Self-inflicted security breaches

U.S. Secretary of State Hillary Rodham Clinton checks her mobile phone after her address to the Security Council at United Nations headquarters, Monday, March 12, 2012. (AP Photo/Richard Drew)

The worst security breaches are often self-inflicted.

Hillary Clinton used her personal email to perform some of her government duties as US Secretary of State. This was a self-inflicted breach of security at the highest levels of the US government. Of course there was an outcry, but there were also large numbers of people who could relate perfectly to what she did. What’s more, evidence suggests that these numbers are growing, spurred on in part by mobility.

One anonymous source has been widely reported as saying that Hillary Clinton did it because her government email system “sucked”. (Of course, other more conspiratorial theories abound too.)

Beyond email, the continued growth of services like Dropbox and Box points to substantial use of private accounts for business-related purposes.

Mobile working complicates things

The big change beneath all this is the expansion of the mobile workforce, with more people in more jobs choosing (or being compelled) to work from multiple locations at all sorts of times, often on an ad hoc or request-driven basis. In these circumstances, things just need to work. If they don’t, then expect the remote worker to get creative and figure out alternate ways to get that message through, do that update, share that information, or change that entry.

Today, smartphones have complicated this picture further.

Apple reports that over 30% of iPhone users have multiple email accounts configured on their phones. Most likely, these would be a work email and a private email. If you’re on the road and your work email jams up, it’s very easy to just toggle the “send from” field to your private account and send it anyway. 99% of the time, no one may care. But the principle is not a good one.

As with email, so it goes for other actions. Where the company method (or server, or page, or app) isn’t performing or isn’t accessible, people will make their own arrangements. In the world of freemium and free, this means using whatever other services you can find (personal apps, free public services, etc.).

Secure the device, secure the data, secure the network

There are three key dimensions to IT security: secure the device, secure the data, secure the network.

Smartphones are now ubiquitous in developed economies. They are deeply personal devices, emotionally less like work instruments and more like jewelry. Whether a phone is employer-issued or employee-owned, research shows that the mobile worker with a data task is now more likely to use a smartphone than to use traditional IT (desktops, laptops, etc.).

This is a very different problem than sending diplomatic traffic over a home-baked email account. Not only is unsecured data involved, but now unsecured hardware is involved too. And the network? Even if the cell network is secure, what about all those unsecured Wi-Fi networks that your employees’ smartphones are connecting to (hotels, airports, etc.)?

IT security experts have many solutions to all of these challenges. However, the trick is to achieve adequate security (not too little, not too much) without reducing efficiency.

Efficient security for the mobile enterprise

Inevitably, this will involve the organisation taking some level of control of the mobile device. This is most commonly done with a combination of mobile device management (MDM) and containerisation, but this is just the start.

A strong process and system for delivering and managing applications into the enterprise’s mobile fleet is equally critical. This not only enhances security, but can actually _improve_ efficiency in the field, through standard interfaces to back-end systems and faster deployment of the most appropriate apps and updates.

And don’t forget the third important pillar of the security trio: the network. A Network Access Controller (NAC) is the weapon of choice in this area, giving the enterprise clear and flexible control over which mobile devices can access the corporate networks and how. (You can read more about how MDM and NAC work together here.)

Efficiency is everything

Managing security in the mobile world is not easy. But one thing is certain: if your security gets in the way of your mobile workforce, they will simply find ways to work around it whether you like it or not, and that’s likely to be completely out of your control.