Smart Devices Outsmarting CIOs: Time To Turn The Tables

FP Archives February 2, 2017, 23:28:53 IST

While gradually letting go of their hesitations, forward-looking enterprises are now learning to live with the new set of security loopholes of smart mobile devices.


Standard Chartered Bank’s Relationship Managers can approve or reject credit deviation and limit excesses on their iPhones; HUL’s Sales staff, in a pilot project, have been equipped with Samsung Galaxy tabs to track and report back which products are selling faster; Manipal Health Enterprises is planning to deploy tablets at every nursing station and also tag patients with RFID to ensure real-time and seamless data transfer between the patient and the doctor.


These are just a few examples of the emerging scenario, with the growing proliferation of consumer devices within the enterprise. While gradually letting go of their hesitations, these forward-looking enterprises are now learning how to live with the new set of security loopholes that the enterprise usage of these devices exposes them to, and CIOs are figuring out the balance between the new technology demands and the resultant security paradigm. And, as they move up this learning curve, the enterprises are well on their way to figuring out how to outsmart these smart devices.

Enterprise Mobility Comes Calling

A recent report by Springboard Research highlights that India’s mobile workforce will grow 53% over the next 4 years to reach 205 million by 2015, out of which as many as 65% will be equipped with smart mobile devices. According to Heminder Singh Ahluwalia, Executive Partner, Gartner, the biggest trend that will impact the Indian region is enterprise mobility. Enterprises are no longer hesitant to adopt consumer devices for enterprise usage, and this trend is surely here to stay. No longer are smart devices about friends and family; they are also about companies and customers.


Opening Doors To Vulnerability

Smart gadgets, however, are not invincible, and do have a flip side to them: security implications for the data being exchanged to and from these devices. The primary concern is exchange of data on wireless networks. According to Ved Prakash Nirbhya, CIO, Tech Mahindra, the use of wireless networks for data access is risky as they are not secured to the extent other modes are. “As smart devices become more ubiquitous, attackers are making them targets, both as a means to access the data stored in it and as a direction for gaining access to the business network or introducing malware onto it,” explains Shantanu Ghosh, VP, India Product Operations, Symantec. The scope of the security issues grows multi-fold when these personal devices are brought into the enterprise realm. Overall, as Doug Mow, Senior VP, Marketing, Virtusa Corporation points out, security concerns would encompass Physical, IT and Intellectual Property.


IT leaders agree with these security concerns, as the findings of the ISACA survey show. As per the survey, more than 90 percent of Indian IT leaders believe that mobile devices, whether employer-provided or personal, pose a risk to enterprises. More than 50 percent of respondents in India recognise this risk from mobile devices, and say that their enterprises have policies and systems in place to mitigate the risk arising out of mobile devices.


Smartening Up To Outsmart

Opening themselves to vulnerability, the enterprises are actively stepping up efforts to not only keep pace with the emerging threats, but to stay a step ahead. The right and effective security strategy forms the fulcrum of these efforts. And, there might be no ‘one size fits all’ strategy, as the security strategy would have to fit the mobility architecture of the respective enterprise.


But there are some standard procedures and processes relevant for enterprises in general, in addition to the specialised requirements and nuances. The ISACA survey highlights some of the security measures undertaken by enterprises, including controlling application installations, remote-wipe capabilities, encryption and password requirements, to name a few. In fact, the survey indicates that 56 percent of respondents say that their enterprises do not allow installation of applications on mobile devices used for work activities. Mobile devices, in this case, include smart phones, flash drives, notepads, tablets and broadband cards.


Learning By Example

Here are some on-ground examples to learn from. The Mudra group is on its way to hosting ‘Mudra World’, the ad agency’s very own enterprise mobility initiative. ‘Mudra World’ will enable employees having any smart device to connect to a central server and still be on the job without being physically in the office. The central server has been termed a ‘Virtual Office’. The principle here is that data doesn’t get downloaded onto the smart device from the server; it’s only accessed via an information exchange session. The central server would host pre-defined business applications to be accessed by the employees. As soon as they log on, the required applications would automatically get provisioned onto their devices and off they go.


“When data is hosted onto a single machine, security management becomes easy because it would be guarded with all the necessary security applications like anti-virus, DLP, etc. It also makes the security updates process very convenient,” explains Sebastian Parayil Joseph, President – Technology & FM, Mudra Group.

Going back to StanChart’s iPhone adoption, the bank has secured the platform using all the security features provided by Apple, including all device policies, restrictions and the latest hardware encryption methods to provide a layered approach to information security on every device. Digital certificates are required on every bank-issued iPhone. Further, there are multi-layered procedures in place to protect access and systems should an iPhone go missing for any reason. “The layered approach has worked well for us, and we don’t just rely on any one authentication or encryption method. Also, different regulations in different markets apply to us, so we always take the highest common denominator on security grounds,” explains Todd Schofield, Global Head, Enterprise Mobility, Standard Chartered Bank.


In order to have a comprehensive data protection regime, companies can also go for a multi-pronged approach, something which is followed by most of the IT companies, as Nirbhya points out.

Some of the standard practices followed by companies under the multi-pronged approach include blocking the USB ports connecting the PCs and laptops with smart devices, as well as other devices that act as a medium for data transfer. Wireless access should be password protected and there are smart firewalls to ensure authorised access of data.


While the number of controls can be innumerable, the need to connect is still imperative. Companies are fulfilling this by opening access to social networking sites and other sources of information on all kinds of devices, including smart mobile gadgets, during a limited window of time during or after work hours.

The other way, typically known as ‘self-policing’, has been a regular in many companies including Tech Mahindra. Herein, the entire team is deprived of a particular service if a member of the team has broken the set rules, which apply to the mobile devices as well. These strict regulations should be backed by tailored awareness campaigns, mentoring employees to operate by the rule book and getting them to understand why it is important and how it results in better information security. These practices have proven to be reasonably effective for CIOs.


In this dynamic scenario, the key is not to be authoritarian and practice over-regulation, because the restrictive approach usually results in employees managing work-arounds. CIOs, in order to ascertain that employees follow the set policies, should look out for innovative ways to generate awareness on the importance of the regulations in place. This becomes all the more significant in an enterprise mobility environment as the smart devices open up a whole new world of temptations. As CIOs try to precariously balance the demand for liberty and the need for restrictions, there is always that thin line that defines when it’s time to stop. And, the onus for recognising that will lie on the employees.

Written by FP Archives
