IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Security on the go - everyone’s responsibility
Sun, 1st May 2011

With an increasing number of employees bringing their personal mobile devices into the workplace, organisations will have to adapt their security considerations.

While businesses might have a good awareness of general security for IT systems and data networks, mobile endpoint security can often be a gaping hole in the defence. This seems to be the case for New Zealand companies, which are still adjusting to the changing ways of accessing corporate data.

Geoff Cossey has been Director and Chief Executive of the New Zealand security software company Chillisoft since 1998. He tells IT Brief that, in his experience, mobile access security is not yet a high priority in New Zealand, which he says could be due to the still relatively high mobile data costs limiting extensive business usage.

"In general, New Zealand businesses understand most of the external risks and use reasonable anti-virus, firewalls etc. But as a culture we're very trusting and naive about internal risks such as employee data theft," says Cossey.

Small and medium sized companies dominate the New Zealand market, but Scott McKinnel, Regional Director Australia and New Zealand for the international IT security company Check Point, warns that smaller does not mean safer.

"The New Zealand market has the advantage of being made up of smaller organisations, which makes security easier to manage. However, security awareness tends to be much better in the larger enterprises and the managed services community," says McKinnel.

"This leaves SMBs open to threats, which are just as likely for a small company as a large one. SMBs still lose phones and laptops and are exposed to botnets," he says.

Catalin Cosoi, Head of the Online Threats Lab at the security software provider BitDefender, said organisations need to develop corporate policies under the assumption that mobile devices such as tablets and smartphones will be the norm, rather than the exception.

But he stresses that employee awareness is crucial.

"The most comprehensive IT policy would be of no use if employees are not aware of the importance of securing their devices against data breach," Cosoi points out.

"Training and awareness for employees are critical, particularly situational awareness training. Make sure that employees are aware of potential scenarios that may result in a data breach, and provide them with guidance on reporting or escalating these scenarios to their line managers and the IT team," he says.

Many employees will be aware of the risks involved with the internet and applications on a desktop or laptop, but may be surprised to learn that the same risks exist on a mobile device, and that mobile devices can introduce risk to the core network and systems as well.

McKinnel also sees employee awareness as critical, and says it has to be extended beyond the IT department, so that all staff understand how best to manage their technology to keep it safe.

"It's important to have more than one or two trained security staff in an organisation. At a bare minimum, employees need to have an understanding of data classification – about what information is highly confidential and unsuitable for external sharing.

"The IT department should empower the employees to manage this themselves. Systems shouldn't be there to hinder employees, but to guide and educate them in plain English on what is and isn't appropriate information to send. People need the context around the information and instructions they are given," McKinnel says.

"IT should take an advisory and monitoring role, so it can be a teacher rather than a police officer."

Looking at the big picture

Aaron McDonald, Business Manager Mobility for the security provider Gen-i, suggested not all IT departments have fully grasped the impact that new mobile devices can have.

"Many CIOs would be very surprised by the level of company information that can be directly accessed or stored on a mobile device. It is often something overlooked in the security assessment landscape. With mobile smartphone devices being more powerful than some common desktop machines, mobile security needs to be lifted up the list of risks.

"The temptation is to take a locked down approach to the types of devices allowed in the workplace in order to narrow the scope of learning for the ICT teams. This is becoming increasingly difficult as users who are tech savvy want to be able to bring the tools they use at home to work and keep up with the latest technologies," says McDonald.

To fully meet the changing security requirements, Check Point's Scott McKinnel suggests keeping an eye on the bigger perspective.

"CIOs should think about their security holistically. They should aim to reduce the number of vendors and the number of systems. This will give them better leverage with vendors and improved purchasing power. It also saves on training costs and reduces the potential for misconfiguration and incompatibility," he says.

"The more components you have, the more likely you are to have interoperability challenges. When businesses experience a breach, having multiple security products in place makes remediation much more difficult."

McKinnel recommends that a mobile enterprise security policy should include guidance on data classification and do's and don'ts for users, and says there should also be intervention for context.

"For example, it may be fine for the CFO to email financial results to an auditor, whereas it would not be appropriate for a business analyst to send that information to a stock broker," McKinnel says.

Shifting responsibility

One of the reasons to consider formulating a policy for mobile security could be to establish where the accountability and responsibility for keeping sensitive corporate data secure really sits.

Somewhat controversially, the global analyst and consulting company Ovum stated in December, during an address to businesses in the Asia Pacific region, that it believes there will be a shift of accountability for security away from IT departments to the business, technology providers and employees – with ambiguity inevitable.

Ovum principal analyst Graham Titterington told IT Brief that the shift comes from the growth in compliance demands, where failure has major business consequences. He also sees the way in which IT is central to business delivery, and not just an administration tool, as an important factor driving the change.

"IT departments will continue to be more reactive than proactive to security, especially in areas like securing end-points. In that sense, the departments will increasingly need to be able to live with a degree of uncertainty in their IT security, particularly as alternative delivery models such as public cloud computing are adopted with increasing fervour," says Titterington.

Geoff Cossey from Chillisoft agrees that the responsibility for IT security should not be positioned only within the IT department, but at least shared with the rest of the company.

"I'm surprised that data security is almost exclusively considered an IT problem, and not more shared with HR as a training requirement. Many IT security breaches are 'social engineering', whereby people are duped into doing something such as authorising the installation of malware. In such cases technology solutions are only part of the solution," says Cossey.