This is a guest post by Mark Bower, Vice President, Product Management at Voltage:

Once mostly prohibited by IT, smartphones and tablets—such as Android-based phones and Apple iPads—are now being used by hundreds of millions of employees worldwide to access, transmit and store corporate information in today’s 24×7 business environment. This “extended enterprise” introduces new challenges and complexities for IT. Not surprisingly, security has emerged as the No. 1 challenge posed by the BYOD (“bring your own device”) trend.[1] IT organisations are concerned with device loss, data leakage and unauthorised access to corporate resources, as well as the growing use of “guest access” to corporate networks.

In response to these perceived risks, organisations have begun implementing a range of data security measures. Traditional approaches involve perimeter-based security controls such as firewalls and smart screen filters. But no amount of perimeter defense can protect data accessed by and subsequently stored on and transmitted by smartphones and tablets, especially outside of enterprise control.

Five Things To Know About Mobile Data Security

There are the three mission-critical areas in which mobile data must be protected without disrupting user productivity:

· To protect e-mail communication that contains sensitive information and is subject to regulatory compliance.

· To protect sensitive business data and files.

· To protect transaction data captured by new mobile payment methods.

Even as security threats loom, informed organisations have an advantage. These five tips can make or break mobile data security efforts:

1. It’s all about securing data.

In an ideal world, sensitive data travels in welldefined paths from data repositories to a wellunderstood set of applications. In the real world, however, data travels everywhere, anytime, with constantly shifting applications running on an evolving set of platforms. The data lifecycle is often complex, extending beyond the container and the application—even outside the enterprise into offsite backup services, cloud analytic systems and outsourced service providers. Not to mention the onslaught of user-owned devices making their way into the fold. So although armoring applications and devices is one dimension in establishing a defensive posture, it isn’t the entire answer—nor is the installation of security solutions from a wide range of vendors. There will be security gaps that eventually impede enterprise risk management and user productivity. Rather, data security is a multi-pronged risk challenge that requires a datacentric approach across all dimensions.

2. Assume you’ve been breached.

That’s the unsettling opinion of Shawn Henry, the U.S. Federal Bureau of Investigation’s top cybersecurity officer. Henry, formerly Executive Assistant Director at the FBI, told The Wall Street Journal that current approaches to fending off hackers are “unsustainable.”[2] FBI agents increasingly come across data stolen from companies whose executives had no idea their systems had been accessed. “We have found their data in the middle of other investigations,” he told the Journal. “They’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.” The challenge is only compounded by the proliferation of smartphones and tablets. Henry said companies need to make major changes to avoid further damage to national security and the economy.

3. You don’t need an entirely separate strategy to protect your mobile data.

Mobile devices are endpoints that require the same attention that is given to PCs and laptops. Many of the same processes and policies that are leveraged for PCs and laptops are applicable to mobile platforms. Still, mobile devices are built for connectivity; the personal nature of these devices, combined with the inability to regulate or monitor user activity, means that the focus of protection must change. Simply adding another “point solution” isn’t the answer. Enterprises need to make mobile data security part of their risk management strategy—consistent with desktop and laptop security—without compromising the user experience.

4. You don’t have to forfeit usability for security.

The primary purpose of smart device adoption is to improve productivity for a geographically distributed and highly mobile workforce. Security mustn’t be a barrier to productivity. Still, current mobile security solutions focus on creating boundaries within the devices on which data can be stored and accessed. When encryption is used, it’s typically non-user-friendly, non-application-specific and lacks granular policy controls. Additionally, it usually relies on a traditional key management approach that requires massive investment to scale in today’s environment. Security for mobile data must be as transparent as possible without losing effectiveness, and it must not intrude on familiar user experiences—yet it has to provide IT with the control it needs in order to ensure security at the data level.

