In an age when smartphones and tablets have quickly become the portable technologies of choice, companies are feeling the pressure to go mobile with their data and business applications. The convenience of mobile technology -- and for corporations, mobile ERP -- is hard to deny, but there are trade-offs. Employees want access to information on the go, while IT departments may fret over mobile security holes. Especially sensitive data might have to be made off-limits altogether. Given all this, do the benefits of mobile financial applications justify the risks?
Industry experts agree that the decision to go mobile with financial management applications should be made on a case-by-case basis, and only after constructing a thorough business plan. “It really depends on your organization,” said Jack Gold, founder and principal analyst at Northborough, Mass.-based J. Gold Associates. “If you’re truly increasing productivity in the field [with mobile financial applications], then yes, you should go for it. Far too many companies are just throwing information out there because mobile is cool. Not everybody should go mobile, and not every user should have mobile access, just like not every user should have access to, say, the SAP system.”
Chris Silva, an industry analyst at San Mateo, Calif.-based Altimeter Group, points out that mobile users often don’t treat corporate data with the same care as personal data. “You’ll see users more willing to take risks and put company financial data on their mobile device, when they wouldn’t put their own financial data on there,” he said. “On the consumer side, near field communication is becoming a big thing that is being looked at by users concerned about security, especially after incidents like the Google Wallet program being breached.” Though the communication range of near field is much shorter than Wi-Fi or other mobile networks, it is often seen as more secure, according to Silva.
Mobile financial applications: Examining the risks
The security risks associated with mobile financial applications are much like the risks associated with any mobile ERP system, but when financial data is in play, the stakes are often higher, industry watchers say.
“Your ultimate goal is to make people more productive while limiting your company’s risk or exposure,” Gold said. “The problem is that with any mobile platform, the security it comes with is lacking, unless you alter it yourself. Android is probably the worst right now, though the iPhone also has security problems. BlackBerry has been the standard for business for longer.”
The growing popularity of the BYOD -- “bring your own device” -- model creates additional mobile security risks. “Most organizations have people using their own mobile devices,” Silva said. “Research by iPass suggests that 75% of companies don’t have policies to control those personal devices. So these organizations are lacking device encryption, passwords and standard enterprise-level protections that would be on laptops or desktops. With rich media-centric devices, people are using more high-speed networks, meaning Wi-Fi, which often means unsecured. [With mobile] I’m exposing my financial data to more risky networks than I would usually be doing.”
But BYOD isn’t solely to blame for companies’ mobile security risks, according to Philippe Winthrop, founder and managing director of the Boston-based Enterprise Mobility Foundation. “BYOD started as an attempt to reduce expenses, as people were expecting to be able to bring their iPhones into the workplace. It frankly doesn’t matter if a device is owned by the company or not. BYOD COPE -- 'corporate owned, personally enabled' -- is an option that is the mirror image of BYOD. It’s about how to secure somebody else’s device versus how to allow an employee to do what they want and personalize a corporate device. As long as there is corporate data on it, any device needs to be secured up to company standards.”
Mitigating mobile security risks
According to Winthrop, there are two components to keeping mobile financial data -- and all other business data -- secure: mobile device management and mobile application management. The physical hardware has to be managed and secured; simultaneously, companies must be able to deploy, secure, install and uninstall applications.
“Mobile device management is being used incorrectly as an umbrella term,” he said. “What they want to say instead is EMM -- enterprise mobility management -- which includes security, help desk and application management. Application management is all about pushing out and updating apps from the mobile device, security protocols, enforcement of passwords, data encryption. There is no gray line when you’re looking at corporate data. Who owns it? The company. Hence it has to be managed and secured.”
Gold emphasizes the importance of making a “risk profile” before starting with mobile financial applications. “Are you in a regulated industry? Are you dealing with very sensitive info? Will you go to jail for losing that data? Think about who really needs to have access to this data; you almost need to create a matrix of who has access to what. Finally, set appropriate policies within your organization -- written down, not word of mouth -- to decide who gets access to what data. Get your security experts involved up front, and maybe even HR and legal.”
Having a corporate plan in place will take the guesswork and panic out of mobile security issues, said Gold. “If somebody is walking around with important financial data on their device, you need ownership of that data. You need to set policies and procedures for how you deal with that data. If the device is lost, you need to be able to wipe it. If the person leaves the company, you need to make sure the data doesn’t go with them,” he said.
New security-focused applications are also springing up to address mobile concerns, Silva said. “We’re seeing vendors put forth presentation tools -- tools that use a secured website or native tool that is unique to the user, but doesn’t leave any data or traces on the device. Some companies are putting in security that allows you to sandbox information so the data is stored very securely in one area of the phone.”
“These initiatives are focused on specific data programs, rather than the entire phone’s security. I don’t expect to see the handset makers go through that rigorous process at a platform level, but I do expect to see application vendors carry the flag for best practices in device security,” Silva said.