Managing and Securing Mobile Devices

Page 2 of 2
  • Give users some accountability. Users who specifically circumvent or ignore security policies, or otherwise fail to observe common-sense precautions, should be subject to disciplinary action.
  • Make it clear what is at stake, including the user's own information. If the company loses a device with confidential customer data on it, the firm's reputation could be damaged, affecting revenue growth in the long term. Many users also store personal information, such as credit card numbers or other sensitive data, on PDAs and laptops, which gives them additional incentive to protect the information. Losing a laptop or even a PDA can also be extremely disruptive to the user if data is lost or temporarily inaccessible.
  • Give users the necessary tools and easy means to secure the devices. Make certain that tools are available and easy to use. For example, passwords and other authentication mechanisms should be easy to configure and use; encryption - if needed - should occur without user intervention or decision-making.
  • Raise awareness by demonstrating real security risks. Training sessions should show users how susceptible mobile devices are to theft and loss and what steps they can take to reduce risks. Incidents like the laptop thefts described above can help illustrate the risks and potential damage to the company.

The Issue Of Personal Mobile Devices In The Enterprise

Employees who want to use a personal mobile device to access corporate applications or data should also be encouraged to contact IT to learn what kind of support will be provided. In this way, IT can also build an inventory of these items to determine the most popular types of devices, along with their features and functions. Informal employee registration of personal mobile devices with IT will also potentially help the organization create an early-adopter resource list that could be used when revising mobile device standards and procuring services.

Companies that have not yet developed a mobile usage and security policy will also be able to reduce and address security risks by learning more about who is using which types of mobile devices to access the network.

Consider implementing company-subsidized and lease-to-purchase mobile device plans for employees. In this way, as company-issued mobile hardware reaches the end of its life cycle and is written off the accounting books, employees could be offered the option of owning the device that they have been using at no cost. This approach would also allow IT to retain some level of control over access to the network off-hours - assuming employees agree to use the software provided by IT for this purpose.

Selecting Mobile Management and Security Tools

Companies should select mobile management and security tools based on user requirements and overall security risks posed by the mobile devices. The following technologies should be evaluated for deployment:

  • Asset discovery to identify and track devices on the network. The tool should allow IT to track any mobile devices that connect either directly to the corporate network or via a synchronization cradle attached to a PC. The latter feature can be especially helpful in identifying noncorporate devices.
  • Synchronization tools for PIM, email, or enterprise data. The tools should be able to support managed, server-based synchronization.
  • Application deployment and update capability for enterprise applications that are deployed to mobile devices. These tools should be able to deploy and update applications to devices both inside and outside the firewall, as well as devices that connect via a synchronization cradle. If mobile devices are only used for email and PIM, synchronization tools are sufficient.
  • Antivirus. As the threat of viruses and malicious code on mobile devices grows, antivirus will quickly become critical. The major antivirus vendors now support mobile devices.
  • Password policy enforcement. While laptops are more likely to have managed password policies, PDAs are often left at the mercy of the user, as illustrated by the BlackBerry sold on eBay last year. Handheld devices are increasingly likely to have sensitive data on them and are even more vulnerable to loss or theft than laptops.
  • Remote device kill for any PDAs, laptops, or tablets with potentially sensitive data. This can take one of two forms. Password policies can be configured to perform a hard reset on the device after a certain number of failed login attempts. Some tools, including Sybase Afaria (formerly XcelleNet) and Novell ZENworks for mobile, allow IT to send a hard reset command to a missing device as soon as it attempts to connect to the network.
  • Encryption. Laptops in particular are likely to have much more sensitive data stored on them. The thefts reported earlier this year by financial services firms clearly demonstrate the need for encryption tools.
  • Client firewalls. These are critical for laptops that routinely connect to open networks and are vulnerable to network worms or other attacks. Tablet PCs running Windows XP will also be vulnerable to similar attacks, and over the next 12 to 18 months, PDAs will become increasingly vulnerable and will benefit from client firewalls.

Most companies will only need to deploy a handful of features. Companies should deploy technology based on the firm's requirements and overall need for security. This should be based on the nature of the information stored on the devices, and how vulnerable the devices themselves are to loss, theft, or other security risks. The mobility and information value categories are defined below (see Figure 2-1). Based on these definitions, companies can select appropriate technology for deployment (see Figure 2-2).

Recommendations: Take Immediate Steps to Secure and Manage Mobile Devices

Mobile management and security is a critical issue that companies should address immediately by taking the following steps:

  • Select mobile management and security technology based on user mobility and the risks posed by potential information loss. All laptops should have client firewalls and enforced password policies.
  • Start a user training and security awareness program and target high-risk employees. Employees who handle sensitive information or travel frequently should participate in mandatory security training. Tools like firewalls and password management should be easy to use and understand.
  • Review the policy and technology requirements at least annually to assess new risks or requirements. New technologies, such as the introduction of PDAs or USB drives to the mass market, or the proliferation of broadband access from hotel rooms, coffee shops, and airports, can lead to new security threats or manageability issues. It is important to assess the state of the market and the relative threats to the company's information assets on a regular basis.

Copyright © 2004 IDG Communications, Inc.
