Security and Personal Mobile Devices: Consumerisation of the Workplace

How does a business cope with the proliferation of personal mobile devices in the office? Not just mobiles, but laptops and tablet computers too? The problem is not new, but it is growing.

Not so long ago consumers would peer in through the smoked glass panoramic windows of business to admire and envy the tools that were available to those inside. Access to the internet was for most people above a certain age first experienced at work. Their first PC, first mobile phone, first email, first mobile email! The list is a long one.

Today’s workplace is totally different. Staff bring in the toys they use at home and often frown or laugh at their employer’s old-fashioned offerings. IT departments now gaze back out through the self-same floor-to-ceiling windows with reverse envy and spend their time worrying about the security of their network.

A study of a small business

I recently did some work with a UK company on their communications and cloud strategy. The company provided 67 of their 115 employees with a mobile phone: 50 BlackBerrys and 17 mid-range Nokias.

30 staff also carried their own personal mobiles. Of the 30, eight people also received a company phone and actually used their own phones for business purposes in preference to those supplied by the employer. A further seven staff who were not given company mobiles used their own phones to pick up company email, making a total of 15 out of 30 personal mobiles that were used for work purposes.

It will come as no surprise that of the 30 personal mobiles brought into work, 16 were iPhones. The remainder were a mix of HTC, Motorola, BlackBerry and Samsung. People love gadgets.

This non-scientific survey (and it is quite likely that not all staff with a personal mobile at work responded) illustrates a point that is becoming a serious issue in the workplace.

How does a business cope with such proliferation of personal mobile devices in the office? This isn’t just mobiles. Laptops and tablet computers are just as much of a problem. The problem is not new but it is growing.

Large businesses with sizeable IT departments have long since imposed security policies on their staff, breached on pain of disciplinary action. Small and mid-sized businesses have traditionally adopted a “laissez faire” attitude: either “not something we are worried about” or, more likely, “we don’t have the resources to deal with it”.

The reality is becoming harsher by the day. As life moves online, the ease with which important company data can be lost becomes an issue. At the same time there is increasing pressure on businesses, whatever their size, from staff (from CEO level down) who want to be able to choose the latest and greatest smartphone for their everyday use.

The issue is security

The media is awash with stories of loss of laptops and telephone handsets. In 2011 there isn’t much distinction between the capabilities of laptops and smartphones and so the loss of either is potentially a problem. Some recent examples, found on the BBC website, include:

http://news.bbc.co.uk/1/hi/uk/7449927.stm
There have been a series of cases where confidential information has been lost or stolen.
Several laptops containing sensitive data have gone missing and files marked Top Secret have been left on a commuter train.

In one of the most high-profile cases, a private consulting firm lost a computer memory stick containing the details of tens of thousands of prisoners.

Here are other cases to emerge in the recent past:

May 2009: RAF personnel data

It emerged that data lost from RAF Innsworth in Gloucestershire the previous September included 500 highly sensitive files, containing details of individuals’ extra-marital affairs, debts and drug use.

An internal MoD memo passed to the BBC warned that the material “provides excellent material for Foreign Intelligence Services and blackmailers”.
On the same day, a report from the Information Commissioner told the NHS to improve its data security, after the watchdog had taken action against 14 NHS organisations in the previous six months.

January 2009: Prisoner medical records

A health worker in Lancashire lost a memory stick containing the medical details of more than 6,000 prisoners and ex-prisoners from HMP Preston. The data was encrypted, but the password had been written on a note which was attached to the stick when it was misplaced.

November 2008: Government computer passwords

A memory stick – holding passwords for a government computer system – was found in the car park of a pub in Staffordshire. The Gateway website gives access to services including tax returns and child benefits. The memory stick was lost by an employee of a subcontractor called Atos Origin.

October 2008: Ministry of defence data

A computer hard drive containing the personal details of about 100,000 of the Armed Forces was reported missing during an audit carried out by IT contractor EDS. It is thought to contain more than 1.5m pieces of information, possibly unencrypted, including the details of 600,000 potential recruits, a small amount of information about bank details, passport numbers, addresses, dates of birth, driving licence details and telephone numbers. The Ministry of Defence police said it was investigating the disappearance but it is not yet known whether or not it was stolen.

