Mobile devices such as smartphones that are proliferating across the enterprise, introducing a range of new data risks to organisations. These devices, which often hold sensitive corporate data, can easily be misplaced or stolen. Because they’re often purchased by employees rather than the company, it can be difficult to enforce specifications and usage controls. While most organisations track and control laptops using serial and asset tags, these policies are rarely applied to smartphones and other mobile devices.
Whose Device Is It?
One of the reasons deployments of mobile devices can be risky is that they are opportunistic. People are going mobile to suit their own needs, and the security of corporate data may be of secondary importance to them.
A company’s goal should be to incorporate a mobile strategy that encompasses the needs of the entire organisation and the various groups and teams within it. This strategy should be backed up by clear policies that govern issues such as data protection and information security.
The first step to introducing a mobile security policy is to determine who owns the device – the company or the employee? If the company owns the device, when can employees use it, and what can they use it for? The policies need to be fair and reasonable.
An obvious, but often overlooked point, is that organsiations need to be sure that the technology they deploy is liked by the users – if they don’t like it, they won’t use it. It’s therefore important to find a mobile platform that offers end-users choice in terms of the device’s form factor (text input method, size, look and feel), but still offers the company and IT department control to easily run and manage the platform.
On the other hand, if a company requires employees to purchase their own mobile devices, but at the same time heavily restricts the way these devices are used, it will breed resentment among its employees and struggle to get buy-in for its policies.
When drawing up mobile policies, an enterprise should start by thinking about the value of the information it is trying to protect. The assets on a smartphone may include passwords for online banking or corporate network applications, or even be as simple as customer names and contact details.
Ensure that policies are effective
Policies should be written in accordance to a company’s individual working practices and methods and not in isolation, because the people who are asked to use or enforce them may have differing opinions. A sole policy writer may also neglect things that are important to others.
Management should enforce and buy into policies or the implementation of them may be adversely affected. However, managers should be careful not to use their own handheld devices in ways that contravene policies.
Nuts and bolts
Writing policies is just the beginning. One also needs the ability to enforce them. Companies must be able to manage mobile devices in the same way they manage laptops – as corporate assets.
It is wise for an enterprise to standardise on a robust mobile platform that provides the configuration management tools it needs to manage and control mobile assets; configure its end-to-end mobile deployment; view or report on all device assets; ensure policy compliance through IT settings; and manage security.
The policies should encompass aspects of mobile device use, such as which applications will users be able to download and install, are there restrictions to using Bluetooth® that need to be considered, will data encryption be mandatory on all devices to protect data at rest, and what will your corporate stance be on media cards, cameras, Wi-Fi® and GPS?
The solution should be flexible enough to provide access rights to certain functions based on tiered administration roles from the “help desk” to the “full administrator”, and to accommodate the needs of different user groups.
Available policies should include commands that allow system administrators to lock or “kill” a handheld device. For example, if a user has misplaced their BlackBerry device, but expects to get it back, the administrator can render it temporarily unusable. If the BlackBerry device has been stolen, it can be permanently disabled and wiped to protect confidential data.
Backing up data on smartphones and PDAs is also becoming an issue. Handheld devices are frequently lost or damaged, so data loss and the associated loss in productivity can be a concern. Few organisations provide mobile employees with tools, training or guidelines covering data backup for these devices. Companies need to think about including back-ups in their policies.
It’s clear that the rise of the mobile workforce is putting more demand on IT departments for greater access to mobile devices and greater access to corporate data stores through those mobile devices.
Responsible companies recognise the inherent risks this carries, as well as the importance of creating comprehensive mobile policies for their organisation. No company can afford to neglect security policies for mobile users, especially given how quickly smartphones are spreading through the workforce.
Regional Director for Sub-Sahara Africa at Research In Motion (RIM)