Jim Linn, IT director at the American Gas Association in Washington,
D.C., knows the benefits of smartphones that offer voice and data
functionality.
But he also knows the risks.
Like many of his colleagues, Linn is worried about the liability of data
loss or corruption if users send and receive corporate emails over their
cell phones and handhelds. “I know there’s a need for mobile devices and
I want to meet that need. But my feeling is that I’m ultimately
responsible for the data going back and forth over anything,” says Linn,
who oversees the network for the energy trade association, which serves
195 local utility companies.
To that end, Linn has told employees they can use only company-managed
BlackBerry devices to access their corporate email. The approach has been
successful as 60 of his 80 users have Research in Motion BlackBerrys that
they use regularly. “It’s one of the most amazing productivity
boosters,” he says.
In fact, Linn says that the devices offer more than just voice and
e-mail; they also give users remote and synchronized access to their
contacts and other important data. The management of smartphones is just
one more headache for already overloaded IT staffs.
But not managing them opens IT teams up to tremendous risks.
Linn says he chose the BlackBerry phone and PDA combination devices
because he could control and secure them at every level using the
accompanying enterprise server platform. With the server and device
linked so tightly, Linn says he is confident that data, including
customer information stored in contacts databases, is not compromised.
“When you have wireless devices of any kind, you open yourself up to
security risks. At least I know with the BlackBerry that I can control
that risk,” he says.
In fact, if one of the devices is lost, Linn immediately, and remotely,
can lock down that device and erase it so others can’t access the
information stored on it. He also can make sure the device software is
updated regularly and that messages are encrypted.
Taking no Chances
But Tom Gonzales, senior network administrator at Colorado State
Employees Credit Union in Denver, Colo., is not convinced.
He is opposed to the use of smartphones and handhelds for any corporate
information. In fact, Gonzales only uses his BlackBerry to receive pages
that tell him to log on to his company mail through the VPN. “I don’t
believe you should send anything more than what you’d write on a postcard
across [smartphones],” he says.
Gonzales adds, “all data has to be protected and respected.”
As an IT pro for a financial institution, he says he is working under
regulations such as the Gramm-Leach-Bliley Act. “If you lose your
[smartphone], you could give away your recently called list, which might
have confidential customer information,” he says.
Instead, Gonzales has each of the 230 employees at the credit union sign
a mobile electronics policy agreement that states the strict rules
regarding company data, including a rule that mandates that no credit
union member data can be sent over an unencrypted voice or data line.
“We let them know the high numbers of cell phones and PDAs that are
stolen or lost in taxis and elsewhere,” he says.
Gonzales says it’s important to explain to users in a clear policy why
the restrictions are in place. “Otherwise, there’s no recourse to take
action if phones and PDAs are being misused,” he says.
Randy Giusto, group vice president for clients and mobility at the IDC
research firm in Framingham, Mass., agrees that setting policy is key to
protecting company assets. Traditionally, companies have worried more
about PC risks, he says. “It’s a good practice for the IT organization
to create policies as small mobile devices do pose threats,” he says.
Because “the corporation owns the customer names and addresses in those
devices,” they have to be protected like parts of the network, he adds.
Brian Schwartz, a technology specialist at CDW Corp., a provider of
technology services and products in Vernon Hills, Ill., says the policies
that IT creates should include tips for users.
“If they lose their phone or data device and it contains sensitive data,
they need to alert their IT administrator right away,” he says.
Schwartz adds that IT should use every security option available in their
tool box.
For instance, “To make sure that important information is saved on
smartphones, they should use the setting that allows e-mail to be deleted
on the phone, but retained in the corporate server where it can easily be
archived and restored if the phone is damaged or lost,” Schwartz says.
This also helps with compliance mandates, he adds.
Overall, Giusto is seeing companies turn away from supporting mobile
devices as the support and maintenance is too time-consuming. “Who’s
going to integrate a Treo or some other device into the back-end
[enterprise mail] servers? Users can’t do that on their own,” he says.
He adds that IT organizations have to be savvy about the devices being
used in the network. “Not only do they have to lock each device down and
know what data is on them, but they have to be able to identify them and
update them. That’s a huge cost in time and personnel,” he says.
“IT managers do need to make sure that devices have the latest
software,” says CDW’s Schwartz. “It is very similar to patching PCs or
updating anti-virus definitions.”
Linn is all too aware of all of these burdens on IT.
“I wouldn’t want to be in an environment where people can bring in
whatever they want. We have enough responsibility in managing what we
have,” he says. “That’s why I recommend picking one device or family of
devices and sticking to them.”