While smartphones are nothing new for the enterprise (BlackBerries have long been standard knowledge-worker accessories), the explosion of competing platforms, increased horsepower and ballooning Internet connectivity have ramped up their security risks.
A recent Aberdeen Group study found that the typical enterprise must deal with an average of 2.8 to 3.3 different smartphone platforms. Meanwhile, more than two-thirds of those surveyed noted that some or all employees were permitted to use personal-liable mobile devices for corporate use.
That "some or all" is telling. Sure, you can establish a policy blocking the average user's mobile phone from corporate access. What happens, though, when it's a senior executive who is bringing some new, untested platform onto your network?
Will you say no to your CEO?
Clearly, mobile phones are no longer something that IT can shrug off as someone else's problem. They are simply too powerful and pervasive to ignore. If your organization is struggling to cope as smartphones invade the enterprise, these five best practices should help.
Treating a smartphone like a PC means installing endpoint security, enforcing device-side encryption, having policies in place for how to connect to corporate assets (such as through a VPN) and requiring strong authentication to unlock the device in the first place.
The gold standard for secure smartphone usage is BlackBerry. The devices are encrypted, require passwords to unlock (although programs like UnlockIt are out there to bypass some of these requirements) and they can be controlled via the BlackBerry Enterprise Server, which gives IT the power to create and enforce more than 450 different policies.
The trouble is that knowledge workers aren't satisfied with BlackBerries alone. iPhones and Androids are the new trendy gadgets, yet they don't have the security pedigree of BlackBerry.
Even if new platforms are relatively untested from a security standpoint, that doesn't mean they can't be secured. As with the PC, most smartphone users will likely get their security from third parties. A number of security startups already have smartphones in their sights.
These include authentication vendors, such as MultiFactor Corporation with its SecureAuth solutions and Entrust with Entrust IdentityGuard Mobile; mobile antivirus vendors like Lookout and DroidSecurity; and mobile device management solutions from companies such as Zenprise, Good Technology and Trust Digital.
Smartphone security products are out there, and it's time for IT to start evaluating and adopting them.
Even though smartphones are becoming as powerful as PCs, they differ in important ways.
"Despite the risks associated with these devices, the current threat landscape is still in its infancy. The greater threat involves a lost or stolen device. In this case, password protection, encryption and related security measures become the highest priority to ensure the device and its data are secure," said Khoi Nguyen, Group Product Manager, Mobile Security Group, Symantec.
Sure, laptops get lost and stolen, but it's not really that common. According to Accenture, however, 10 to 15 percent of all handheld computers, PDAs, mobile phones and pagers are lost by their owners. This means that IT must expect these devices to get lost or stolen.
Besides password protection and encryption, IT should have the ability to remotely wipe or even brick phones. Even this, though, can be problematic.
According to Ahmed Datoo, VP of marketing at Zenprise, more often than not, users will delay reporting their device as lost or stolen, either in the hopes that they can retrieve the device or because they are embarrassed for losing it.
"Every second of delay could mean the loss of sensitive corporate data. Providing users with an ability to wipe their own devices will significantly reduce the risk of both personal and corporate data loss," he said.
Another important difference is that IT does not own most smartphones, which makes enforcing security policies trickier. Many security experts recommend controlling what applications can be present on smartphones. That's doable if the organization owns the phones, but it's impossible when end users own them.