Managing and Securing Mobile Devices

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Where a limited support policy was appropriate two years ago, IT must now take on a much more active role in provisioning, supporting, and managing mobile devices. Because many employees use their own devices to store company information or otherwise ignore company mobile usage policies, companies often don't have control of the devices, what information is stored on them, or how the information is protected. Unmanaged mobile devices represent one of the most serious and often overlooked security threats to the enterprise. As several incidents over the past year demonstrate, the risk of information loss or theft from laptops, PDAs, phones, converged devices, and tablets is increasing rapidly. Organizations should balance the growing requirement for mobility with sensible policies on mobile usage and security, along with technology to enforce the policies. While more organizations have mobile policies than two years ago, comparatively few companies have invested in technology to manage and protect the devices.

Mobile Devices Need to be Managed and Secured

The proliferation of laptops, PDAs, and other mobile devices in the enterprise, coupled with the explosion of wireless connectivity options, has led to significant support issues and security risks. Mobile devices are vulnerable to theft and loss, with most companies budgeting for a 20% or higher loss and failure rate for PDAs. While the cost of replacing the devices is relatively insignificant, more and more users store sensitive information on the devices. Additionally, mobile devices can introduce viruses or worms to the corporate network.

However, the majority of companies have not taken steps to address these issues. Based on a recent Forrester survey, only 9 percent of companies have deployed mobile management tools; another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months (see Figure 1).

Given the significant risks posed by mobile devices, companies should take immediate steps to review mobile usage and security policies, and implement security and management tools. This report will outline both the challenges posed by mobility and the steps companies can take to manage and secure the devices.

The Proliferation of Mobility

Mobile devices are quickly becoming a strategic asset for many companies. Wireless email has become tremendously popular among mobile executives. Companies are also beginning to use connected mobile devices to deploy applications to the field for sales or other business tasks. However, the need for information access and mobility also creates a number of potential risks.

There are four categories of remote employees who work some or all of their time away from a corporate office. Each type requires a different approach by IT to mobile device provisioning, management, and support. These include: permanent or regular telecommuters; casual telecommuters and day extenders; mobile knowledge workers; and mobile task workers.

Many of corporate IT's challenges regarding provisioning and supporting remote workers, including predominantly mobile or untethered ones, can be resolved by articulating - and periodically revising - a formal written corporate mobile usage policy.

Risks Posed by Mobile Devices

Companies view security as one of the top priorities for supporting remote workers. However, most enterprises have done little to secure devices other than laptops. Even laptops are often at risk, in part because IT typically assigns Power User or Administrator rights to the laptop users. While almost all companies have developed mobile user policies, few feel that they can enforce the policies adequately.

It is only a matter of time before viruses, worms, and other malicious code become a serious problem, and attackers begin to target mobile devices. Theft and loss of devices, coupled with a failure to follow company policy, is already a significant (and again, overlooked) problem for many companies. Several publicized incidents over the past 12 months suggest the severity of the problem:

• In August 2003, a BlackBerry that belonged to a former Morgan Stanley executive sold on eBay for $15.50. The buyer discovered that the device - which had been sitting in a desk drawer without batteries for months - still had hundreds of internal confidential emails, as well as personal information about the former owner. Although Morgan Stanley had a policy stating that mobile devices were to be returned to IT for data cleansing, no one followed up when the executive left the company. While the email account was deactivated, old emails remained intact on the device.
• In January 2004, two laptops belonging to GMAC Financial Services were stolen from an employee's car. Although the theft appeared to be random, the company sent out letters to approximately 200,000 customers warning them of potential identity fraud; the customer's personal information had been stored, unprotected except for a Windows log-on password, on the laptops.
• In February 2004, a rental car was stolen from two Wells Fargo employees. Two laptops were in the trunk that contained confidential customer data. As with GMAC, the laptops were only protected by log-on passwords. Wells Fargo sent letters to thousands of customers notifying them of the potential for identity fraud.

Viruses, worms, and spyware, all of which mobile devices are potentially more vulnerable to, also pose significant risks. However, Forrester believes that device loss and theft pose a much more significant threat to enterprise laptops and PDAs than most customers realize.

Organizations should take immediate steps to review or implement mobile device usage and security policies. Password enforcement, remote device "kill" capability, virus protection, and secure connectivity capability are readily available and can reduce mobile security risks. However, managing mobile devices is a complex task that requires careful consideration.

