Mobile email opens hole in corporate security

13 Jun 2005

Firms that deploy mobile email devices to a small number of workers rather than holistically across the organisation are opening their company to bigger security risks, a senior Gartner analyst told

Monica Basso, a principal analyst at Gartner based in Milan, was in Dublin last week as a speaker at the Gartner Mid-Size Enterprise Summit, which was attended by 140 chief information officers (CIOs) from across Ireland and the UK.

In an interview with Basso said there were two serious problems being overlooked by companies that deployed mobile email devices to a select number of employees in their organisations.

Firstly, because devices such as the BlackBerry are being deployed on a hierarchical basis to senior managers rather than across the entire organisation, a small layer of the corporate firewall is being opened to allow these executives to send and receive emails while on the road. As a result, this risk is being overlooked by the IT department, whereas if the mobile solution were part of a broader remit the risk would be addressed.

According to Basso: “If you are opening a part of the firewall in order to access services, that is increasing the level of risk. There are solutions for security threats and CIOs need to underline the security risk and put in place a solution that is appropriate across the entire organisation. It’s about having the wrong attitude. In organisations where only a small group are using a device such as the BlackBerry, a hierarchy thing, these guys are using something that takes email from a corporate account and pushes it onto a public account on a niche device. That is really dangerous because you have data that was encrypted and protected that’s just going out and being published on the net.”

Secondly, in terms of the deployment of mobile email devices across the enterprise, Basso said the relationship and management of the contracts are often in the hands of the finance department or sometimes the individual executives and not the IT department. In a nutshell, she said, these devices are being treated like traditional mobile phones rather than as intelligent devices that carry security risks.

“It is easy to see the benefits of these devices through increased productivity. However, organisations do not realise that these devices are more like a PC than a mobile phone and should be managed by an IT department, not the company accountant. Mobile phone contracts should be an extension of IT also because of their increasing complexity. These devices are still treated as mobile phones.”

Basso continued: “Chief executives that are trying to avoid security risks are in fact opening the door to even bigger risks. They cannot avoid mobile use in the enterprise. However, they can avoid the bigger risks if they deploy a corporate-wide solution to manage any security threat. It is true that by using these devices you are potentially opening security holes. However, if you deploy the same wireless communication standard across the whole enterprise you may reduce the risk.”

Basso also pointed to another major threat brought about by the advent of Wi-Fi, whereby employees are plugging wireless routers into corporate access points for their own personal usage. However innocent their intentions, these employees are opening a secure private network to potentially being hacked by a snooper in a car parked a few meters outside the building. “Businesses should be aware of these trends and create a corporate culture that encourages employees to avoid doing things that put the company at risk.”

By John Kennedy