Mobile computing has made today’s workforce more connected, more available to the business and more productive than ever before. But the mobile revolution is by no means over.
End users are demanding higher levels of mobility, collaboration and information access. Meanwhile, the availability of content on mobile devices, coupled with a broad spectrum of collaboration technologies, hold the potential to make today’s employees even more productive.
However, the one thing that underpins these transformation technologies and processes is security. Security – specifically data protection, data loss and secure business communication - remains a top priority for IT leaders, particularly as the proportion of mobile and remote workers continues to grow within the organisation.
Mobile security will continue to be a major concern as businesses work more closely with customers and partners, collaborating and communicating with them across both geographical distances and computing devices. More porous organisational boundaries require companies to establish multiple levels of security in order to protect their data, their employees, their customers and their partners.
CIO Magazine, in association with Box, carried out an exclusive survey of a hundred senior IT decision-makers in companies of 1000 employees and above to gain an insight into the state of play of mobile business applications.
We particularly focused on the security aspect. The vast majority - 90% of CIOs - said they believe their role is to create a secure, creative and user-friendly environment for their employees to do their day-to-day job. Only 6% disagreed, and 4% were unsure.
In many ways, this encapsulates the change in culture that companies have experienced. Technology leaders feel a responsibility to enable employees to enjoy the experience of using business applications, as well as having the means to communicate and collaborate effectively. But at the same time, they recognise that the onus is on the CIO to provide a coherent security strategy.
Whilst IT security has been an issue since the birth of computing, the security context has changed over time. Today’s businesses operate in an environment where security is required at all levels because of the increase in mobile and remote working, and the close collaboration between businesses, supply chain partners and customers.
Recent high-profile hacks have highlighted the need for even more stringent security measures; and if leading technology and media companies can fall prey to malicious users, it raises the stakes for the whole industry.
With this in mind, our research found that 8 in 10 organisations believe there is room for improvement, and that their business content could be more secure than it is with current systems. Only 16% of companies have a system in place that is considered very secure, with a small proportion of CIOs admitting that their systems were not secured at all.
The opportunities surrounding mobile business applications and their potential to be a disruptive force in the enterprise space has been discussed for a long time. Many companies are looking at how they can create greater value from their information by using analytics and business intelligence systems to mine it.
They are also looking at opportunities to share it more widely across business departments and industry partners, to create new services, revenues and efficiencies. Mobile applications, accessed from tablets, laptops and smart phones, are a key platform to enable this.
However, our research discovered that just 39% of CIOs said they have complete control of how business content is used across mobile applications within the business. More than half of respondents, 57%, said they do not have complete control of how business content is used across mobile applications within the business, and 4% didn’t know. These figures should give cause for concern.
It poses a problem when it comes to exploiting business information, and indicates that there is room for improvement in securing and monitoring content that passes through - or is generated by - mobile platforms.
Stacy Crook, research director, Mobile Enterprise Research at analyst firm IDC, puts it this way: “While enterprises are rapidly embracing cloud and mobility for competitive differentiation, they need to consider the potential security implications of their strategy each step of the way. Mobile devices and the usage patterns associated with them open new threat vectors and opportunities for vulnerability.”
She adds that in order to combat these risks, enterprises are relying on a number of security technologies, often in conjunction with their enterprise mobility management vendor, to improve the level of trust associated with their mobility operations.
Analyst firm Gartner adds that during 2015, three quarters of mobile applications will fail basic security tests as enterprise employees download programs from app stores and use mobile applications that can access enterprise assets or perform business functions, with these apps having little or no security assurances.
“Enterprises that embrace mobile computing BYOD strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance,” says Dionisio Zumerle, principal research analyst at Gartner.
He adds that most enterprises are inexperienced in mobile application security, and even when they undertake application security testing, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.
Gartner predicts that by 2017, the focus of endpoint breaches will shift to tablets and smart phones. The firm recommends that enterprises focus on data protection on mobile devices, through usable and efficient solutions such as application containment (via wrapping, software development kits or hardening).
On a positive note, there are now many mature security solutions and options available to enterprises for them to secure their mobile content and users.
These start at the chip level, with speedy processor-based data encryption, and full disk encryption. At this hardware level, security features can include power-on password protection to prevent unauthorised access; and device intrusion protection that uses the native device capabilities to prevent malware or hacks to the infrastructure itself.
Organisations could also utilise file and folder encryption. For example, Box, which offers secure content management and collaboration for individuals, teams and businesses, uses data and folder-level security, linked to user profiles in order to help businesses control how individuals access folders and data.
User authentication and secure logins to mobile platforms offer another level of protection. And at the application or data centre level, virtualisation security can be used to encrypt virtual sessions and workloads.