September 2008: Justice and RAF employee details

The government confirmed that a portable hard drive holding details of up to 5,000 employees of the justice system was lost in July 2007. The details of employees of the National Offender Management Service in England and Wales, including prison staff, were lost by a private firm, EDS. Officials only realised the data was missing in July of this year. Justice Secretary Jack Straw launched an inquiry.

Also this month, the MoD admitted that tens of thousands of personnel files had been lost from RAF Innsworth in Gloucestershire. Hard disks containing the data, which included names, addresses and some bank account details, were taken from a secure area.

Mobiles also hit the news, perhaps not with quite such an impact:

http://www.btp.presscentre.com/Media-Releases/DETECTIVES-ISSUE-WARNING-AFTER-SPATE-OF-IPHONE-SNATCHES-LEWISHAM-SOUTHWARK-WANDSWORTH-MERTON-13ae.aspx
Detectives from the British Transport Police (BTP) Robbery Squad warned passengers to remain vigilant after a series of iPhone snatches on trains and at stations in south London.
Six iPhones had been wrenched from passengers in the previous two months and investigators that day released images of two men they wanted to identify in connection with the incidents.
Jailed on January 10, 2011: Chris Osuh – A bogus beggar who snatched up to 28 iPhones from coffee shop tables

According to Alan Campbell, Minister for Crime Prevention at the Home Office, 228 mobile phones are reported stolen in the UK every hour. In 2009, over 100,000 mobiles were stolen by organised crime simply for resale into the refurbished handset export market.

Should small and medium businesses be concerned?

A small business owner might not think it a big deal to lose a handset containing emails from his customer. His customer might though.

In fact as a business moves its data inexorably towards the cloud and access to this data is required from anywhere, the importance of managing security is heightened whatever the size of organisation. Companies, therefore, large and small, need to think about their approach to mobile security.

Informed opinion says that within the next few years a business will not supply its employees with a telephone handset but will instead contribute towards the cost of a personal device, which will widen the choice for staff. If this is the case then that business will need to be able to manage multiple handset types across multiple operating systems – a problem that did not exist when the choice was simply BlackBerry or, say, Windows Mobile.

In our survey of mobile telephony usage, another interesting feature came to light. All the respondents using personal mobiles to pick up work emails said that their handset (and in some cases iPads and laptops) was protected either by a PIN or swipe pattern recognition application – a far from satisfactory method as regularly used patterns can easily be seen on a screen because of the smudge marks left by fingers.

The drivers for this tended to be “I don’t want to be fraped”. To be fraped is to have someone access your Facebook account and leave embarrassing or unwanted status updates that look as if they have come from the account owner. People leave passwords on these mobile devices in cookie form to avoid the log on process for different online entities.

A serious issue in respect of how mobile security is handled is how it relates to a company’s conformance to data protection standards such as ISO 27001. Many businesses, large and small, seek to conform to such standards in part because their customers expect it in an online digital world, but also because it forms a sensible approach to best practice in how to run a business safely. Not managing employees’ use of their own personal devices in the workplace can seriously compromise a business’s position in respect of these standards.

Secure connectivity to the internet

If these same people are accessing the corporate network from their mobile devices then serious consideration needs to be given to both the internet access policies for these mobile devices and the way they implement passwords. Consideration should also be given to what is done in the event of a lost device. Only one of the respondents using their personal mobile for work had “remote kill” set up so that data could be destroyed if the device was lost or stolen.

As far as internet access policies go, bigger companies tend not to have a problem. They will typically have their own private network connection into a major mobile carrier. Called an APN (Access Point Name) this connection allows a company to manage the internet access of its staff when using a company-provided mobile handset. In this way unsuitable network use such as access to pornography or perhaps social networking sites can be controlled.

An APN is not a cheap proposition which is why it usually remains the domain of large corporates. This is unfortunate from a small and medium sized business perspective because as well as allowing greater control over access to network data, an APN brings with it other serious benefits.