5. Compliance doesn’t equal security.

Compliance relevant to IT systems is now being extended to mobile devices—and for very sound data risk reasons. Companies must understand how these same data privacy, regulatory compliance and risk management practices should be applied to the mobile and cloud platforms. But being certified compliant or using solutions that help achieve compliance doesn’t always translate into effective data security. For example, a desktop computer stolen from a California health care organisation was password-protected but unencrypted. The theft potentially exposed the personal information of nearly four million patients.[3]

Mobile Security In The Real World

Over the years, companies have taken numerous approaches to mobile security. These have ranged from banning such devices altogether from the corporate network to remotely “wiping” corporate data in the event of the loss or theft of a device, to adopting a “container” approach to protect mobile apps and data. None of these approaches is satisfactory. In a data-centric approach to mobile security, data (both structured and unstructured) is encrypted as soon as it’s acquired. It remains encrypted as it is used, stored or moved across data centers, public and private clouds and devices, to be decrypted only by the intended party. The goal is to devalue or “kill” data, so that even in the event of a breach, the encrypted data will have no value to cybercriminals. And data is protected without disruption of user productivity.

Take Action Now

Mobile devices aren’t going away, and BYOD and “the consumerisation of IT” aren’t fads. These trends are quantifiably improving corporate agility, but the security risk is real.

Traditional security approaches lock down the infrastructure, but that’s not the target for today’s cybercriminals. They want sensitive data, which is valuable; easily monetised; and increasingly on the move, into and out of IT infrastructures. And they fully understand where and when to find “data in the clear,” when it’s most vulnerable, and they’re willing to wait.

That is awesome from an efficiency and productivity perspective, but it also exposes sensitive data and network resources to new risks. In a nutshell, if users can access the personal information of customers from the other side of the world through their smartphone, so can a cyber criminal. If your users can connect to internal network resources from an ultrabook or tablet, then so might an attacker–particularly an attacker that possesses a stolen laptop or tablet that’s already configured to access your network.

It’s a brave new world, but one that requires awareness of the new risks it imposes, so you can properly protect mobile devices and take advantage of the benefits with confidence and peace of mind. Pankaj (PJ) Gupta, CEO and Chief Architect at Amtel–a company that offers an integrated Mobile Device Management and Telecom Expense Management platform for enterprises–shares his thoughts on the top five mobile security threats, along with tips to mitigate and minimize the risks.

1. BYOD—Allowing employees to use their personal devices either in the company setting or to conduct company business can be a recipe for disaster. Aside from the risk of mixing business and personal data, photos, social media activity and more, allowing access to corporate data on a device or network that the company does not own or control can easily allow sensitive information to fall into the wrong hands. Establishing specific rules and guidelines or placing access restrictions on the use of company information and/or apps on employee-owned devices is the first line of defense in thwarting the BYOD risk.

2. Apps management—While there are thousands of incredibly helpful apps on multiple platforms, there are also many that have no place in the corporate environment, from either a productivity or security standpoint. To ensure company data is uncompromised, use a whitelist/blacklist program and software that controls and/or monitors app use to manage what’s available and/or accessible.

3. Productivity drain—While not exactly a security threat, time wasted on games, social networking and other leisure apps can be a serious threat to productivity and competitive position. Geo-fencing, or the use of GPS location boundaries to secure/restrict access to certain apps can solve the problem. For example, companies can set up a geofence that disables Angry Birds and Cut the Rope while within the office building. Geo-fence technology can also be used to restrict features on the device, prohibiting the use of the camera in areas where trade-secret equipment or sensitive documents are kept, for example, or enabling access to data-heavy apps only when Wi-Fi is available to control data costs.

4. Content sharing—Companies may want to be selective about the type of content made available on mobile devices. For example, investor documents, proprietary information and other sensitive material can fall into the wrong hands if the device is lost or stolen. The use of content-sharing controls can secure access to those documents, as well as push automatic updates as documents are changed, to ensure the latest version is always available. Sharing controls can even restrict the ability to transmit documents via a mobile device without proper authorization.

5. Password security—It’s hard to believe that in 2013, passwords are still an issue. Yet, some reports show that roughly half of mobile phone users don’t use a password to protect their device. For those that contain corporate apps or access to company data, that’s a huge security hole just waiting to be exploited.  Use of a containerized solution can plug the hole, requiring a separate password or PIN to access corporate data, regardless of whether the device itself is password protected.

I agree for the most part that these are five of the top issues facing organizations when it comes to effectively embracing mobile computing without compromising security. I recommend reading Five Steps to Creating an Effective Mobile Device Policy, and 5 Essential Capabilities of an MDM Solution.