Can mobile working set new standards of security?
Or are managers right to fear the growth of remote working?
Some CIOs curse mobile working because of the security implications, but could flexible working actually be a route to better, rather than slacker, security? Mark Samuels reports.
"CIOs simply must get the business used to working remotely because employees increasingly live and work in a mobile environment," says Vodafone CTO Jeni Mundy, an IT leader who speaks as someone who has created and implemented strategies to increase flexibility.
It's a call to action that reflects the mobile nature of modern business - but is it realistic, especially given the continued security concerns that surround flexible working? After all, as many as 38 per cent of CIOs still view improved security as a business priority for 2010, according to research by Opinion Matters on behalf of Vodafone.
And while improved workflow, employee engagement and staff retention are identified by the research as the major benefits of flexible working, potential improvements to security do not figure in the list of top achievements.
Business data beyond the firewall
The thought of employees carrying information - or the means to access that data - in their pocket and bags still seems to cause a degree of panic among IT leaders and their line-of-business peers.
The result is a perception that, rightly or wrongly, mobile technology is more insecure than fixed-down desktop tools. "CIOs don't see security as a benefit of flexible working," says Mundy. But why is that the perception and should security actually be an anticipated benefit from the establishment of flexible working practices?
The deployment of mobile applications can provide an opportunity to improve security
(Photo credit: Shutterstock)
The starting point for answering such a question is an apparent contradiction: IT leaders want technologies that drive end-user flexibility, but which at the same time allow increased control and manageability. While increased productivity might be the aim, research from analyst house Yankee Group found as many as 44 per cent of technology chiefs' primary concern when deploying mobile applications is the inadequacy of data security technology.
"At a general level, it's fair to say that any policy needs to carefully balance the advantages gained from an increasingly mobile workforce with the security management requirements," says Chris Marsh, senior analyst at Yankee Group.
"While there are specific actions that can be taken in the corporate environment, an adequate solution transcends what the enterprise can do alone and also calls on action by vendors and operators."
Allaying security fears
If that level of partnership can be created, fears can begin to be allayed - and Zafar Chaudry is one IT leader who believes flexible remote working does provide significant benefits. The CIO of Liverpool Women's and Alder Hey Children's NHS Foundation Trusts says security has to be a key concern for technology chiefs, but doesn't feel that there are necessarily grounds for panic.
"CIOs need to ensure that any access to key business systems from any remote location is inherently that of a zero footprint," he says. "That means that when an employee accesses systems remotely, no data is ever left or transacted on devices. CIOs will also need to...
...become stricter about policies that govern remoter working and ensure a governance framework exists in their organisations to control, monitor and manage the associated risks."
Chaudry's concentration on the risk of data loss highlights a key concern: Yankee Group's research shows that 60 per cent of IT leaders say the potential for data or intellectual property loss is among the top obstacles they face when expanding mobility options for employees, ahead of traditional security concerns, such as malware or operational issues.
The bad news is that, alongside increased mobility and device openness, data loss incidents rose sharply between 2005 and 2008 - from 141 to 761, according to non-profit group DataLossDB.org. The good news is that increased awareness of the data loss problem, and the refinement of security products on the market which address it, has helped and only 319 incidents have been reported to date in 2010 (PDF).
Impact on business operations
However, IT leaders should not be complacent. Additional Yankee Group research shows that while just nine per cent of businesses report having had corporate data stolen in the past 12 months, more than two-thirds of these companies (35 per cent) believe the incident greatly disrupted business operations. So, what can be done?
Look first to your own people, suggests John Adey, chief operating officer and CIO at Star Technology Services: "Technologists would love to look to IT to solve all their social engineering problems. A good IT leader considers the people factor and knows that training is just as important."
Adey says his company trains staff on a continuous basis in an attempt to maintain a good understanding of employees' responsibilities for customers and their data and he calls on other CIOs to take a similar stance. "There is a huge opportunity for the IT organisation to rise to the challenge, meeting a new generation of employees with new requirements," he says.
"Such mobile individuals might not always have a strong understanding of security implications. They expect freedom and CIOs need to create a path that balances expectations with security and the maintenance of intellectual property."
Balance between flexibility and security
A suggestion that leads us back to Vodafone's Mundy, who is an IT leader who has already worked to balance flexibility and security. She has helped push an internal project called the Vodafone Way that has implemented changes in the way employees work in terms of their physical location and their technical collaboration.
Flexible employees at Vodafone's Newbury headquarters work in zones, rather than at a fixed location, and are encouraged to sit with different colleagues as much as possible. Such flexible working is supported by the provision of catch-up areas, business centres and videoconferencing technology.
The aim should be to use the introduction of flexible working as a means to better, not slacker, security and Mundy stresses that a right-thinking CIO will not establish flexibility unless standards are in place. "Vodafone is expected to be one step ahead in terms of mobile security and we've placed a lot of emphasis on testing to make sure our smart devices are secure," she says.
With senior sponsorship at the chief executive level, Mundy and her colleagues have been able to change the internal mindset towards flexible working. She encourages other IT leaders to prepare for the transformation sooner rather than later.
"Technology chiefs need to achieve the balance between what people need to do and where, but in a secure manner," says Mundy. "And that is about using technology to increase mobility and reduce the potential for a negative event."