Almost by the day, enterprises are becoming more receptive to the consumerisation of IT and introduction of mobile devices and platforms into their environment.
Introducing smartphones, netbooks or newer technologies such as the iPad and e-readers can pose security issues to an organisation -- and to any customer or business whose data is held on the devices.
Threats such as Trojans and drive-by downloads that exploit unpatched vulnerabilities in software installed on an endpoint, rogue security applications, spyware, botnets, worms, viruses and phishing attempts all apply as much, if not more so, to consumer devices as to office-bound PCs.
And once commercial data makes its way onto an employee's device, which is often unmanaged, the enterprise can no longer control its spread or usage.
"Additionally, consumer platforms such as Mac and iPhone are becoming an increasingly attractive target to attackers due to their explosive growth -- the more there are out there, the more potentially unprotected endpoints there are to attack," regional product management manager APAC and Japan at Symantec, Josh Simmons, says.
IT managers must also bear in mind that while employee devices perform a dual role -- as a personal device and a company device -- the protection of any organisational data held on the devices is totally up to the company, says senior marketing manager for Websense, David Brophy.
"Organisations must not only bear the expense of fines and remediation if they suffer a data loss, they also risk the resulting loss of shareholder and customer confidence," he says. "This can have an adverse impact on reputation, brand, stock value, and even the potential for criminal prosecution against company executives.
"It doesn't matter whether breaches are accidental or deliberate; what matters is that the organisation is seen to have failed in its responsibility to care for personal and confidential information."
It's pretty clear that consumer IT in the enterprise is risky, but if banning or limiting devices isn't an option, what can you do?
To begin managing the risks of consumer IT, Gartner Research vice president Leslie Fiering suggests that one of the first places to start is reassessing security policies, so that when an employee-owned device attaches to the enterprise network, the policy assumes the device is "hostile until proved otherwise".
"The response must be a series of network access controls (NACs) that include strong authentication, and scan and block functionality, as well as network behaviour analysis," she says. "A variety of methods can be used to identify specific devices, their physical and virtual locations, and their usage history."
Such device 'fingerprinting' can help organisations determine whether a user is connecting from a managed company device, from a personal device that has been registered with the organisation's technical support group, or from a completely unknown system such as a kiosk in a coffee shop. Further tests can also determine the security posture of the device, and whether it has been recently scanned for malicious software.
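The admission logic sketched above (strong authentication, a posture check on recent malware scanning, and fingerprint-based classification into managed, registered-personal and unknown devices, with "hostile until proved otherwise" as the default) can be expressed as a small policy engine. The following is an added example, not code from the article or from any of the vendors quoted in it; the field names, the three access tiers, the seven-day scan-freshness window, the device registry and the location labels are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Access(Enum):
    """Access tiers handed back to the NAC layer (hypothetical names)."""
    FULL = "full"                # managed company device, clean posture, trusted location
    RESTRICTED = "restricted"    # registered personal device, or managed device off-site
    QUARANTINE = "quarantine"    # unknown or failing device: remediation network only


@dataclass
class DeviceContext:
    """Attributes a NAC can gather when a device attaches (constructed field set)."""
    device_id: str                          # fingerprint produced by the NAC
    has_corporate_cert: bool                # presented a company-issued client certificate
    strong_auth: bool                       # user completed multi-factor authentication
    last_malware_scan: Optional[datetime]   # None if the device never reported a scan
    location: str                           # "office-lan", "vpn" or "public-wifi" (constructed)


# Personal devices enrolled with the technical support group (constructed registry).
REGISTERED_PERSONAL_DEVICES = {"fp-alice-phone", "fp-bob-tablet"}

# Assumption: a malware scan older than this no longer proves anything about posture.
SCAN_MAX_AGE = timedelta(days=7)

TRUSTED_LOCATIONS = {"office-lan", "vpn"}


def scan_is_fresh(last_scan: Optional[datetime], now: datetime) -> bool:
    """A device with no recorded scan, or a stale one, fails the posture check."""
    return last_scan is not None and now - last_scan <= SCAN_MAX_AGE


def classify_device(ctx: DeviceContext) -> str:
    """Map the fingerprint onto the three classes the article describes."""
    if ctx.has_corporate_cert:
        return "managed"
    if ctx.device_id in REGISTERED_PERSONAL_DEVICES:
        return "registered-personal"
    return "unknown"


def decide_access(ctx: DeviceContext, now: Optional[datetime] = None) -> Access:
    """Default stance is 'hostile until proved otherwise': every branch that is not
    explicitly allowed ends in quarantine."""
    now = now or datetime.now(timezone.utc)
    if not ctx.strong_auth:
        return Access.QUARANTINE
    if not scan_is_fresh(ctx.last_malware_scan, now):
        return Access.QUARANTINE
    device_class = classify_device(ctx)
    if device_class == "managed":
        # Even a managed device gets reduced access when it connects from an
        # untrusted location such as public Wi-Fi without the VPN.
        return Access.FULL if ctx.location in TRUSTED_LOCATIONS else Access.RESTRICTED
    if device_class == "registered-personal":
        return Access.RESTRICTED
    return Access.QUARANTINE


def evaluate(device_id: str, has_corporate_cert: bool, strong_auth: bool,
             scan_age_days: Optional[int], location: str,
             now: Optional[datetime] = None) -> str:
    """Convenience wrapper: build a context from plain values and return the tier name."""
    now = now or datetime.now(timezone.utc)
    last_scan = None if scan_age_days is None else now - timedelta(days=scan_age_days)
    ctx = DeviceContext(device_id, has_corporate_cert, strong_auth, last_scan, location)
    return decide_access(ctx, now).value


if __name__ == "__main__":
    # Constructed sample connections, one per class plus a few failure modes.
    samples = [
        ("fp-corp-laptop", True, True, 1, "office-lan"),     # managed, on-site
        ("fp-corp-laptop", True, True, 1, "public-wifi"),    # managed, coffee shop
        ("fp-alice-phone", False, True, 2, "vpn"),           # registered personal
        ("fp-kiosk-9", False, True, 0, "public-wifi"),       # unknown kiosk
        ("fp-corp-laptop", True, True, 30, "office-lan"),    # managed but stale scan
        ("fp-bob-tablet", False, False, 1, "vpn"),           # registered, no MFA
    ]
    for sample in samples:
        print(sample[0], sample[4], "->", evaluate(*sample))
```

Each check is a separate predicate, so the order in which they are evaluated can be tuned without changing the default: anything the engine cannot positively vouch for drops to quarantine, which is the behaviour Fiering's "hostile until proved otherwise" stance calls for.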