Mobile users and personal devices

Who's responsible for ensuring security?

Workshop

Business today is a very different beast to that of just five years ago, and a world away compared to ten years back. While some of us are undoubtedly still office based, there has been an equally clear trend towards more flexible working which is less dependent on a fixed location. The spread of Wi-Fi in the home and workplace and then in public areas made mobile working feasible and even tolerable. And with increasingly effective connectivity technologies such as 3G, mobility, for all its good or ills, is here to stay.

The move to mobility has been arguably wondrous for productivity, but has been a difficult transition for security. Just under half of you reported that your workforce has a poor or very poor approach to IT security, which is a difficult situation to resolve, even with the best policies and most comprehensive training. Coupled with the tendency of users to connect to any available network and their susceptibility to exploits of unpatched vulnerabilities, virus outbreaks and phishing attacks, mobile computing has experienced (more than) its fair share of horror stories.

New technologies aimed at managing and securing the notebook estate have emerged. These include comprehensive group policies, systems & patch management, NAC, advanced end-point protection, intrusion protection and identity protection. Plus there are newer initiatives such as disk or folder encryption to protect sensitive data. While these have been deployed with various levels of success, at least they exist and are available.

Now that notebooks are firmly established as an enterprise workhorse, a new challenge has arisen. The growth of smart devices that act as productivity enhancers and electronic communicators par excellence threatens to take us back to the dark ages of management and security yet again.

At the dawn of the smart phone age the devices were expensive, crude and very corporate. They were generally managed and deployed by IT as part of a controlled rollout, usually to quite small groups of senior users.

The last couple of years, characterised by products such as the iPhone, have seen some fundamental changes in the market and in people's expectations. Smart phones became low cost (OK, relatively low cost), more sophisticated and positioned for consumer tastes. Apple's success has spurred on the likes of Nokia, Palm and Microsoft to speed up product development and developer ecosystems. Even Blackberry, the enterprise email stalwart, has quickly moved to try to capture the consumer market. But in the case of the new wave of smart phones, it has been employees as consumers, not the IT department, that have driven uptake and use.

Part of the attractiveness of the new wave of smart phones is the blend of consumer applications and interactivity with the ability to connect to work systems, something that enterprise-focused devices had spectacularly failed to do previously. This blurring of the lines between personal and professional identities is something that needs to be managed carefully. People cherish their beloved gadgets, but are also spectacularly careless with them as they take them through life's ups and downs. Witness the discovery of a lost iPhone prototype in a San Jose bar after a party. Although the loss has now revealed Apple's potential hardware design, the data and new operating system features were protected from discovery through remotely wiping the device.

In the ideal world, the company would specify and provide a (very) limited range of devices to the workforce, and the employee would be happy to be provided with one. These devices could be more easily deployed, managed, supported and secured. The reality is that these are intimate devices, and very personal. If what the company provides is not appreciated or is found to be wanting for functionality or desirability, then employees will look to acquire devices on their own to do their job more effectively. In many situations where companies provide a device such as a Blackberry, the employee will still carry another gadget to get around the restrictions imposed by using the corporate machine.

So this then leads to a dilemma. If the company strictly limits the devices employees are able to use, it may just encourage them to use unsupported ones in secret, allowing a back door to open up. On the other side, should the company be prepared to allow employees to supply their own devices, and what restrictions, if any, should be implemented? A free-for-all would just be asking for trouble. A shortlist (or not-so-short list) of approved devices may give enough choice for general satisfaction without going overboard with coverage.

Once the question of user choice of device is decided, the issue then revolves around management, security and support. If the device is provided by IT, management and policy should not be an issue. But if an employee supplies the device, where should the dividing line lie? The device must be secured, but at whose discretion or expense? Arguably, by tacitly allowing use of a personal device on the network, the company must then provide a list of required software and configuration information or policy. Ideally, the company would also be able to provide the software for the employee. However, issues such as benefits-in-kind tax may be a concern, as may the ability to extend corporate or volume licences to equipment not owned or controlled by the company.

There is also the issue of granularity of protection. What exactly should be covered in a remote wipe? If the user loses the device should everything be reset in a big bang, or only specified applications and data? What if the employee has pictures, personal messages or similar that are not backed up anywhere but are wiped from a lost device that is subsequently found?
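The two preceding questions, what a personally owned device must have before it is let onto the network and how far a remote wipe should reach, are easier to reason about as explicit policy rather than prose. The following is an added example and not code from the original article or from any MDM product; the device fields, the policy keys, the sample device and the split of data into corporate-managed, corporate-unmanaged and personal containers are all assumptions made for illustration.

```python
"""Toy model of a BYOD policy: a compliance gate plus a scoped remote wipe.

Assumptions (not from the article): a device reports its model, passcode and
encryption state, installed software and a list of data items, and each data
item is tagged with an owner (corporate/personal) and whether it lives in a
container the company manages.
"""
from dataclasses import dataclass, field


@dataclass
class DataItem:
    name: str
    owner: str       # "corporate" or "personal"
    managed: bool    # True if stored in a container the company controls


@dataclass
class Device:
    device_id: str
    model: str
    passcode_set: bool
    storage_encrypted: bool
    installed_apps: set = field(default_factory=set)
    data: list = field(default_factory=list)


@dataclass
class Policy:
    approved_models: set          # the "shortlist" of permitted devices
    required_apps: set            # software the company insists on
    require_passcode: bool = True
    require_encryption: bool = True


def compliance_findings(device, policy):
    """Return the reasons a device fails policy; an empty list means compliant."""
    findings = []
    if device.model not in policy.approved_models:
        findings.append(f"model {device.model!r} not on approved list")
    missing = policy.required_apps - device.installed_apps
    if missing:
        findings.append("missing required software: " + ", ".join(sorted(missing)))
    if policy.require_passcode and not device.passcode_set:
        findings.append("no device passcode")
    if policy.require_encryption and not device.storage_encrypted:
        findings.append("storage not encrypted")
    return findings


def may_connect(device, policy):
    """Network admission decision: only fully compliant devices get in."""
    return not compliance_findings(device, policy)


def plan_wipe(device, full=False):
    """Decide what a remote wipe removes from a lost device.

    Selective wipe removes only corporate data held in managed containers and
    leaves personal data (photos, messages) untouched. Corporate data that
    sits outside a managed container cannot be removed selectively; it is
    reported as 'unreachable' so an operator can decide whether the loss
    justifies a full wipe of everything on the device.
    """
    if full:
        return {"wipe": [d.name for d in device.data], "keep": [], "unreachable": []}
    wipe, keep, unreachable = [], [], []
    for item in device.data:
        if item.owner == "corporate" and item.managed:
            wipe.append(item.name)
        elif item.owner == "corporate":
            unreachable.append(item.name)
        else:
            keep.append(item.name)
    return {"wipe": wipe, "keep": keep, "unreachable": unreachable}


# Constructed sample policy and device (illustrative values only).
POLICY = Policy(
    approved_models={"iPhone 3GS", "BlackBerry Bold", "Nokia E71"},
    required_apps={"corp-mail", "corp-vpn"},
)
SAMPLE_DEVICE = Device(
    device_id="dev-0001",
    model="iPhone 3GS",
    passcode_set=True,
    storage_encrypted=False,
    installed_apps={"corp-mail", "corp-vpn", "camera"},
    data=[
        DataItem("corp-mail mailbox", "corporate", managed=True),
        DataItem("exported spreadsheet", "corporate", managed=False),
        DataItem("holiday photos", "personal", managed=False),
    ],
)

if __name__ == "__main__":
    print("findings:", compliance_findings(SAMPLE_DEVICE, POLICY))
    print("selective wipe:", plan_wipe(SAMPLE_DEVICE))
    print("full wipe:", plan_wipe(SAMPLE_DEVICE, full=True))
```

Running it against the constructed device shows both points at once: the device is refused admission because its storage is not encrypted, and a selective wipe would remove the managed mailbox while leaving the holiday photos alone, but it cannot reach the spreadsheet the user exported outside the managed container. That last case is exactly where the choice between a big-bang reset and a scoped wipe has to be made by policy rather than by default.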

Finally there is the thorny issue of identity management and the confidence that the person using the device is the legitimate account holder. Company notebooks and the like are more easily secured by means of complex passwords and multi-factor authentication, such as smart cards or one-time tokens. Establishing links with domain accounts by means of a SIM card or phone number may help. But the issue remains that smart phones and newer devices still have a way to go to match their notebook cousins for security.

As ever we would be very happy to hear how you tackle these issues. Please let us know in the comments section below.

Biting the hand that feeds IT © 1998–2021