IT managers who provide mobile devices to their end users can be like parents who let their teenagers take their cars at night. You start to wonder what they're up to moments after they leave.
The security risks of mobility have been much discussed. After all, laptops, smart phones, handhelds and other mobile devices often carry confidential or even regulated information (see "Solving the compliance vs. mobile dilemma"), and these devices are easily lost or stolen.
However, a new risk to the enterprise is emerging: Employees who misuse their mobile devices. Increasingly, mobile workers are being tempted to download and watch movies and TV, listen to music, gamble, access pornography and do other things they shouldn't be doing on the company dime.
"The threat to organizations is very real," said Derek Kerton, principal of The Kerton Group, a telecommunications consulting firm. While the threat of abuse of mobile privileges is growing, it isn't entirely clear what to do about it, Kerton and other experts said.
How serious a threat?
Companies have long used tools that filter e-mail and limit Web access by deskbound employees. However, the misuse of mobile devices is just now emerging with new technology.
"Three years ago, we weren't having this conversation," said Michael Voellinger, vice president of wireless services at Telwares Communications LLC, another telecommunications consulting firm. "It's a very significant risk now because of how fast the [mobile] content base is growing and how fast device capabilities were growing."
Specifically, cellular operators have widely deployed 3G cellular data networks in the past two years that deliver typical download speeds of 500Kbit to 700Kbit/sec. The operators, anxious to both wring revenue out of those expensive networks and combat stagnant voice revenues, have launched multimedia services such as downloadable music, streaming video and even live television. Many new mobile devices are designed to be used with these services.
In addition, new media services not designed specifically for mobile users, such as Amazon.com Inc.'s new Unbox movie-download service, enable users to transfer movies from desktop PCs to mobile devices. And, of course, the purveyors of pornography and gambling are busily exploiting this trend.
The most often-discussed threat to the enterprise is loss of productivity. For instance, what if an employee is watching a movie when he should be working? Kerton noted that research he did with a South Korean cellular operator confirmed how much a peril this is.
"The company launched mobile video, and we did a survey on usage patterns," Kerton said. "The expectation was that there would be heavy usage during commuting hours and moderate use the rest of the time. But the heaviest usage was in the afternoon and evening. We surmised that use in the afternoon was people watching movies at work."
In addition to loss of productivity, there's a financial risk to enterprises.
"None of these services and devices are free," Voellinger said. The lack of productivity translates into dollars, he added.
"If an employee is doing something he shouldn't at 10:30 in the morning when he should be working, that equates to dollars at the end of the day."
Who's responsible?
Part of the problem has been created by companies themselves, said Jeff Stanton, an associate professor in the School of Information Studies at Syracuse University and author of a book about managing employee use of computers and mobile devices. That's because with the growth of mobile technology, many organizations expect employees to be available all the time.
"Just as there's a blurring of the lines between the office and the outside world, there's a blurring in the lines between home life and work life," Stanton said. "In some cases, companies have encouraged people to work at home and to be available no matter where they are, even on vacation. People don't see a boundary between the office and the rest of the world anymore. But while the boundaries are being erased, the technology for dealing with that hasn't kept up."
Voellinger agreed. "The [mobile] devices really are dual-purpose," he noted. "They're used for business but there's also a personal aspect to it, too. It's natural to use them to communicate both with, say, your office and with your spouse. So the very nature of the device lends itself to the problem."
In addition, the cellular operators and content providers are fostering the trend because they profit from services such as multimedia, the experts agreed.
"Carriers are not in a position to disable or limit this functionality because it would harm their margins, and margins are very high on these services," Voellinger said. And the content providers are even less motivated than the cellular operators.
"Porn is one of the drivers behind mobile video," Kerton said.
What's the fix?
When considering how to manage the problem of misuse of mobile devices and services, Kerton said it's useful to keep in mind that this problem is really only an updated version of older problems.
"We used to talk about the threat of people walking out with files on their mobile devices," Kerton noted. "Before that, the threat was that people would walk out of the office with papers in their briefcase. Now, people leave the office, and they watch ESPN on their phones when they should be working. This is an evolutionary problem, not a revolutionary one."
There is one difference, however. While there long have been products that filter e-mail for offensive material or prevent access by desk-bound employees to inappropriate Web content, such controls are not yet widely available for mobile devices. Some vendors believe such software will eventually arrive.
"Our business model is to work with [cellular] service providers to bring those technologies to their networks," said Tom Erskine, vice president of product strategy for software vendor Boston Communications Group Inc. Erskine's company creates software for cellular operators that the operators could, in turn, offer to companies to monitor and filter content on mobile devices.
Erskine acknowledged that so far, no major cellular operators have adopted his company's software -- or any software like it. But he said that, while cellular operators profit from services that can distract employees, it is in the operator's interest to also offer the ability to limit access to those services.
"There's a lot of company money being spent on things that companies have every right to not want to spend money on," Erskine said. "The operators are clamoring for enterprise customers, and this is one way to get them."
Another approach is server-based software managed directly by IT managers. However, while such software is starting to emerge, Erskine argued that approach works best with enterprises that have standardized on a single mobile platform, such as BlackBerry, Windows Mobile, Symbian or Palm. For instance, GPX Survey Ltd. offers Condor Mobile Service Manager, its server-based device management software. However, that software only works with BlackBerry Enterprise Server.
Even if filtering and monitoring software were widely available, Stanton said that his research found that such measures are unlikely to be entirely successful. At least that was the case with limitations placed on deskbound employees, he said.
"We did a survey and found that 60% to 65% of employees said that they'll go to almost any length to get around any limitations," Stanton said. "So it can't be a purely technical solution, since somebody will break it or get around it."
Acquisition and management
That leads to the need for a mobility plan with clear-cut usage guidelines. It also leads to inevitable changes in how companies acquire mobile devices and services.
Until recently, many organizations allowed employees to acquire their own cell phones and expense the cost back to the company. With the advent of mobile data and its inherent security risks, enterprises have been increasingly moving toward acquiring and centrally managing mobile devices. That's a healthy trend that will help organizations deal with misuse of those devices, Voellinger said.
"The question is who's responsible for the device," Voellinger said. "If I give employees a business tool, there's direct accountability. If an employee goes out and gets his own [device], that accountability isn't there."
The next step is to create policies and guidelines for use of the devices, the experts agreed. Voellinger stressed that while most organizations have long been concerned with mobile security, many have yet to get their heads around misuse of devices.
"A lot of organizations haven't gotten that far yet and don't have policies and guidelines," he said. "I can't name names, but I know of Fortune 50 or Fortune 70 companies out there with 10,000 devices out in the field and no policy."
These policies would specify what is considered appropriate and inappropriate use of a mobile device. In addition, there must be enforcement of the policy, Voellinger stressed.
"You can set limits, but unless you call somebody on it, there's a sense that people can get away with it."
Voellinger also acknowledged that until monitoring and filtering are widely available, organizations may need to resort to use of blue smoke and mirrors.
"With cellular, everybody's in the dark," he said. "The organization has very little information about what's going on [in the field], and the user has little idea what the enterprise can see. But if you say there's a regular audit of usage and expenses or both, that will drive behavior. It gives the impression that Big Brother is watching."
David Haskin is a freelance writer specializing in mobile and wireless issues.