In terms of securing mobile devices, more than two thirds of respondents cited mobile device management (MDM) as their number one initiative to implement in 2015. MDM is the traditional method of securing smart phone and tablet devices. It allows the IT staff to have full control over the entire mobile device if they decide to, or only control the company data and apps.
From the employees’ perspective, MDM may seem obtrusive because the IT team can take over their mobile device, as they can their corporate PC or laptop, even if they don’t choose to exercise that power. Employees tend to get attached to their device, putting personal information on it as well!
An alternative to MDM is application containment, mentioned above, through the use of ‘Containerisation’ - also known as Dual Persona. This is where a secure container is deployed to a mobile device which provides a completely secure platform to run corporate applications. This solution can offer separation between personal and company information, keeping corporate data secure. By keeping company email, contacts, calendar, and apps in a separate, secure, encrypted container on the smart phone or tablet, the organisation does not have any visibility into the employee’s personal device, apps, and data, and is limited to controlling only the container.
Dual Persona is starting to become a preferred option for BYOD because it provides peace of mind, and separates personal and company data. However, MDM platforms have the advantage of providing the same security policy and settings across the company’s smart phone and tablet estate, no matter what operating system they are running.
Alongside these mobile security technologies, Android, Apple, Microsoft and others all offer their own security features for particular devices. For example, some Samsung Android devices support Samsung Approved For The Enterprise (SAFE). This works with Microsoft ActiveSync EAS encryption, so corporate emails and contact information can be accessed securely.
SAFE also incorporates AES 256-bit On Device Encryption (ODE), IP-based VPN encryption and support for MDM applications. Platforms such as SAFE bring to Android the sort of controls found on iOS or Windows mobiles.
“Security and risk professionals often turn to endpoint encryption technologies to protect corporate data, meet regulatory requirements, and prevent accidental data leaks,” comments Chris Sherman, Forrester Research analyst, serving security and risk professionals. “Full disk, file-level, and media encryption are three of the most commonly used technologies, with many vendors offering multiple options within the same product/suite,” he adds.
Different organisations have different requirements, and need to choose their security based on their own criteria. For example, businesses will have different regulatory requirements and need differing levels of security, with some approaches being impractical from a governance perspective.
Secondly, using multiple levels of security on the mobile device - such as secure containers, data encryption, anti-malware and MDM - means the IT department is adding more things to the user’s device. Consequently, it increases the cost and complexity of each mobile, and can increase the management burden.
Our research found that CIOs are clearly grappling with all of these issues. We found that more than a third of UK organisations are considering implementing Mobile Application Management (36%), mobile content collaboration (31%), BYOD initiatives (29%) and corporate-led mobile device polices (27%).
The latter includes Choose Your Own Device (CYOD) where employees are offered a suite of choices the company has approved for security, reliability, and durability. These devices work within the company IT environment but the employees own their phone or tablet: either they paid for it themselves and therefore own it, or they get to keep it for the duration of their employment.
It also includes Company-issued, Personally-Enabled (COPE) devices where the business supplies employees with a phone or tablet that is chosen and paid for by the company but they can use it for personal activities as well. The company can decide how much choice and freedom their employees have. COPE is the closest model to the traditional method of device supply: Corporate-Owned Business Only (COBO).
With schemes such as BYOD, CYOD and COPE, user authentication is a key way to secure employee access to corporate assets. According to our survey, mobile content and business applications are secured by user authentication in 86% of UK organisations.
The indications are good that CIOs are deploying an array of mobile content security technologies, giving them a robust platform upon which to build as their mobile usage expands. Our survey found that basic MDM capabilities; encrypted user sessions; and security training are each used by over half of UK CIOs.
Other types of mobile content and business application security techniques that are being used include: integration with enterprise mobility management (EMM) (26%), centralised MCC controls (25%) and document level encryption (24%). This is all very good news, but, again, indicates that there is still work to be done for many organisations if they want to succeed in the new mobile world.
All roads to the digital future lead through security, and secure mobile content collaboration will only grow in popularity as businesses encourage more employees to work through mobile and remote means. Whilst it’s not possible for organisations to provide their employees with a completely secured environment, there are many tools, technologies, platforms policies and techniques available to secure business content.
Going forward, more technologies will emerge to mitigate the risk of pervasive computing. These include applications that are security-aware; even more granular and powerful encryption; context-aware and adaptive access controls; stronger user authentication; and more sophisticated and intelligent mobile management.
As a result, organisations will be able to share business information more confidently across business units and employees, and with customers and supply chain partners. The question is: are you ready to capitalise on secure mobile content collaboration?
To find more about Box visit https://www.box.com/home