For those companies in the process of drafting a mobile security policy, the key is to strike a balance between productivity and security. Theres a tradeoff, observes Egner. CIOs like the productivity of personal equipment, but they dont like the security.
Forresters Maribel Lopez notes that the best practices policy is for companies to restrict users to a few devices. But lets be realistic, she writes. Huge backlashes occur when IT wont allow executives who got the latest Treo or Motorola Q for their birthday to connect to the network. Rather than forcing employees to circumvent the system, an employee who purchases a device on the approved list should be able to register with IT to get it connected. However, they need to understand that IT will provide only limited support.
The Many Myths of Endpoint Security
IT, Security and the Legalese of Compliance
Restoring Online Privacy
Security Flaw Could Ground Wi-Fi Users|
Lopez recommends that a mobile security policy address three elements:
Mobility Framework Who can have a device? And which devices, operating systems, and applications will be supported?
Security How will devices be secured? How often should users reauthenticate? When and how will devices be neutralized if lost?
Device management and support How will devices be procured, managed and supported?
Making Enforcement a Priority
Unfortunately, the greatest mobile security policy in the world wont protect a company if the policy is not enforced. In an August 2006 study, The Ponemon Institute reported that 41 percent of the companies surveyed did not believe that they effectively enforced data security policies.
Ironically, the problems with enforcement start right at the top.
The members of the executive team are the worst offenders, observes Egner. They have the most sensitive information, and they are the most likely to be gadget freaks. Hes seen cases where companies end up with a double standardone mobility policy for executives and one for everyone else.
However, by taking a few relatively simple steps, IT can help reduce the number of employees at every rung on the corporate ladder from using unauthorized PDAs and other devices.
First, they can lock down corporate PCs to prevent users from installing their own software. This makes it harder for employees with rogue personal devices to sync their handhelds. Second, they should disable the USB ports on company PCs. This prevents employees from plugging in docking stations and also prevents the use of portable memory keys that can be used to take sensitive information out of the building.
Finally, one of the most effective strategies isnt a technical solution at all. A growing number of companies make it a policy to provide employees with top-of-the-line gadgets at company expense. That way, the IT department controls which devices employees are using, and employees are less tempted to use personal gadgets for work.