in your office for a few months, you would only give them access to certain areas of your network to do their job. You probably also have stipulations about whether employees can take company documentation home with them or not. But do your employees’ personal smartphones or tablets have full corporate access without the usual security features in place? And even for the devices you own, can you really be sure that they are not breaching many of your security policies on a daily basis?
Sophos have spent time developing a solution to many of these problems, one which supports the overall Sophos belief in keeping security simple and non-intrusive, and in offering a suite of products to help with the drive towards Complete Security for the organisation.
Sophos Mobile Control gives your users the latest mobile technology while keeping your organisation’s data safe. We help you secure, monitor and control devices on your network with over-the-air control and a self-service portal that makes mobile protection easy. It also includes compliance checking and application control to ensure your users are following policy, even if they are using their own devices. The key features which Sophos offers, and which have been found to support the balance between adopting the latest technology and operating in a locked-down environment, are:
• Protects iPhone, tablets, Android, BlackBerry and Windows Mobile devices
• Gives you a central, role-based web console to distribute consistent policies
• Controls which smartphones and tablets have access to company email
• Lets you remotely lock and wipe devices to prevent data loss and ensure compliance
• Allows users to register and protect their devices (personal as well as corporately issued) through a simple self-service portal
• Lets you manage installed apps on a device from a central console and deploy and remove as needed
Through the adoption of Sophos Mobile Control, Sophos can support this balance between flexible working and a locked-down environment, and the wish of users to use their own devices for work, which in turn leads to company data potentially sitting on the device and outside the control of the organisation.
Worry less, accomplish more