The Challenges of Managing Mobile Devices

There are several challenges associated with managing mobile devices:

• Mobile devices are often outside of the enterprise network. The devices may connect over unsecured networks, or reside in a disconnected state where they can't easily be touched by management tools. More sophisticated local management agents can enforce policies and manage the device without connecting to the corporate LAN.
• PDA operating systems are not designed with enterprise support in mind. The devices are difficult or impossible to upgrade, and relatively few security patches are released for the major mobile device platforms.
• Users often bring in their own devices without IT oversight. In many cases, employees - particularly executives - may expense a mobile device purchase and connect it to their machine using desktop synchronization tools. If users have administrative rights - as many knowledge workers and laptops users do - they will easily be able to install the synchronization software. If the company is not willing to set and enforce standards, the costs and risks associated with the mobile device population could quickly spiral out of control.
• It is easy for users to load potentially sensitive information on to devices. Even if the company has policies regarding mobile device usage, users often have a significant degree of control over what data and files are carried on mobile devices, including laptops, PDAs, and USB drives.
• Some users try to get around the system. Executives and knowledge workers, in particular, are prone to circumventing policies or even technology, especially if it inconveniences them. These users are the most likely to bring their own devices in to the enterprise, and they also frequently handle sensitive information.

Managing and Securing Mobile Devices: Best Practices

Companies should base decisions about mobile security on overall risks to the enterprise, rather than simply a perceived need for security. Clear deployment and usage policies, coupled with user training on security and an annual review of the company's mobile security policies, can help companies make intelligent investment decisions and limit risks.

Mobile Usage And Security Policies

Companies should have a clear, consistent, and enforced policy for mobile device usage and security in the enterprise. Executive support for the policy is critical, especially since the executives will likely be among the most prolific mobile users. Mobile device usage policies should:

• Be convenient and easy for the user to follow. If it is disruptive or requires too many extra steps, users will almost certainly find ways to circumvent the policies.
• Balance productivity requirements against security and costs. Companies that have less stringent security requirements do not need to invest as much in mobile management and security tools. The policy can also reflect the relative need for security.
• Vary by the users' roles and type of information they handle. A delivery truck driver may be inconvenienced by a strong password policy and might not even handle confidential information; a software engineer for a video game company might work with extremely sensitive code for an unreleased product on a laptop; a pharmaceutical company account manager might carry potentially sensitive information about products, pricing, doctors, and patients on a PDA (and could be subject to HIPAA regulations). A single mobile usage policy is not appropriate for all of these users.
• Specify how users should synchronize information with mobile devices. The synchronization policy should cover the means, the process and, potentially, the content to be synchronized. Server-based synchronization tools, rather than desktop tools, provide a centrally managed context for delivering information to devices.
• Include guidelines for data usage and transfer. This is particularly important for portable USB drives, flash memory cards, and writeable CDs and DVDs. It is difficult to enforce portable storage policies with existing technology, but as USB drives and flash memory become more prevalent, it is important to address these issues in the usage policy. Users should not be prohibited from carrying confidential information on unencrypted USB drives or other removable media.
• Summarize proper use and care of company-owned or -supported mobile devices. This should include security guidelines specific to mobile devices, such as password and authentication requirements, the use of locking devices for laptops, and general guidelines for safeguarding devices.
• Have a definition of corporate standards for hardware selection. One of the more common questions asked by IT managers is, "What devices should the enterprise support?" Support for multiple devices is going to be the rule, not the exception. It must be clear what the organization will or will not support and who is responsible for that support. The policy should include the hardware vendors and generic configurations supported, as well as the choice, for example, of a desktop PC and PDA or a laptop PC, depending on the user's expectations about what portion of his time he will spend in a fixed location (e.g., remote or home office), and what portion of time he will be on the road or untethered.
• Outline standards for support of employee-purchased equipment. Companies may choose to support employee-purchased devices, but they should not allow devices on to the network that cannot be managed, secured, or that otherwise are not part of the corporate standard.

Communication and User Education

Implementing an effective mobile device policy also requires regular communication with the users. Any changes in the policy and IT provisioning and support should be communicated to the users, along with short call-in training sessions that allow time for participants to discuss frustrating experiences and stories of successful support. By both communicating policies and providing feedback mechanisms, IT can reduce the number of help desk calls to IT by mobile workers and reduce support costs.

User education is also critical. Educating the users about best practices, particularly regarding security, can help reduce risks. If properly structured, half-day workshops and shorter online training sessions that focus on security threats and the actions users can take to protect themselves and the company can help reduce security risks. User education programs and policies should: