While passcodes, encryption and virtual private networks should be standard security practices for tablet-style devices used in the corporate environment, businesses need to do more to ensure privileged data doesn't leak into the wrong hands, or when bring-your-own tablet strategies aren't viable, according to CA Technologies.
With the market for PCs falling and tablet sales set to surge, it won't be long before tablets become commonplace in the enterprise space. Already, some organisations are aiming to bring the devices on either as company-issued or in a BYO fashion.
"I've got a couple of clients that are in the utility space and one of the things they've just started doing is looking seriously at deploying iPads instead of hardened notebooks because they're saying I can spend $3000 to $5000 on a tough-book or I can buy six iPads for the same price," IBRS advisor James Turner said.
Like laptops, tablets run the risk of being lost or stolen, but principal consultant Trevor Iverach at CA Technologies argued that devices like iPads are not worth a great deal to a criminal now, as people aren't yet storing much company information on them.
"If we start to put emails on there that has non-public information about the organisation, financial information about clients, customers or employees, then that [value] increases," he said.
While Iverach advocated the use of security measures such as strong passwords and remote wipe capability, he said that this approach simply wasn't enough, as a simple Google search would let even less technically minded individuals access privileged information.
"What you'll probably find is a YouTube video that was around a few months ago that showed how you could break into the iPad or the iPhone within eight seconds by just plugging it into a computer," he said.
Unlike laptops, which easily allow security software to be installed, Apple and Google have made it significantly more difficult to install enterprise-level data-control software. Iverach said that no vendor has been able to get data-control software working over Apple iOS and it was very difficult to do it well for Android devices.
As privileged information can't be controlled at the device level, Iverach recommends determining what the most critical data is and how it moves about the organisation. Once defined, steps can be taken to determine whether its entry on to devices is allowed.
The control of information above the device level also brings about a secondary benefit of allowing any tablet-style device to be brought on to the network.
While Citrix and Suncorp are two organisations that allow users to bring in any device of their choosing, relatively few corporations in Australia have followed, and thus missing the potential for businesses to save on IT costs in certain cases.
"Bringing in your own device is an intriguing idea because the reduction in hardware cost on the organisation then has to deal with is phenomenal," Turner said.
He argued that organisations could potentially save on aspects such as ongoing service desk support and reduced staffing requirements, with the requirement left on the employee to resolve issues with the vendor, if they brought their own devices.
Turner also said that organisations should be doing more to assist their Gen-Y employees who have been shown to be highly innovative at finding ways to get their devices to do what they want, even if it means at the expense of the organisation's security.
"For the vast majority of them it's just a case of really ruthless expedience — how can I get what I need in the fastest, easiest way. It's going to be loyalty to them and their social network before the organisations. So the more the organisation can help them and guide the path down which they're working, the easier everyone's going to find it."
In addition, Iverach said lifting certain restrictions on devices could lift a business' productivity.
"It's a bit of a balance," Iverach said. "A lot of organisations are giving them to these people and they're discovering better and new ways of doing business and streamlining business processes. They don't want to stifle that innovation — they want to continue to allow them to use apps that are a tenth or a hundredth of the cost of implementing in their organisation."