5 questions to ask about tablet security

Employees are dying to use them. But are tablets too risky for the enterprise? Experts ponder some of the larger questions about tablet security.

A poll conducted late in 2010 by ChangeWave Research found the number of organizations giving employees tablets for work would double in the coming twelve months. The research found 14 percent of businesses polled expected to buy tablets for employees in the first quarter of 2011, up from 7 percent of companies who supplied staff with tablets in the last quarter of 2010.

But while most organizations are not rushing to adopt tablets in their IT department, many end-user employees are in a hurry to start using them — on their own — with or without company support.

That has security managers scratching their heads as to whether tablets change their risk profile. The answer will differ from company to company, but here are five questions to ask as you consider your tablet policy.

Can we/should we support tablets?

This is a question many organizations have been struggling with for a few years when it comes to the plethora of mobile devices that users want to now bring to work. Tablets up the ante, said Denise Lund, a senior analyst with Yankee Group's Enterprise Research team.

"The most over-arching challenge enterprises have is whether to embrace the consumerization that spills into allowing all of the tablets into an organization."

Data compiled by Yankee Group finds about one-fifth of companies still will not tolerate any consumer applications or devices in the organization. But another 17 percent are both allowing and supporting what Lund called "non-harmful consumer applications and devices" and have deployed managed-mobility solutions to do it securely. However, among this set, there's a strong sentiment that security is the top technological obstacle to supporting mobile workers.

"48 percent of enterprises say security is one of the top two obstacles in supporting their mobile workers," she said. "That ranks above expense management; it's almost two-times the percent of people who say expense management is their top obstacle. That's pretty significant, I would say, because we know expense management is a very big priority."

However, the largest percentage of organizations included in the data are allowing consumer devices, but not supporting them, which poses an even bigger risk, said Lund.

"About 60 percent that are somewhere in the middle," she explained. "They don't encourage people to bring their devices or use their own applications at work, but they don't actively monitor it and that's where you expect to get some problems."

What are the risks posed by tablets and other consumer-oriented mobile devices?

Whether you are allowing and supporting consumer devices, like tablets, or allowing them and then burying your head in the sand about how they are being used, there are obviously several risks to consider. But is there anything about tablets that makes them any more risky than the average laptop?

"I think you get more people accessing the network outside of your walls," noted Lund. "And the kind of media capabilities tablets have are so much richer than the average laptop. The experience on the part of the end user can cause them to mix work and play much more, even if it is a work device. So, you're getting into downloaded video streams, applications in various social networks, and games, much more."

What does that mean for the organization? It means their employee-users are opening themselves up to exploits more than ever, and there is a greater chance for data loss or network infection. Of those companies polled by Yankee Group who said security was their greatest obstacle in securing mobile employees, 60 percent cited potential loss of data or other intellectual property as a major concern. An equal percentage said providing secure access to the internal network for mobile employees was a security issue. And 40 percent said controlling malware spread for mobile employees was a top worry. While security concerns remain largely the same as they have been in the past, the use of tablets and other consumer-oriented mobile devices means they multiply.

Can we accept the risks? 

Should you accept the risks that come with allowing consumer devices, like tablets? John Petrie, Vice President and Chief Information Security Officer at Harland Clarke Holdings Corp., believes organizations have little choice today.

"It's so pervasive now; tablets, Facebook, all of these kinds of newer technologies. And if you aren't using these within your corporation, you're not getting the best and brightest anymore. They don't want to be there. They communicate differently. Security has to adapt now and there are changes that have to happen. I think you see some real focus and a change in the way security provides protection. I think that's a challenge."

Petrie believes the perimeter as security once knew it has disintegrated, and controls now need to be moved in order for business to function in today's mobile world.

Do we trust the user?

"I think the corporations and their executive leadership are going to have to accept more risk and be more dependent upon their people," said Petrie. "At the same time you still have this additional risk you're assuming. You are saying we're going to trust our employees a little more."

What will make this new approach work, said Petrie, is the stick that goes with the carrot of being allowed to use tablets and other consumer mobile devices. Policies need to be in place and employees should be expected to follow those policies, with a clear understanding that action will be taken if they don't. But at the same time, Petrie believes allowing consumerization within an organization also empowers people, and can be used as a leadership strategy.

"At the end of the day the finance guys are looking at cost savings, they don't have to invest in certain infrastructure anymore. It used to be the cost of hiring an employee was the salary and benefits and outfitting the person with technology. Now you're not necessarily making an investment if they want to use their own stuff. You're allowing personal liability to take effect, you're going to assume that risk."

How should we use certain new kinds of information now available to us through tablets and other mobile devices?

Lawrence Pingree, a research director with Gartner, points to companies who are allowing consumer mobile devices and using mobile device management (MDM) solutions to support them, as facing an additional conundrum. That's because one feature many MDM solutions include is the ability to collect information about deployed devices, such as geo-location information. This can be both an asset and a liability.

"You have corporations which now can know where employees are at and what they're doing. That's kind of freakish and weird. So, there is a privacy aspect there and I think where most corporations are going to say, 'What do we do here?'"

Pingree said on the one hand, geolocation information can be useful for time management purposes. But having access to that information also poses a liability question for the organization. If they have the data, can they release it? How can it be used?

"How are they liable to an end-user that has accepted this kind of monitoring?" said Pingree. "That's a question a lot of organizations using this technology will have to ask."

Copyright © 2011 IDG Communications, Inc.
