Few Australian organisations are considering sophisticated security measures.
This is despite more than half of Australian businesses in Unisys’ 2012 Australian Consumerisation of IT research being concerned about employees accessing business data via a smartphone or tablet in the workplace.
Unisys Asia Pacific security program director, John Kendall, attributes this concern to mobility extending the end points of access into the corporate network, beyond office walls and the network firewall.
“IT decision makers have consistently cited security as a key issue for a mobile workforce, regardless of whether the devices used are company supplied or owned by the employee, over the last three years that we have run the research,” he said.
Kendall says the risks are both accidental, such as devices being lost or used by friends or family, and malicious, such as devices being stolen or malware on mobile apps.
“Organisations see that mobility in the workplace is inevitable and now they are taking action to minimise the risk,” he said.
However, Kendall admits that effective security requires more than managing access to the device and the applications on the device.
For one, it also requires a combination of IT, HR, and legal security policies that are enforced, as well as employee education.
“Employees need to know what the risks are, how to avoid them and the consequences of not doing so,” Kendall said.
Ignoring the threat
While 56 percent of Australian organisations identified security as a continued concern, the report found that only 18 percent of respondents are considering token-based authentication and 15 percent are looking at biometric-based authentication.
Even though 90 percent of local organisations are saying they have a security policy in place, Kendall says it is worrying that a third of employees are not aware of their company’s security policies.
“These people could unintentionally put sensitive data at risk by not taking the appropriate security precautions to protect the data on their mobile device,” he said.
For Kendall, it appears that many organisations are under the impression they are “protected by simply creating a security policy that covers mobile devices.”
“However, it’s of no use if employees don’t know about or understand it,” he said.
With six percent of Australian employees in the survey saying they ignore or work around security policies, Kendall said it is important that they understand "why the policies are in place and what the consequences are from not adhering to them."
Time to change
As for what needs to change in order for security measures at businesses to improve, Kendall says the problem can be traced to passwords.
“Passwords have been traditionally used in IT to secure access to devices and applications within the workplace, so it makes sense that they have been the first step taken to secure mobile devices,” he said.
However, Kendall says the risk of a data breach via compromised passwords is higher in a mobile environment.
“Mobile devices can be easily lost or stolen, so it is surprising that organisations aren’t taking a more aggressive approach to securing the devices and the data on them,” he said.
To protect sensitive assets, the recommendation is to adopt multifactor authentication, where the employee is identified not only by “what they know” (such as a PIN or password), but also by “something they have” (a token key) or “who they are” (a biometric such as a fingerprint or face scan).
“In addition, organisations should look beyond the device at ways to secure the data itself, such as via encryption, so that even if the wrong people get access to the data, they can’t read it,” Kendall said.
He adds that a business needs to protect against both internal and external threats, whether they are accidental or intentional.