According to a recent global survey by The Aberdeen Group entitled “Enterprise Mobility Strategies 2010: More Mobility, Same Budget,” nearly two-thirds (73 percent) of corporations now allow some or all employees to use personal-liable mobile devices for work. Fueled by organizational mobility cuts and employee demand to choose a smartphone based on individual needs, this trend is expected to increase. The Aberdeen Group report notes that eight percent of the 200 organizations surveyed plan to allow all employees to use personal devices in the next 12 months.
As we've seen with many of the mobile predictions for 2010, smartphones are projected to face many of the security attacks that target computers. In 2009, we saw examples of mobile malware with the first iPhone worm. With the proliferation of employee-liable devices, it's safe to assume that instances of mobile malware will only increase in the coming year.
These contributing factors – the increasing diversity of mobile platforms in the enterprise, the infiltration of employee-liable devices into the workplace and the rapid growth of mobile applications – all put corporate networks at risk. IT departments are under intense pressure to support the business benefits of enterprise mobility, while ensuring the security of enterprise data and infrastructure. In order to gain visibility and control over their smartphone deployments, the following are some best practices for IT on mitigating security risks caused by this surge in smartphones.
Require users to proactively seek permission to connect via Exchange ActiveSync (EAS.
Many employees opt to bypass enterprise IT departments and bring their own device to work. Microsoft Exchange ships with EAS enabled by default for all users, and as a result, employees can enable their personal devices to retrieve corporate mail without asking the IT department for authorization or approval. In order to secure a device, the IT department must have visibility into which devices are connecting to the network. Therefore, it's important to set a policy that requires users to contact the IT department for permission to enable ActiveSync on their personal iPhone, Palm or Android device.
You can't secure what you can't see – gain visibility into which devices are connecting into the network.
A “particularly worrisome trend” cited in the Aberdeen Group report found that the vast majority of organizations meeting the demand for individual-liable devices had little to no visibility into device usage and telecom costs. Without full visibility into the devices running on a network, IT is subject to greater security risk from employee liable phones. Once an administrator has authorized and enabled EAS for a user to connect into the network with an iPhone, for example, they do not need permission to add additional devices to the network. Without daily or weekly reports, IT has no visibility when a user switches their smartphone for another type of device.
Like everything else on the network, smartphones must also have security policies.
Companies should set up a default EAS security policy so that all phones connecting into the network have a minimum level of security enabled. In many instances, this will force users to set up a security password or enable other security policies before they can access their email for the first time.
Smartphones are an extension of corporate data – give users the ability to wipe their own device in case their device gets lost.
According to Accenture, 10 to 15 percent of all handheld computers, PDAs, mobile phones, and pagers are lost by their owners. More often than not, users will delay reporting their device as lost or stolen, either in the hopes that they can retrieve the device, or because they are embarrassed for losing it. Every second of delay could mean the loss of sensitive corporate data. Providing users with an ability to wipe their own devices will significantly reduce the risk of both personal and corporate data loss.
All play and no work? Track applications installed on the device.
The line continues to blur between the personal and corporate use of smartphones. Organizations that allow users to install personal or corporate applications on their device should audit for rogue third-party applications, and control which corporate applications mobile devices can access. More and more users are unintentionally downloading memory hogging or malware embedded applications. By understanding which applications are installed and running, enterprises IT can avoid potential security and compliance risks.
Aberdeen's report concludes that organizations need to understand that enterprise mobility is no longer simply a personal decision that can be individually determined by each employee in the company. The report reinforces that coherent enterprise mobility deployments require compliance to meet business needs. This does not mean that employees must standardize on one device or that mobility policies should lock down every non-standard behavior. By setting and enforcing policies for the use of personal devices in the workplace, IT can gain the visibility and control necessary for securing a rapidly evolving mobile ecosystem.