For example, a phone using a corporate APN will have much better connectivity throughput than a normal 3G VPN connection because it doesn’t carry the packet overhead of the VPN technology (IPsec etc.). This overhead can amount to 100 kbps, which is a substantial part of the total bandwidth available in many areas.

What’s more, because a device connected to an APN is automatically connecting to the private network it does not need a manual dial up process. If a handset is on the move then the process of reconnecting when data access is lost can be very trying.

If this is only open to large businesses then do small and medium sized companies care? It is difficult to imagine a world in the very near future where handsets are anything other than smartphones with their thirst for data.

All the industry forecasts point towards a huge growth in mobile data use. For example, according to Ronan Dunne, Chief Executive Officer of Telefónica O2 UK, writing on the O2 blog back in June 2010, the mobile operator was seeing its network data traffic double every four months. All businesses are going to have to be able to cope with mobile access to their networks across multiple device types.

Other than perhaps being an interesting read, where does this preamble get us? It all points to a growing emergence of what is called a next generation Mobile Internet Service Provider.

Most people will think of the company selling them mobile services in terms of sharp suited sales people with wide knotted ties driving fast cars. For years it has been all about getting the best deal, the lowest price with perhaps a sprinkling of customer service. This type of mobile service provider is about to die out – the unification of mobile and internet technologies calls for a totally different skillset.

The drivers are really as discussed already in this document. The requirements of businesses for mobile services are merging with their fixed line needs. Access to online resources needs to be via both fixed and mobile endpoints.

This means that the provider of mobile services needs to be able to connect with the provider of fixed data services. In an ideal world these providers would be one and the same organisation.

The synergies are clear:

• Both require 24×7 online network monitoring
• Troubleshooting needs to happen across networks
• Network design needs to incorporate both fixed and mobile elements
• On many occasions the mobile data connectivity is serving as a backup to fixed/broadband lines

The synergies extend further when considering the cloud based services that the mobile devices are likely to be accessing. Typically these would be hosted in the core network of the ISP providing the fixed connectivity.

A single entity provider that can supply all of these elements makes a lot of sense.

Security

Security is the low hanging fruit of the modern Mobile ISP. Complementing this there is a huge carrot that comes in tandem with the stick and that is productivity. The same systems and processes that provide control over a device’s integrity can also be used to make that same device work for a business.

The drive for competitiveness includes the adoption of systems and technologies that make life easier, cheaper and more productive.

Productivity tools include asset tracking, updating and repairing software, monitoring device performance, remote control, maintaining and modifying device configuration as well as distributing and updating data and files.

One typical example is the Kent Fire and Rescue Service which uses the Sybase Afaria MDM system to update fire crews on risk issues – locations of fire hydrants or even of hazardous substances – within a building that is on fire.

Kent Fire and Rescue use two 3G connections from O2 and Vodafone on each emergency vehicle to download any information and updates to a PC. Afaria detects the amount of over-the-air bandwidth available and regulates data being sent, priority being given to critical information. This is important in a mobile environment where connectivity levels cannot be guaranteed.

Connect Plus M25 is the Joint Venture company building the additional carriageways on the M25 motorway widening project. The organisation has a team of Quality Inspectors ensuring that the works are carried out in accordance with the specification. These inspectors use a mobile application to take GPS location-stamped images of any defects, which are uploaded in real-time to a hosted content management system. From here, managers can assess the severity of the situation and take immediate action to fix the issues. This is critical as Connect Plus M25 face significant financial penalties if the work can’t be completed on time.

Other examples include on-the-fly job scheduling, stock-list updates, application maintenance guides, customer authentication, trickle-feed loading of data warehouse and mobile marketing displays; all by and large involving the control and movement of data over wireless networks.

The emergence of Timico as a Mobile Internet Service Provider

Timico is emerging as a leading player in the Mobile ISP space. The company is already a well established mobile service provider and is focusing its efforts and resources on growing support for mobility.

