Kok Tin Gan, Partner, PwC and Felix Kan, Manager, PwC
We have entered the age of mobility – in fact, you may be reading this article on your favourite smartphone or tablet. Enterprise Mobility is not just a mega trend driven by consumers that leads corporates to re-design how they interact with those consumers; it is also an opportunity for corporates to re-engineer their communication models with all the different stakeholders in the business, from employees in the field to senior management in the boardroom.
Enterprise Mobility comes in different forms, such as Bring Your Own Device (BYOD), Software as a Service (SaaS), Infrastructure as a Service (IaaS) and other home office solutions. All these different terms and technologies share the same philosophy: to let us stay connected with the information (and knowledge) we need, from anywhere, at any time. This is an era in which we believe not only that Knowledge is Power, but also that Speed is the Essence in the commercial context.
While we focus on what we have gained from these technologies, seldom do we take a step back and examine what we have lost for the same reason. In this article, we take a different perspective and explore how corporates put themselves in more vulnerable positions, with higher exposure to cyber security attacks targeting their employees, intellectual property and other mission-critical systems, and what we should do to secure our digital assets without compromising the benefits we have been receiving from Enterprise Mobility.
In our daily operations involving Enterprise Mobility, checking email is essential, and checking email on a smartphone is even easier, especially when you do not need to worry about logging in with your complex password every time you launch the email app (assuming your corporate did not deploy a tailored email app). You respond faster to emails because your smart device has remembered your credentials and logged in for you automatically, but this convenient feature naturally turns your smartphone (be it personally owned or corporate owned) into low-hanging fruit in the eyes of hackers. Imagine connecting your smart device to a free public Wi-Fi hotspot that is shared with other users, including hackers. Is the data flow between your smart device and the email server secure? Even where corporates have encrypted the data in transit, hackers may still be able to steal the data, including your email credentials, by using various techniques such as “SSL certificate impersonation”.
Enterprise Mobility is more than checking email on personal smart devices. You may be using multiple native mobile apps to view business reports, claim or approve expenses, or read sensitive documents on a smart device; while waiting for your next flight (or favourite beverage) in a lounge, you can get things done with your thumb. The same piece of business data now flows to your smart devices, and probably to other places beyond the expectation of corporates (or data owners), such as third-party cloud services. The increase in data flow could also lead to more data leakage scenarios. While we are using smart devices as if they were our personal computers or laptops, are they at the same level of security (or at least configured in the same manner in terms of security)?
Corporates are often under the impression that deploying and configuring Mobile Device Management (MDM) tools is the only way to secure employees’ smart devices and the business data residing on them. This type of management tool allows the administrators of your corporate to manage both the smart devices and in-house apps effectively (e.g., remotely wiping the enterprise apps on a leaver's device). It is not uncommon to see in-house developers or application owners neglecting mobile application security because MDM has been implemented, resulting in the introduction of additional security vulnerabilities to their companies. These vulnerabilities, when exploited by malicious users or hackers, can result in reputational, financial and operational damage.