Smartphone Security Is The Elephant In The Boardroom

Using business phones for personal use presents security challenges that few firms can meet effectively, claims Ovum

The smartphone revolution is causing security concerns for businesses that provide their workers with mobile devices for personal and business use, according to research by Ovum.

The dual use of smartphones is being termed “consumerisation” and, according to the study, eight out of 10 respondents believe that consumerised business phones could make their corporate information vulnerable to attack, with data leakage cited as the top security concern. Even so, 75 percent of businesses allow their phones to be used as personal phones.

Business And Social Networks Conflict

According to Ovum principal analyst Graham Titterington, nine out of ten of the interviewees had already equipped their workforces with smartphones, or had imminent plans to do so. The most popular device is RIM’s BlackBerry, which communicates using encrypted data streams but may be compromised if lost or stolen.

Many of the enterprises expressed concern about employees mixing work-related tasks on their mobile devices with social networking, web conferencing, media sharing and other personal activities. For 48 percent of the companies asked, the reverse of consumerisation was true, with staff using personal phones for business use, an even greater security headache.

“Employees will want to use their devices, no matter who owns them, for both their work and personal lives,” said Titterington, author of the Corporate Mobile Device Use and Security report. “It is unrealistic to delineate between these uses for employees who are mobile and working out of the office for a large part of their time. That means organisations must establish a holistic security strategy that addresses the consumerisation of this fast-growing channel into corporate networks and data.”

Though strong concerns exist, many of the respondents seem to be relatively cavalier about security. Only 52 percent of organisations said they used some form of authentication for mobile users, and over half of them rely on typically inbuilt protection, which uses a simple user name and password.

Only 18 percent use public key infrastructure (PKI) certificates, just nine percent impose two-factor authentication using one-time passcodes, and a quarter of them use anti-malware.

EEMA’s Focus On Securing Mobile Devices

The research was undertaken on behalf of the European Association for e-Identity and Security (EEMA) in preparation for a meeting of the EEMA UK Regional Interest Group, co-hosted with Symantec, in London next Wednesday.

“For many professionals, the mobile phone has become a mobile office,” said Mike Jones, mobile security specialist at Symantec, “but that doesn’t mean enterprises need to leave themselves vulnerable to data breach, malware and other threats. A layered approach to mobile security allows enterprises to protect themselves, and their users, at every point of access – even before a phone receives a message or data transmission.”

Roger Dean, a director at EEMA, sees the predicament as an “elephant in the room” problem. The business imperative for smartphone implementation is too great to ignore, even when a security risk is known to exist, but a lack of understanding of how to combat that risk drives many businesses to ignore the issue.

“As this new study bears out, putting a smartphone security strategy in place is now a business imperative,” he said. “But how many organisations have the in-house expertise required to develop and implement a mobile strategy that fits seamlessly with their overall security profile?”