The invasion of mobile devices: how do you secure medical data?

By Dan Wolff

The consumerization of IT is all about productivity. That’s the finding from a recent survey of organizations that currently allow or plan to allow employees to use personal IT devices and consumer-driven software on the enterprise network. But the increased productivity is not without cost. More than half of the survey respondents also agreed that consumerization of IT increases security concerns, and nearly half (45 percent) feel that managing consumer-owned devices and related technologies within the enterprise network is “critical.”

“It’s common for employees with mobile devices to mix multiple applications on the same device, such as Facebook, business applications, and personal finance and banking. This creates increased challenges for securing data on these device.”
-Dan Wolff, Group Manager for Endpoint Products at McAfee

According to this survey of IT decision-makers, administrators, consultants, and security analysts, the key drivers of consumerization of IT are increased employee productivity (58 percent) and greater flexibility and turnaround time (52 percent). Like the companies they work for, employees are striving to become as productive as possible. To achieve that goal, they've turned to the world of consumer electronics, smartphones, personal laptops, and newly minted mobile devices like the Apple iPad. If employees feel they can do work faster and easier using their own technology, they won't hesitate.

But giving employees unfettered access to valuable company data on whatever device they happen to prefer is a risky proposition. The fact that these devices are mobile also means they're easily lost or stolen, and the data they contain is more vulnerable to theft or accidental loss. Which means that the data they contain is more vulnerable to theft or accidental loss. Access to company data on an employee's laptop, mobile phone, or other personal device can also create compliance issues by making it difficult or impossible to verify that data is secure at all times. Finally, because consumer devices are not adequately protected against malware, enabling access through these unsecured devices can open a gaping hole in the company's otherwise secure firewall. These risks have led many organizations to firmly resist consumerization by restricting the introduction of personal devices or consumer electronics into the workplace and attempting to lock down data.

But it doesn't have to be an all-or-nothing proposition. It is possible to balance access with protection, to allow employees (under the right conditions) to use a variety of tools to gain the productivity they seek while maintaining security for the company's data and systems. Not only will you benefit from your employees' productivity, but you can actually save money in other ways that you may not have considered.

The first step is to recognize that this trend, the consumerization of IT, is here to stay. The number of mobile workers worldwide is expected to reach nearly 1.2 billion by 2011 (source: IDC). During the course of a day, today's employees use four consumer devices and multiple thirdparty consumer applications, such as Facebook, Twitter, and other social networking sites-and they use them interchangeably for business and personal activities.

Level of Criticality in Managing Consumer Devices

In a recent survey of 233 IT decision-makers, 45 percent of the respondents said that managing consumer-owned devices and related technologies within the enterprise network is "critical."

The result is that the boundaries of a company's information network are not as clearly defined as in the past. It used to be that a company's information network ended at its firewall, and its valuable data remained relatively secure within that network. But today, data is no longer contained within the walls of your business and the network ends with the user and the user's device (mobile phone, laptop, and home computer). In this environment, security is far more complex than in the past.

So, how do you handle this situation? What steps can you take to prepare for the consumerization of IT? Here are some strategies we at McAfee recommend:

1.     Enforce remote encryption and wiping of information on all mobile devices to protect data in case the device is lost or stolen.

2.     Deploy host and network anti-malware to reduce infections.

3.     Deploy a firewall and network intrusion prevention system (IPS) to control traffic to and from all assets.

4.     Require VPNs for secure connections to corporate networks from remote, employee owned computers.

5.     Use network access control (NAC) to ensure employee-owned devices have proper security tools installed and are otherwise compliant with IT standards prior to accessing the network. NAC can control guest devices and other unmanaged endpoints and ensure they have limited ability to access resources or infect your network.

6.     Consider virtualized desktops (VDI), where employees can access company applications and data on personal devices, but the application infrastructure and data remain on corporate servers behind the firewall.

7.      Implement encryption for information at rest and in motion. If a remote device falls into the wrong hands or a transmission is intercepted, encrypted information is unusable.

8.     Deploy integrated endpoint security with a centralized management console to ease the effort required by security administrators and enable them to easily manage all endpoints in the system. An integrated, centralized strategy is more efficient, more effective, and ultimately less expensive than deploying a series of point solutions.

If you follow these recommendations and deploy a comprehensive endpoint security solution, you'll find it's not only possible to support the consumerization of IT with adequate and effective security, but that doing so yields some nice benefits for the company. Increased productivity is the obvious one. A less apparent benefit is the ability to reduce IT costs by allowing employees to use devices they've purchased themselves. The greater mobility of the workforce and the ability of employees to work from home can also lighten other expenses, such as office costs. Over time these savings can be significant-and when combined with greater productivity, they can make your organization more nimble and competitive.

Biography

Dan Wolff is Group Manager for Endpoint Products at McAfee, the world's largest dedicated security technology company. McAfee delivers solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the Web more securely.