As mobile devices proliferate, CIOs are re-examining a few thorny issues surrounding mobile data security: relaxing BlackBerry-only policies, budgeting for unknown smartphone costs and backing up a variety of endpoint devices.
It's increasingly clear that large organizations are approaching a tipping point in adopting mobile devices, according to The Enterprise Strategy Group Inc. (ESG), a research firm in Milford, Mass. Of the total number of endpoint devices in all organizations, there still are twice as many desktop PCs as laptop PCs. That ratio shifts, however, as the number of an organization's employees increases, according to ESG research: In large enterprises, nearly half (48%) of endpoint devices are something other than a desktop PC.
This new mobile paradigm -- propelled by advances in miniaturization, communications and applications -- requires new mobile data security strategies, experts say. One surprising development is the trend toward less stringent policies regarding the use of personal devices to connect with corporate data.
Open kimono but secured mobile data
"At first I was staunch about not having anything but BlackBerries, but over time, we've relaxed on that," said Mark Davenport, director of IT at Bosley Inc., a hair-replacement company based in Beverly Hills, Calif. "I have an iPad that I use and I like it -- it's good for what I do and how I operate."
It might not be surprising that the consumerization of technology -- another factor driving the influx of mobile devices -- hit one of the highest-consuming locales first, and led Davenport to welcome Droids, iPhones, BlackBerries, iPads and other smartphones into the fold. Employees in Bosley's 90 offices now can access a limited number of core applications with their favorite personal digital assistants. "Whatever they're doing on their mobile device is their business, but they access [the company's] Outlook for email," he said.
At Schumacher Group, a Lafayette, La., supplier of medical informatics to physicians, CIO Doug Menefee also let go of a BlackBerry-only policy. "About nine months ago, we made the change from 'you have to use a BlackBerry' to 'if you want to use your personal device, we'll allow you to do that, provided the IT department is able to remotely wipe the device, if lost or stolen,'" he said. "One iPhone was stolen and we were able to remotely wipe the device using the BlackBerry Enterprise Server."
No mobile data security = lost revenue
According to ESG, data residing on endpoint devices (including desktop and laptop PCs) is often underprotected. Only 49% of organizations back up 100% of their PCs, and only 38% of organizations back up all their laptops. At the other end of the spectrum, 11% of respondents said fewer than 25% of their desktops are protected or they have no data protection process at all; of these organizations' laptops, 12% fall into the same category.
What's more dangerous than endpoint devices falling into the wrong hands is failing to back them up, according to ESG analyst Lauren Whitehouse. IT organizations are supporting more endpoints than ever, she said, and users are storing more information and files on the devices. Many organizations lack a consistent data-protection strategy, and that leaves them potentially vulnerable to the loss of business-critical data.
The threats caused by stolen devices pale in comparison, however, to the pain of controlling unknown smartphone costs and setting reasonable reimbursement practices, according to the Schumacher Group's Menefee. "We see a huge benefit for the [mobile device] services, but are finding it very difficult to control and manage costs," he said. "When do you say, 'Enough is enough'?"
Backup is mission-critical to mobile data security
"Endpoints are a place of vulnerability for a lot of organizations because for the most part, they are not backed up," ESG's Whitehouse said. When it comes to production servers, enterprises are "not concerned about missing a beat; the data center is protected. As you move to the edge, there are lower levels of protection that are applied, but the risk is just as great." With sales operations, for example, laptop productivity issues are just as critical, she said.
"If organizations are not seriously considering and having these conversations, they should be," Whitehouse said, adding that there are many different ways to protect endpoint devices. Someone within IT could manage it; what's critical is the backup, she said: "When you have data protection of endpoints, you've got a copy somewhere."
Remote and mobile users require nondisruptive and ongoing backup of data, even when they are not connected to the corporate network via a virtual private network, Whitehouse concluded in a recent report. The amount of data transferred and stored should be minimized through optimization techniques, and data in flight should be secured. The local backup should be automatically synchronized with a central, remote copy, she advised.
Let us know what you think about the story; email Laura Smith, Features Writer.