Enterprises that do not want to include mobile devices in their environments often use security as an excuse, saying they fear the loss of sensitive data that could result from a PDA being stolen or an unsecured wireless connection used.
Such concerns are no longer viable, said Kevin Burden, program manager for smart handheld devices at Framingham, Mass.-based International Data Corp. (IDC). There are technologies available to properly secure mobile devices that are endorsed by the National Security Agency, the CIA and the FBI. "If they are good enough for them, then they should be good enough for most companies," he said. "They just need to do their homework."
For example, there are ways to make devices lock or destroy lost data by sending the machine a special message. Also, some mobile devices have high-powered processors that will support 128-bit encryption, Burden said.
Mobile devices do pose unique challenges, from a security prospective. There are some general steps users can take to address them, like integrating security programs for mobile and wireless systems into the overall security blueprint, said Tim Scannell, president and principal analyst for Quincy, Mass.-based Shoreline Research Inc. Here are a few more suggestions from Scannell:
- Implement strong asset management, virus checking, loss prevention and other controls for mobile systems that will prohibit unauthorized access and the entry of corrupted data.
- Investigate alternatives that allow secure access to company information through a firewall, such as mobile VPNs.
- Develop a system of more frequent and thorough security audits for mobile devices.
- Incorporate security awareness into your mobile training and support programs, so that everyone understands just how important an issue security is within a company's overall IT strategy.
Perhaps the first step in securing mobile devices is creating company policies that address the unique issues these devices raise. Such questions include what an employee should do if a device is lost or stolen. Gene Fredriksen, vice president of information security for Raymond James Financial, said his company's policy includes notifying the appropriate law enforcement agency and changing passwords. User accounts are "closely monitored for unusual activity for a period of time," he said during a recent e-mail interview.
There are a couple of ways companies can go about creating policy for mobile devices. One way is creating a distinct mobile computing policy. Another way is including such devices under existing policy. There are also approaches in-between, where mobile devices fall both under existing general policies and a new one.
Raymond James Financial take this hybrid approach, where a new policy is created to address the specific needs of mobile devices (such as what to do if they are lost or stolen) but more general usage issues fall under general IT policies.
As part of that approach, the "acceptable use" policy for other technologies is extended to mobile devices. "There should not be a separate one for wireless, LAN, WAN, etc. ... That is a problem waiting to happen," Fredriksen said, noting that a properly written network policy can cover all connections to company data, including mobile and wireless.
Companies new to mobile devices may adopt an umbrella mobile policy but find over time that they will need to tweak it to match the challenges posed by different kinds of devices, Burden said. For example, wireless devices pose different challenges than non-wireless devices. Also, employees who use mobile devices more than 20% of the time will have different requirements than less-frequent users.
Over time, companies may create separate policies for mobile devices based on whether they connect wirelessly and with distinctions for devices that connect to WANs and LANs, he said.
It's never too early to start planning for mobile devices, even if a company can't afford them at this time, Burden said. The adoption of the technology has been slowed by the weak economy. But by contemplating its uses, companies may think of ways they can use it and, perhaps just as important, how their competitors will use it. "When the economy improves, your competitors will be executing their plans. If you don't have a plan, you'll find yourself severely behind the curve," he said.
FOR MORE INFORMATION:
- FEEDBACK: Has security been an excuse for your enterprise to deny mobile devices?
Send your feedback to the SearchSecruity.com news team.