WSJ: Danger-to-Go: Mobile Devices in the Workplace

http://online.wsj.com/article/SB10001424053111904583204576542342696584366.html

SEPTEMBER 26, 2011

Danger-to-Go: Mobile Devices in the Workplace

Workers are clamoring for access wherever they are, on whatever gadgets they want. That's a security nightmare.

By SHARA TIBKEN

As mobile devices invade the workplace, they offer all sorts of advantages to both companies and employees. But they come with one huge challenge: How do you make sure all that valuable information is secure?

That's true whether you're talking about company-issued smartphones and tablet computers, or personal devices that employees bring into the workplace. In either case, the increasing presence of such devices elevates the threat of accidental and intentional security breaches.

It's still early, but most experts are focusing their mobile defenses on three areas: the devices, the mobile data and apps, and company networks.

"The reality is we're all struggling with the same thing," says Dave Codack, vice president of employee technology and network services at Toronto-based Toronto-Dominion Bank. There are lots of options, and the technology keeps changing. Mr. Codack's personal advice for those trying to sort out the mobile challenge for their company: Give employees at least some mobile access through their own devices until you can figure out what's best for the business.

In the meantime, here's how some companies are managing their quest for better mobile security.

Devices

Most experts say the biggest concern is what can happen if mobile devices with access to company networks are lost or stolen. Without proper security, it won't matter if the device was issued by the company or is a personal device. Unauthorized use with criminal intent can lead to breaches of security, including theft of sensitive company data.

Passwords and data encryption are widely recommended. So is the ability to remotely wipe data from smartphones and tablets issued by the company. But maintaining a remote fail-safe system is trickier when dealing with employees' devices, which store their own apps, photos and other information.

The first thing companies should do is figure out what devices employees are using that already have access to corporate data, then decide which employees and devices the company will support going forward.

Some organizations allow access only through devices they provide. That's the way it works at Littler Mendelson PC, a San Francisco law firm, where only company-provided devices can access corporate email or data.

Network engineer Charles Chang says this "eliminates the gray area" of what the company can control on the devices. The company can apply its own security standards across each platform, regardless of the operating system. And any pushback from employees usually wanes when they realize they can get a new iPhone or BlackBerry with the data and voice plans paid for.

Still, an increasing number of companies are allowing employees to use their own smartphones and tablets for work purposes. This may initially lower costs for the company and make employees happier. But it opens the network up to breaches and forces companies to figure out how to monitor and secure devices that they don't own.

Pfizer Inc., the pharmaceutical giant, requires employees to register the personal devices they want to use for work and to install software that gives Pfizer some control, including the ability to wipe all company data off the devices. A Pfizer spokesman says about 10% of the 40,000 devices supported by the company are employee-owned.

"The key thing we want to achieve is application of our policies to whatever devices connect to our network," says Brian Cincera, Pfizer senior director of security, identity and messaging. "Whether that's a laptop or an iPhone or a BlackBerry is almost immaterial."

Data and Apps

Corporate software programs make it easy for IT staff to monitor and upgrade phone and Web operating systems on mobile devices.

Some programs allow them to block downloads of certain apps and programs, while others separate corporate information from employees' private content on their devices. That way a company can control and secure its information, or erase it remotely, without disturbing an employee's personal data.

HeartSmartKids LLC, a Boulder, Colo.-based company that promotes early detection of heart issues among children, gives iPads to partner health clinics where patients answer questions about their health on the tablets. The data collected on the tablets are used to offer guidelines for the families.

HeartSmartKids puts software on the tablets that gives the clinics the option of preventing users from accessing the Internet, downloading games or basically doing anything with the device other than what each clinic has approved. The software can also track where the device is, if someone takes it out of the clinic, and lock it down completely, making it useless.

Using the software, Heart-SmartKids can apply the same standards and policies to all of the devices, or tailor features and functionality to what each clinic requires. "The device only does what we want it to," says Kevin Gilbert, chief executive of HeartSmartKids.

One thing many companies don't want mobile devices to do is store sensitive data. To that end, many organizations use virtual-desktop applications like Citrix Systems Inc.'s Receiver, which allows users to access the data they need but prevents them from saving anything to the mobile device itself.

The Network

To protect the company network itself, experts advise such traditional defenses as firewalls, encryption of data and passwords--the longer the better. These are basics every company should enforce, no matter what else it does for security.

Extra layers for mobile devices include software that assesses risks to the network posed by certain actions and occurrences.

Such programs look at where a mobile phone is, what its user is doing with the device and whether those factors are considered normal. If someone in Russia is trying to connect to the network using a mobile device at 3 a.m., for example, access could be denied.

Hamilton Health Sciences, a group of hospitals in Ontario, Canada, provides mobile access through a "guest" network that it operates in addition to its regular network.

The guest network accommodates mobile devices not owned by the company, like those of many of its 1,200 independent doctors. The doctors and other employees get access to the Internet and to a virtual desktop, through which they can access patient data but not save it on their device.

Employees using hospital-provided devices, meanwhile, can connect directly to the core network, where sensitive data like patient records are stored. But they have to go through a separate access-control system.

People can use their own mobile devices to get to what they need without being on the core network, says Chief Information Officer Mark A. Farrow.

"We're not concerned about viruses because they're tunneled into one area [the guest network] and are not actually interacting with the [core] network," says Mr. Farrow. "Because of that, we've been encouraging the bring-your-own-device mentality."

Ms. Tibken is a reporter for Dow Jones Newswires in New York. She can be reached at shara.tibken@dowjones.com.