Mobile phone security dos and don'ts

Is your enterprise security team struggling to keep up with the rapid proliferation of mobile phones? Five experts offer advice to help you secure everything from the BlackBerry to the iPhone and Droid.

By , Senior Editor

June 07, 2010, CSO

It used to be a luxury to own a smart phone. Now everyone seems to have one and can't seem to do their jobs without it. As the number of apps proliferates and the market floods with the latest flavor of BlackBerry, iPhone, Droid, etc., IT security shops face the fairly new problem of mobile phone security.

Here is a collection of do's and don'ts from five experts on securing mobile phones.


Joe Brown, information systems security engineer, CISSP, McAfee
There are AV packages available for most smart phones. The same use caveats apply to phones as to PCs: if you don't recognize the sender, or there is a suspicious attachment, don't open it. Be careful where you surf. Some Web proxies do support mobile devices.

Bluetooth is evil! Control your Bluetooth footprint. With iPhone, Droid and BB there are now products that can control the ability to add applications (think whitelisting or common operating environments).


Derek Schatz, senior security architect for a company in Orange County, Calif.
DO:

1. Only deploy devices that can support key features like encryption, remote wipe, and password locking.
2. Create specific security policy and procedure items for mobile devices that govern acceptable use, responsibilities (e.g., what to do if a device is lost or stolen), etc.
3. Monitor security vulnerability tracking feeds for new attacks on mobile devices.
4. Ensure devices in the field can be updated quickly to fix security issues.

DON'T:

1. Assume smart phones should only be given to senior management. Many staff-level positions can become much more productive with these tools.
2. Deploy devices for enterprise use without proper protections and control. The loss of proprietary information can be very costly to the business.

Michael Schuler, Chicago-based systems administrator
DO:

1. Define the purpose of having smart phones in the environment.
2. Define the best roles for having smart phones in the environment.
   a. Human resources should have a big part in this, especially when it comes to salaried employees.
3. Evaluate the products for security/performance features that fit your market.
   a. Certain products/devices may not meet the security requirements of financial or government institutions.
   b. How well does the product integrate with our existing infrastructure?
4. Implement security policies based on what was determined from Step 3.
5. Define what level of support you plan to provide if implementing different types of smart phones.
6. Solicit info from similar companies who have already implemented what you are looking to implement.
   a. Ask how long they've been using the product.
   b. Find out if there are any pinch points that they didn't foresee.
7. Build a test group of more than just IT staff to test your POC. Take usability information from IT and non-IT staff alike.