While smartphones are nothing new for the enterprise – BlackBerries have long been standard knowledge-worker accessories – the explosion of competing platforms, increased horsepower and ballooning Internet connectivity have ramped up their security risks.
A recent Aberdeen Group study found that the typical enterprise must support an average of 2.8 to 3.3 different smartphone platforms. Meanwhile, more than two-thirds of those surveyed said that some or all employees were permitted to use personally owned (individual-liable) mobile devices for corporate work.
That “some or all” is telling. Sure, you can establish a policy blocking the average user’s mobile phone from corporate access. What happens, though, when it’s a senior executive who is bringing some new, untested platform onto your network?
Will you say “no” to your CEO?
Clearly, mobile phones are no longer something that IT can shrug off as someone else’s problem. They are simply too powerful and pervasive to ignore. If your organization is struggling to cope as smartphones invade the enterprise, these five best practices should help.
1. Treat smartphones like PCs
Treating a smartphone like a PC means installing endpoint security, enforcing device-side encryption, having policies in place for how to connect to corporate assets (such as through a VPN) and requiring strong authentication to unlock the device in the first place.
The gold standard for secure smartphone usage is BlackBerry. The devices are encrypted, require a password to unlock (although programs such as UnlockIt exist that claim to bypass some of these requirements) and can be controlled via the BlackBerry Enterprise Server, which gives IT the power to create and enforce more than 450 different policies.
The trouble is that knowledge workers aren’t satisfied with BlackBerries alone. iPhones and Android devices are the new trendy gadgets, yet they don’t have the security pedigree of BlackBerry.
2. Evaluate and adopt third-party security software
Even if new platforms are relatively untested from a security standpoint, that doesn’t mean they can’t be secured. As with the PC, most smartphone users will likely get their security from third parties. A number of security startups already have smartphones in their sights.
These include authentication vendors, such as MultiFactor Corporation with its SecureAuth solutions and Entrust with Entrust IdentityGuard Mobile; mobile antivirus vendors like Lookout and DroidSecurity; and mobile device management solutions from companies such as Zenprise, Good Technology and Trust Digital.
Of course, incumbent security vendors aren’t sitting this out. Symantec, Kaspersky, McAfee and Cisco have all released smartphone-related products.
Smartphone security products are out there, and it’s time for IT to start evaluating and adopting them.
3. Remember that smartphones aren’t PCs
Even though smartphones are becoming as powerful as PCs, they differ in important ways.
“Despite the risks associated with these devices, the current threat landscape is still in its infancy. The greater threat involves a lost or stolen device. In this case, password protection, encryption and related security measures become the highest priority to ensure the device and its data are secure,” said Khoi Nguyen, Group Product Manager, Mobile Security Group, Symantec.
Laptops get lost and stolen too, but far less often. According to Accenture, 10 to 15 percent of all handheld computers, PDAs, mobile phones and pagers are lost by their owners. This means that IT must plan on these devices getting lost or stolen, not merely hope they won’t.
Besides password protection and encryption, IT should have the ability to remotely wipe or even brick phones. Even this, though, can be problematic: a wipe command only takes effect once the device is powered on and reachable, so until then the on-device controls (the unlock passcode, storage encryption and an automatic wipe after repeated failed unlock attempts) are all that stand between a thief and the data.
According to Ahmed Datoo, VP of marketing at Zenprise, more often than not, users will delay reporting their device as lost or stolen, either in the hopes that they can retrieve the device or because they are embarrassed for losing it.
“Every second of delay could mean the loss of sensitive corporate data. Providing users with an ability to wipe their own devices will significantly reduce the risk of both personal and corporate data loss,” he said.
Another important difference is that IT does not own most smartphones, which makes enforcing security policies trickier. Many security experts recommend controlling what applications can be present on smartphones. That’s doable if the organization owns the phones, but it’s impossible when end users own them.
What IT can do is have policies in place for how users enter the corporate networks and access corporate data.
A third difference is the sheer complexity introduced by smartphones.
“When IT designed networks, they didn’t expect that users would be checking their mail from a desktop, a laptop, and a smartphone (or two),” said Alan DeKok, CTO of Mancala Networks. “This means that for a company of 1000 people, IT may have 3K-5K ‘end users’ to manage.”
Added users increase costs and weaken security: IP address pools run out, VPN concentrators hit their session limits, and firewalls become overloaded. To address this problem, though, IT must first get a better understanding of just what it is up against.
4. Gain network and device visibility
According to the Aberdeen report, the majority of organizations that allow employee-owned devices on their networks have little or no visibility into device usage patterns and telecom costs.
“Once an administrator has authorized a user to connect into the network with an iPhone, for example, the user does not need permission to add additional devices to the network. Without daily or weekly reports, IT has no visibility when a user switches their current smartphone for another type of device,” said Datoo of Zenprise.
Mobile management software helps in this instance. However, before understanding device usage patterns, IT must know what devices are on the network in the first place, which requires regular, thorough network scanning. Scans alone miss devices that never touch the LAN but sync mail over the cellular network, so pair them with the authentication and mail-sync logs (VPN, ActiveSync and the like) and diff the resulting inventory from one report to the next.
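The inventory diff described above, combined with the baseline checks from practice 1 (encryption, unlock passcode, endpoint agent, VPN-only access), as an added example that is not part of the original article and not any vendor's product. The `Device` record, the field names, the approved-platform list and the minimum passcode length are assumptions, and the two weekly exports are constructed sample data.

```python
# Added example (not from the article): diff two device-inventory exports to
# restore the visibility the article says IT lacks, then check every device in
# the current export against the section-1 baseline controls.
# The Device fields, the policy constants and the sample records are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Device:
    user: str
    device_id: str          # hypothetical MDM-assigned identifier
    platform: str
    encrypted: bool         # device-side storage encryption enabled
    passcode_min_len: int   # enforced unlock passcode length, 0 = none
    endpoint_agent: bool    # security/MDM agent enrolled
    vpn_only: bool          # corporate access restricted to the VPN


# Constructed sample exports, e.g. from an MDM report or a weekly scan.
LAST_WEEK: List[Device] = [
    Device("alice", "BB-0001", "blackberry", True, 8, True, True),
    Device("bob",   "IP-0002", "iphone",     True, 4, False, True),
    Device("carol", "BB-0003", "blackberry", True, 8, True, True),
]
THIS_WEEK: List[Device] = [
    Device("alice", "BB-0001", "blackberry", True, 8, True, True),
    Device("alice", "AN-0004", "android",    False, 0, False, False),  # new, unmanaged
    Device("bob",   "IP-0002", "iphone",     True, 4, False, True),
    Device("carol", "IP-0005", "iphone",     True, 6, True, True),     # swapped her BlackBerry
]

APPROVED_PLATFORMS: Set[str] = {"blackberry", "iphone"}  # assumed policy
MIN_PASSCODE_LEN = 6                                     # assumed policy


def platforms_by_user(devices: List[Device]) -> Dict[str, Set[str]]:
    """Map each user to the set of platforms they currently have enrolled."""
    out: Dict[str, Set[str]] = {}
    for d in devices:
        out.setdefault(d.user, set()).add(d.platform)
    return out


def diff_inventory(previous: List[Device], current: List[Device]) -> Dict[str, object]:
    """Report devices that appeared or vanished, and users whose platform mix grew."""
    prev = {d.device_id: d for d in previous}
    cur = {d.device_id: d for d in current}
    before, after = platforms_by_user(previous), platforms_by_user(current)
    new_platforms = {
        user: after[user] - before.get(user, set())
        for user in after
        if after[user] - before.get(user, set())
    }
    return {
        "added": sorted(cur.keys() - prev.keys()),
        "removed": sorted(prev.keys() - cur.keys()),
        "new_platforms": new_platforms,
    }


def compliance_findings(d: Device) -> List[str]:
    """Return the baseline controls this device fails; an empty list means compliant."""
    findings: List[str] = []
    if d.platform not in APPROVED_PLATFORMS:
        findings.append("platform not approved")
    if not d.encrypted:
        findings.append("storage not encrypted")
    if d.passcode_min_len < MIN_PASSCODE_LEN:
        findings.append(f"passcode shorter than {MIN_PASSCODE_LEN}")
    if not d.endpoint_agent:
        findings.append("no endpoint agent enrolled")
    if not d.vpn_only:
        findings.append("corporate access not restricted to VPN")
    return findings


def audit(previous: List[Device], current: List[Device]) -> Dict[str, object]:
    """Combine the inventory diff with a compliance pass over the current export."""
    result = diff_inventory(previous, current)
    result["noncompliant"] = {
        d.device_id: f for d in current if (f := compliance_findings(d))
    }
    return result


if __name__ == "__main__":
    r = audit(LAST_WEEK, THIS_WEEK)
    print("new devices:", r["added"])                      # ['AN-0004', 'IP-0005']
    print("gone:", r["removed"])                           # ['BB-0003']
    print("new platforms per user:", r["new_platforms"])   # alice: android, carol: iphone
    for dev_id, findings in r["noncompliant"].items():
        print(dev_id, "->", "; ".join(findings))
```

Run weekly against whatever export the MDM or scanner produces: the `added` and `new_platforms` lists are exactly the events the quote above says IT never sees today (a user quietly adding a second device, or swapping one platform for another), and the `noncompliant` map turns practice 1 from a statement of intent into something that can be checked and ticketed.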
5. Embrace the cloud
According to Craig Lund, CEO of MultiFactor Corporation, the biggest threat from smartphones, even with policies and security software in place, is the lost device.
Corporate data roaming from work to home to coffee shops to airports to bars (look at how much trouble that lost iPhone prototype caused) will remain a problem no matter what security is in place.
Passwords can be guessed or bypassed, encryption can be defeated when its key is derived from a short passcode, and, as mentioned earlier, users may be reluctant to report their phones as lost.
As a way to avoid this problem, Lund recommends moving to cloud-based apps.
“If the data is off the devices and secured in data centers, then IT need not focus on the device, but rather on user identities and authentication, which can be centrally controlled and managed,” Lund said.
When data is not stored on the device, the smartphone is simply a portal, and IT’s job just got a whole lot easier. Verify the premise rather than assume it, though: browser caches, offline copies and downloaded mail attachments all land on local storage, so "no data on the device" is a state to confirm, not a property the cloud grants for free.