Quocirca's Straight Talking: Mobile security - how to get it right

As mobile working takes off, too few organisations are addressing security properly. Quocirca's Rob Bamforth offers some advice on how to make sure you end up safe not sorry.

Is your business committed to mobile security or simply involved?

The difference between involvement and commitment is often represented by the role of a hen and a pig in a breakfast of bacon and eggs - the hen is involved, the pig committed.

Many employees are increasingly being issued with smart phones, BlackBerrys and the like to access their email; a networked PDA to access form-driven applications; or a wireless laptop to access all sorts of enterprise resources. But are workers actively committed to the whole process of keeping the organisation secure - or simply, passively, just 'involved'?

Some might view passive involvement as just fine. After all, if there are tools in place to automatically secure everything without the individual's active involvement, surely that's the best approach.

Outside the realm of IT, many things have moved from active to passive with some apparent benefit. For example, modern car brakes using ABS remove the need for a driver to exercise the skill of cadence braking. The braking system automatically applies and releases the brakes to avoid skidding. Arguably some skill has been lost, and drivers are more blasé about the ability of their vehicle to deal with any potential loss of grip, but overall ABS is widely seen as a benefit.

Still the benefits of taking decision making away from the individual are not always that clear cut. Take domestic door locks. Self-locking latches may appear to be more secure as they passively lock when pushed closed but many insurance companies still prefer the positive and definitive engagement of a mortise deadlock, ideally multipoint etc. Anyone who's ever accidentally locked themselves out with a self-closing latch might think then same.

So what does that mean to enterprise mobile security?

While there are ways to protect mobile devices and data - through antivirus software or synchronisation, for example - organisations should not allow individuals to abdicate their responsibility.

Getting employees to take responsibility when carrying and using the company's assets helps offset the most important mobile security issues: data falling into the wrong hands or being lost through device theft, loss or damage.

But it's not only a benefit from the security perspective. Involving users allows a better understanding of whether a deployment will be a success and whether it will deliver the intended productivity gains or not. Not only can users see where the niggling inefficiencies are but the productivity is dependent on their attitude and goodwill. Win over their active involvement early and the project should run more smoothly.

That's not to say IT managers should ignore tools that add layers of protection to mobile data and devices - they should still evaluate them for deployment, as this will help reduce the risk. However those in the company that tend to believe security is 'somebody else's problem' need to be encouraged to do their part.

Managers in particular need to review their attitudes. Quocirca research shows that more than a third of general business managers do not believe it is important for a security policy to cover the use of mobile, wireless or cellular devices.

Organisations should also come up with a mobile security policy. It doesn't need to be a weighty tome, just a simple, well communicated view of the organisation's attitude to security. If you expect your employees to have the right attitude, you have to show the organisation is committed too - managers need to recognise their role as pigs, not chickens.

For further details, and a mobile security action plan, download Quocirca's free Securing the Enterprise white paper here.