The march toward mobility at Scotiabank is pretty typical: first laptops to enable alternative work arrangements for employees, now smartphones and tablets to give workers anywhere access to information.
The Toronto-based bank, with 83,000 employees worldwide, deployed company-owned BlackBerries several years ago to personnel who require them to do their jobs more effectively, and has since asked select staffers and IT support people to pilot other smartphone brands as well.
The approach to securing those mobile devices is typical, too. The bank uses BlackBerry Enterprise Service mobile device management (MDM) software. It also requires employees to sign statements saying that they agree to let IT erase data from devices that are lost or stolen, and to take control of devices if there's a legal investigation, says Greg Thompson, vice president of enterprise security services and deputy chief information security officer at Scotiabank.
Perhaps it's not surprising, then, that 53% reported that there is sensitive customer information on mobile devices (up from 47% the previous year) and 94% indicated that lost or stolen customer information is a grave concern in a mobile security incident.
Such findings don't surprise Joe McCray, founder and CEO of Strategic Security, an IT security consultancy in Washington, and lead security instructor and course author for TrainACE, a provider of online and classroom-based IT training.
Many organizations haven't focused on mobile security as much as they should, because "most people have so many other irons in the fire," says McCray. And some just haven't allocated the money needed to create a secure environment, especially if they're adopting BYOD policies to try to save money.
Like the attacks on PCs, attacks on mobile devices come from both lone hackers and criminal syndicates.
And while some organizations, such as the federal government and financial institutions, are regular targets, no one is safe from mobile attacks.
"Everyone's getting hacked," says R "Ray" Wang, an analyst at Constellation Research. "And because the platforms are so wide and different, it's a security nightmare. You have to secure the network, the operating system those devices are on, and whatever pieces of content you're putting on top of it. So security, it's [about the] device, the content on the system, the operating system and the network. Those are the four layers you have to worry about as an organization."
Additionally, analysts say mobile application management (MAM) software enables IT departments to give different degrees of access to different categories of employees.
Not surprisingly, the features available in MAM offerings vary from vendor to vendor, but analysts point out that MAM systems generally work both in BYOD environments and in settings where all devices are company-issued.
Another security option, which can be part of an MAM platform, is containerization. As the name suggests, this approach involves setting up an encrypted "container" on mobile devices to hold business applications and the data they use. Access to the container requires secure authentication. With containerization, business software and data are kept separate from personal apps, which makes it possible for IT administrators to wipe business data without deleting the user's personal stuff.
Whatever the trade-offs, organizations must find tools that will keep their systems and data secure while allowing users to do their jobs. It's the same balancing act they faced when first securing desktops and laptops, says Debbie Christofferson, an information security analyst at a Fortune 1000 company who also serves on the board of directors of the Information Systems Security Association.
"Enterprises need to have their own app stores or limit what people can download, because they'll download [what they want] if it's convenient," she says.
Given that perpetual tug of war between security and convenience, Christofferson gives the same advice that has ruled security for desktops, laptops and other IT systems: "Automate as much as you can."