Home & Office

Security possible amid unpoliced devices

Slashed IT budgets leave little room to manage individual mobile devices, but companies can still keep networks secure through policy planning, say experts.
Written by Victoria Ho, Contributor

While slashed IT budgets may leave little room for companies to support employee mobile devices, network managers need not worry the unpoliced access points will create security holes, say security firms.

Companies that have cut network support for employee mobile devices in an effort to save cost, face unknown security risks since these once-managed end-points are now hidden from network managers.

Unmesh Deshmukh, Symantec's director of endpoint security sales for Asia-Pacific and Japan, told ZDNet Asia the greatest fear companies have surrounding mobile user end-points is loss of data. Unprotected by security tools, these unpoliced devices create entry points for unauthorized data access by third parties and viruses, Deshmukh.

Quoting a recent Symantec survey, he said the top security concern for small and midsize businesses (SMBs) in Singapore was remote devices connecting to the network, with 74 percent of respondents indicating so.

Chia Wing Fei, security response senior manager at F-Secure Security Labs, said the portability and large storage capacities of mobile devices give users, if unpoliced, the ability to store large amounts of data, including confidential information. "These ubiquitous devices are harder to keep track of than laptops [because of their] size," Chia said in an e-mail interview.

However, companies should not resort to completely blocking mobile access.

Navneet Singh, Cisco Systems' IronPort corporate product manager, told ZDNet Asia in an e-mail: "Companies cannot block these endpoints from being used.

"Everyone today recognizes the productivity gains and other benefits that result from teleworking, and in addition, pandemics like swine flu are forcing companies to extend teleworking capabilities to more employees," the Cisco executives said.

Mobile security policies
Symantec's Deshmukh recommended some best practices companies can implement, if they do not have the means to secure individual mobile devices.

Employees should be reminded to be vigilant about personal security and not store sensitive data on mobile devices, he said. Companies should also ask employees to use only secure wireless connections when accessing the corporate network remotely and to disable bluetooth and wireless signals, ensuring bluetooth headsets pair only with the individual employees' handheld devices, he added.

Chia of F-Secure said organizations should put in place defined security standards and policies, implemented from top-down and company-wide.

"With the approval and support from the management team, the management of these devices can be done more effectively," he said, adding that technical solutions then act as countermeasure to further mitigate security risks.

Paul Ducklin, Sophos' Asia-Pacific head of technology, said enterprises and their employees can meet each other halfway to reap the benefits of mobile working.

"Users shouldn't expect to connect their own portable devices to the company network, or to use their own mobile phones for work without agreeing to abide by official corporate security policy, even though they own the devices," Ducklin explained in an e-mail.

IT departments, on their end, should not block access to every mobile device and should "consider paying small licensing fees needed to protect those devices", he said.

He recommended companies deploy network-based technology such as Network Access Control (NAC), device control and data loss prevention devices, in addition to setting policies such as prohibiting devices that are unsecured. SMBs can also explore network equipment that come integrated with a combination of these security tools, he added.

Editorial standards