Introduction
Computing devices and the internet are two of the most important inventions of the 21st century. These technological breakthroughs have had a great impact on the personal and professional lives of people all over the world. Mobile devices are among the equipment that uses computing technology and the internet to provide communication services.
Many organizations have exploited computing devices to increase their productivity. The last decade has witnessed a prevalence of mobile devices in the corporate environment. Glisson and Storer (2013) state that mobile devices have become ubiquitous in the information-rich corporate environment, with most corporations increasing their usage of these devices each year.
This observation is corroborated by Friedman and Hoffman (2008) who declare that mobile devices have become important tools for organizational productivity.
While mobile devices have increased the efficiency of employees by enabling them to access organizational information and services at any time and from any location, they have created some security concerns. Mobile devices have a potentially negative impact on the cyber security of an organization and as such, special attention should be given when using mobile devices in the organization.
Security Impact of Mobile Devices
The very popularity and extent of the use of mobile computing devices and the internet create a special vulnerability for businesses. Computing devices and the internet have been used expansively by businesses since their invention in the mid-20th century. Many businesses exploited the efficient information processing ability of computers to gain a competitive advantage.
Historically, computing devices were restricted to desktop systems that could only be used within the organization’s environment. Wired technology was the primary means through which the system communicated (Bernik & Markelj, 2012).
However, there have been incredible developments in technology recently, in the form of wireless technology and mobile computing, which have changed the manner in which organizations access their information. Mobile communication began as a voice service; over the decades it expanded to include data transmission, and today we have 4G mobile communications (Dong, Joo, Chae, Wan, & Yoo, 2013).
These developments have made it possible for employees to have constant access to data and information. Purchases of mobile devices have already reached the billions and these devices have surpassed the personal computer as the prevalent method for accessing the internet (Patten & Harris, 2013). This prevalence of mobile devices has exposed organizations to a wide range of security risks.
In addition to the popularity and widespread use of computers by organizations, the ease of use and the compact nature of these devices also increase their vulnerability to attack. Mobile devices introduce security risks from the physical loss of the devices as employees move from the workplace to their home or client location.
This threat of loss is arguably the most important cyber security risk since it can expose the organization to significant losses. Employees store important information in their devices to enable them to work outside the office. Loss and theft of the hand-held device can lead to significant damage to the organization.
Friedman and Hoffman (2008) document that an organization's sensitive or intellectual property can be accessed by cyber-criminals once the devices are stolen. Keunwoo, Woongryul and Dongho (2012) confirm that there have been numerous cases of confidential business information being leaked through mobile devices. In addition to this, the devices can expose the company to external attacks.
Since the devices might be linked to the organization's database, they might provide an intruder with access to the domain and server system of the organization. When using non-mobile desktop systems, the risk of theft is minimal since most organizations implement good physical security for their offices. For sensitive information, organizations utilize state-of-the-art security measures including biometric security systems.
Besides the risk of being stolen, mobile devices also expose the organization by decreasing its ability to protect itself from cyber attacks. The internet is rife with security risks ranging from viruses and worms to hacking attacks. An organization has to employ security solutions to protect its IT infrastructure from these threats.
When dealing with non-mobile desktop systems and servers, the organization can implement a perimeter defense such as firewalls and intrusion prevention systems (Glisson & Storer, 2013).
These security measures ensure that the organization's computing infrastructure is safe from attacks. However, these strong security solutions cannot protect a device once it is outside the corporate perimeter. The mobile devices therefore suffer from an increased vulnerability to external attacks.
Another way in which the security of an organization is compromised due to mobile devices is by the introduction of the risk of interception of communication. Mobile devices make use of some form of wireless communication. These communication formats include cellular radio, wireless LAN, and Bluetooth communication.
Bernik and Markelj (2012) note that the internet is a crucial element of mobile devices, with almost all of these devices providing a wireless connection to the internet. The various wireless communications available have differing levels of security. Friedman and Hoffman (2008) state that in the non-mobile environment, the organization can impose stringent security protocols on the wireless networks.
These security measures render the wireless network secure from external penetration. However, outside the controlled corporate environment, the mobile devices make use of unsecure networks including public Wi-Fi. Malicious elements can easily intercept the communication from these unsecure connections.
In addition to the risk of interception, mobile devices cause a negative security impact by increasing the risk of access to sensitive information by unauthorized persons. In many cases, employees use their personal devices for business and personal purposes. This convergence of use presents a problem since the device might be handled by the employees’ friends who are not supposed to handle the organization’s information.
Bernik and Markelj (2012) observe that when wireless mobile communication devices are used, there is a blurring of the line between business and personal communications. This lack of boundaries can lead to sensitive corporate information being accessed by unauthorized parties through the mobile devices.
Addressing the Security Issues
Dealing with the cyber security risks introduced by mobile devices is imperative if organizations are to enjoy the benefits of these devices. A number of solutions have been proposed to mitigate or eliminate the security risks. Glisson and Storer (2013) state that organizations should implement specific security policies for mobile devices. All employees should be required to comply with the safety regulations.
These regulations should include preventive measures and protocols for device use outside the corporate environment. Bernik and Markelj (2012) assert that by implementing security regulations for mobile devices, an organization can ensure that all information technology is used safely.
Another way in which the security risks can be addressed is by having the IT department develop and implement a mobile device management (MDM) system that will ensure that the organization is able to comprehensively manage its employees’ devices.
Keunwoo et al. (2012) state that the mobile device management system should be able to monitor mobile access, identify threats and provide appropriate protection. Being able to identify the mobile devices increases the level of control the organization has over its IT resources.
MDM can also assist in preventing compromised mobile devices from accessing the network (Patten & Harris, 2013). This effectively reduces the risks that compromised devices might introduce into the main system.
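The access-gating role described above can be illustrated with a short sketch, added here as an example and not taken from the cited authors or from any MDM product. The device fields, the seven-day check-in threshold, and the sample inventory are all assumptions chosen to mirror the risks discussed in this paper (loss or theft, unauthorized handling, compromised devices).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# All field names, thresholds and device records below are assumptions made
# for this example; they do not come from any specific MDM product.
MAX_CHECKIN_AGE = timedelta(days=7)

@dataclass
class Device:
    device_id: str
    enrolled: bool            # known to the MDM inventory
    storage_encrypted: bool   # limits exposure if the device is lost or stolen
    screen_lock: bool         # limits casual access by unauthorized persons
    compromised: bool         # e.g. tampering or malware reported
    last_checkin: datetime    # last time the device reported its state

def evaluate(device: Device, now: datetime) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'deny', 'quarantine' or 'allow'."""
    if not device.enrolled:
        return "deny", ["device is not enrolled"]
    if device.compromised:
        return "deny", ["device is reported as compromised"]
    reasons = []
    if not device.storage_encrypted:
        reasons.append("storage is not encrypted")
    if not device.screen_lock:
        reasons.append("screen lock is not set")
    if now - device.last_checkin > MAX_CHECKIN_AGE:
        reasons.append("posture report is stale")
    return ("quarantine" if reasons else "allow"), reasons

# Constructed sample inventory (not real data).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
INVENTORY = [
    Device("phone-01", True, True, True, False, NOW - timedelta(hours=2)),
    Device("phone-02", True, False, True, False, NOW - timedelta(days=1)),
    Device("tablet-03", True, True, True, True, NOW - timedelta(hours=1)),
    Device("phone-04", True, True, True, False, NOW - timedelta(days=30)),
    Device("phone-05", False, True, True, False, NOW),
]

def decide_all(inventory=INVENTORY, now=NOW):
    """Evaluate every device and return {device_id: (decision, reasons)}."""
    return {d.device_id: evaluate(d, now) for d in inventory}

if __name__ == "__main__":
    for device_id, (decision, reasons) in decide_all().items():
        print(f"{device_id}: {decision} {reasons}")
```

Unenrolled or compromised devices are denied outright, while devices with fixable gaps are quarantined with the reasons listed so the user or IT department can remediate them.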
Conclusion
Mobile devices introduce numerous cyber security risks to an organization that utilizes them. This paper began by defining mobile devices and highlighting why their usage has become prevalent in many organizations today. It then set out to show some of the inherent risks introduced to the organization's IT infrastructure by the devices.
From the discussions presented in this paper, it is evident that mobile devices present risks in the form of unauthorized access to sensitive information contained on the device, attacks from malicious elements, and ease of interception of data due to reliance on unsecure networks. Addressing these cyber security risks is critical if organizations are to enjoy the many benefits of having their employees utilize mobile devices.
The paper has shown that mobile devices can be safe if users are educated on the security risks and the devices are used in compliance with stringent safety regulations. However, if these measures are not employed, these devices will continue to be the cause of great security risks to companies.
References
Bernik, I., & Markelj, B. (2012). Unlimited Access to Information Systems with Mobile Devices: Information Security Perspective. International Journal of Education and Information Technologies, 6(1), 407-417.
Dong, W.K., Joo, H., Chae, T., Wan, S., & Yoo, J. (2013). A Practical Attack on Mobile Data Network Using IP Spoofing. Appl. Math. Inf. Sci., 7(6), 2345-2353.
Friedman, J., & Hoffman, V.D. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management, 7(1), 159-180.
Glisson, B.M., & Storer, T. (2013). Investigating Information Security Risks of Mobile Device Use within Organizations. NY: Americas Conference on Information Systems.
Keunwoo, R., Woongryul, J., & Dongho, W. (2012). Security Requirements of a Mobile Device Management System. International Journal of Security and Its Applications, 6(2), 353-358.
Patten, K., & Harris, M.A. (2013). The Need to Address Mobile Device Security in the Higher Education IT Curriculum. Journal of Information Systems Education, 24(1), 41-52.