If you're CIO at a large enterprise -- or a small one, for that matter -- chances are good that you're seeing a steady rise in the number of employees using smartphones and tablets at work.
The upside of this trend is that people might be more productive if they're using mobile devices they're comfortable with to access corporate data, collaborate with colleagues and communicate with customers. But increased mobility comes with risks.
Smart IT executives are mapping out strategies for managing their organizations' mobile risks and benefits. More than half (52%) of the 334 IT executives who responded to Computerworld's 2013 Forecast survey said they're ramping up mobile risk management efforts, and more than one-third (38%) said they're seeking help from outside providers.
Yet the results also show that many organizations haven't yet adopted a formal mobile device management strategy. Only 46% of the respondents said they have such a plan in place.
Those companies that have launched mobile strategies are getting a handle on the risks. Chicopee Savings Bank in Chicopee, Mass., with seven branches in western Massachusetts, began deploying Windows smartphones about five years ago and has since moved to Android devices.
"We initially deployed these devices to meet the business need of keeping corporate email, contacts and calendaring continually available to a small subset of our executive, sales and support employees -- whether they were in or out of the office," says Darlene Libiszewski, senior vice president of IT.
The bank launched an assessment to identify the risks and benefits of mobile devices. "A formal risk management discipline has always driven where we invest our resources," Libiszewski says.
Confidential information residing on mobile devices was among the security risks. "To minimize the risk effectively, we realized we needed to own the device to implement and manage the controls," she says.
But to minimize the cost of deploying smartphones, the bank is now considering adopting a bring-your-own-device (BYOD) program.
Managing risk is an ongoing process, Libiszewski says. "But I would say that more risk management focus has been placed in the mobile space because it is developing so rapidly and customer adoption is huge -- and face it, this space is the new frontier to be exploited," she adds.
Technology Plays Enforcer
Technology plays a huge role in helping IT manage devices and maintain security. Georgetown Hospital System, a healthcare provider in Georgetown, S.C., relies heavily on systems such as BlackBerry Enterprise Server, Microsoft Exchange Server and mobile device management technology from AirWatch to safeguard mobile devices such as Apple iPads and iPhones, Android smartphones and RIM BlackBerries.
"The phones are primarily used for email and calendar access, and they're used by senior administration, managers and approved employees [who] either travel or work on-call schedules," says CIO Frank Scafidi. Tablets are used mainly by managers and senior administrators, and increasingly by doctors, to access applications.
The AirWatch product, which Georgetown deployed in 2010, enables IT to place restrictions on devices, enforce security policies, remotely secure and wipe devices, and monitor usage, Scafidi says. The organization plans to move BlackBerry users to the AirWatch environment and decommission the BlackBerry server to maintain a unified mobile management environment, Scafidi says.
In addition to deploying security technologies, companies are developing policies on appropriate use of mobile devices. HomeTown Bank in Roanoke, Va., four years ago implemented a customer information security and acceptable use policy that outlines the bank's mobile device strategy. The bank is required by law to have employees review and accept the policy annually, says Michael Wright, vice president and director of IT.
The policy "is designed to educate bank employees on customer information and security awareness," Wright says. "It's kind of a living document" that evolves as mobile technology changes. It also requires that users implement features such as locking mechanisms and encryption for certain types of sensitive information.
Users of devices such as iPads must agree to let the bank remotely reset and wipe data on devices if necessary. Only individuals in the company who require access to corporate email to do their jobs have access to the network via mobile devices, Wright says. All devices that have access to corporate email must have a locking mechanism so that repeated failed attempts to guess a PIN will wipe the device.
Looking ahead to 2013, IT executives will continue efforts to use available tools and services to reduce the risk from mobile devices.
"I anticipate BYOD being an area of focus in 2013, and therefore I may seek help with anything from writing the policy to evaluating and implementing solutions for mobile device firewalls, [antivirus tools] and management software," says Libiszewski.
HomeTown Bank plans to use a software-as-a-service mobile device management tool to ensure that devices are being used properly. The software will let the bank define PIN requirements, remove an application from a device remotely or perform a full data wipe if needed, says Wright.
The bank will also conduct annual refresher training on the minimum requirements for device security and regulatory compliance for employees with devices that access corporate email. In addition, it will provide ongoing education on social engineering techniques, malware avoidance and acceptable use.
Organizations in the coming year will be looking for more management tools to help ensure document security and network security without infringing on employees' privacy or asking them to change their normal patterns of using devices, says Vishal Jain, a mobile services analyst at 451 Research.
"We think mobile security, app management, intelligence and threat detection will be in demand," Jain says.
The risks associated with mobility will only increase as more people bring their own devices to work and threats become more sophisticated. "The biggest threat that enterprises face is the loss or theft of devices containing enterprise data," he says.
It's vital to have a formal mobile risk strategy and include that as a part of information security guidelines, says Jain, noting that "employees are already bringing devices to [the] workplace," essentially creating "unmanaged BYOD programs."