Download the authoritative guide: Cloud Computing 2018: Using the Cloud to Transform Your BusinessJim Linn, IT director at the American Gas Association in Washington, D.C., knows the benefits of smartphones that offer voice and data functionality.
But he also knows the risks.
Like many of his colleagues, Linn is worried about the liability of data loss or corruption if users send and receive corporate emails over their cell phones and handhelds. ''I know there's a need for mobile devices and I want to meet that need. But my feeling is that I'm ultimately responsible for the data going back and forth over anything,'' says Linn, who oversees the network for the energy trade association, which serves 195 local utility companies.
To that end, Linn has told employees they only can use company-managed BlackBerry devices to access their corporate email. The approach has been successful as 60 of his 80 users have Research in Motion BlackBerrys that they use regularly. ''It's one of the most amazing productivity boosters,'' he says.
But not managing them opens IT teams up to tremendous risks.
Linn says he chose the BlackBerry phone and PDA combination devices because he could control and secure them at every level using the accompanying enterprise server platform. With the server and device linked so tightly, Linn says he is confident that data, including customer information stored in contacts databases, is not comprised.
''When you have wireless devices of any kind, you open yourself up to security risks. At least I know with the BlackBerry that I can control that risk,'' he says.
In fact, if one of the devices is lost, Linn immediately, and remotely, can lock down that device and erase it so others can't access the information stored on it. He also can make sure the device software is updated regularly and that messages are encrypted.
Taking no Chances
But Tom Gonzales, senior network administrator at Colorado State Employees Credit Union in Denver, Colo., is not convinced.
He is opposed to the use of smartphones and handhelds for any corporate information. In fact, Gonzales only uses his Blackberry to receive pages that tell him to log on to his company mail through the VPN. ''I don't believe you should send anything more than what you'd write on a postcard across [smartphones],'' he says.
Gonzales adds ''all data has to be protected and respected.''
As an IT pro for a financial institution, he says he is working under regulations such as the Gramm-Leach-Bliley Act. ''If you lose your [smartphone], you could give away your recently called list, which might have confidential customer information,'' he says.
Instead, Gonzales has each of the 230 employees at the credit union sign a mobile electronics policy agreement that states the strict rules regarding company data, including a rule that mandates that no credit union member data can be sent over an unencrypted voice or data line.
''We let them know the high numbers of cell phones and PDAs that are stolen or lost in taxis and elsewhere,'' he says.
Gonzales says it's important to explain to users in a clear policy why the restrictions are in place. ''Otherwise, there's no recourse to take action if phones and PDAs are being misused,'' he says.
Randy Giusto, group vice president for clients and mobility at the IDC research firm in Framingham, Mass., agrees that setting policy is key to protecting company assets. Traditionally, companies have worried more about PC risks, he says. ''It's a good practice for the IT organization to create policies as small mobile devices do pose threats,'' he says.
Because ''the corporation owns the customer names and addresses in those devices,'' they have to be protected like parts of the network, he adds.
Brian Schwartz, a technology specialist at CDW Corp., a provider of technology services and products in Vernon Hills, Ill., says the policies that IT creates should include tips for users.
''If they lose their phone or data device and it contains sensitive data, they need to alert their IT administrator right away,'' he says.
Schwartz adds that IT should use every security option available in their tool box.
For instance, ''To make sure that important information is saved on smartphones, they should use the setting that allows e-mail to be deleted on the phone, but retained in the corporate server where it can easily be archived and restored if the phone is damaged or lost,'' Scwhartz says. This also helps with compliance mandates, he adds.
Overall, Giusto is seeing companies turn away from supporting mobile devices as the support and maintenance is too time-consuming. ''Who's going to integrate a Treo or some other device into the back-end [enterprise mail] servers? Users can't do that on their own,'' he says.
He adds that IT organizations have to be savvy about the devices being used in the network. ''Not only do they have to lock each device down and know what data is on them, but they have to be able to identify them and update them. That's a huge cost in time and personnel,'' he says.
''IT managers do need to make sure that devices have the latest software,'' says CDW's Schwartz. ''It is very similar to patching PCs or updating anti-virus definitions.''
Linn is all too aware of all of these burdens on IT.
''I wouldn't want to be in an environment where people can bring in whatever they want. We have enough responsibility in managing what we have,'' he says. ''That's why I recommend picking one device or family of devices and sticking to them.''