Building on its ISP experience of network management, Timico has assembled an unrivalled set of capabilities to serve this market:

1. Mobile Device Management and Mobile Device Security
A hosted version of the global market leader (20% market share) Sybase Afaria® platform, it allows access to world class MDM and MDS technology on a Security as a Service basis. Sybase Afaria has been recognised as the leader in mobile device management enterprise software for eight consecutive years. It provides businesses with a single administrative console to centrally manage, secure and deploy mobile data, applications and devices.

The Timico service is device OS agnostic and can manage all the main vendor types including Apple’s iOS, RIM BlackBerry, Android and Windows Mobile 7. As a hosted cloud based service that involves OPEX rather than CAPEX, the service is also affordable for small and medium sized businesses who might otherwise not be able to afford the solution.

a. MDM helps a business monitor, manage and support a wide range of mobile device types – remote configuration, real time asset management and over-the-air application management
b. MDS features include password enforcement, local data encryption, remote data wipe, anti-virus updates and setting network access policies.

2. Mobile Access Management
A high speed link directly into the mobile network allows SMBs to extend their corporate networks securely onto mobile devices without using the public internet, putting mobile connectivity back under the control of the IT department. Internet access can now be filtered or restricted entirely. Mobile devices are ‘behind the firewall’ so there is no need for a VPN and internet usage policies can be extended to mobile users. This is the first such “multitenant” service from O2 in the UK and is the first time that this type of service has become affordable to SMBs.

3. Mobile Application Development
Bespoke mobile apps, such as the award winning hand-e-pix application, are developed from initial concept through to design, testing and implementation. Timico has a team of developers with experience across all the main operating systems.

4. Mobile Service Provision
A comprehensive suite of services including voice and data airtime, billing portals, reporting, technical support and professional services.

5. Mobile Hardware Provisioning
The supply, configuration and support of all mobile hardware requirements including smartphones, tablets, 3G modems and ruggedised devices.

Whilst large companies may already have the spending ability to access many of the services described above, this is not true of smaller organisations. The Timico Mobile ISP service set takes away this problem by moving the capability into the “cloud” and offering an OPEX based as opposed to a high up front CAPEX cost.

This opens up a huge new market area in the UK – the hundreds of thousands of SMBs that have the device management problem but haven’t been able to do anything about it.

Comments

IDC (analyst quote)
“The increasing acceptance of individual-liable devices in the enterprise will continue to be an important driver of activity in the mobile device management market throughout the forecast period. This is due to the increased number of mobile operating systems that IT will have to support as well as the added security risks these devices can present,” wrote Stacy Crook, senior research analyst with IDC.

Conclusion

It’s tough out there for business in the 21st century. Companies more than ever need to focus on their core competencies to maintain that competitive edge. Moreover the winning company is likely to be the one that most successfully embraces the tools that will cut their costs and increase their productivity.

The increase in use of smartphones and tablets can cause problems but also have tremendous benefits. Partnering with a communications service provider that is a Mobile ISP as well as an ISP seems to be a natural progression.

Offering hosted services is in keeping with the move of data into the cloud and opens up the technology to all.

Published by Trefor Davies

Liver of life, father of four, CTO of trefor.net, writer, poet, philosopherontap.com


3 Comments

  1. If I were a business owner I would want a bunker app that requires a fingerprint from a warm finger AND a password to unlock. Once the app is open the user can access company materials both local and remote with the access and encryption / decryption managed by the app. There would also be a timeout that would require a fresh, warm fingerprint to prevent the shutdown of the app.

    Hypothetical bunker app. features :
    Fingerprint reader via built-in camera (infrared capability ?);
    Encryption / decryption module;
    VPN or equiv.;
    Remote purge of bunker’s local storage*;
    Timeout ranging from 15 mins. to four hours (one hour default);
    Phone-home module with a three strikes trigger.

    * This way only the company’s data gets purged. The personal data is left intact.

    P.S. I’ve worked for what was a sort of government contractor here in the U.S. The agency we worked with was very sensitive to issues of access control in general and data retention at our remote locations in particular.
