Smartphone security beyond office walls
Many of these issues have been addressed for desktops and laptops – there is probably not one business without at least anti-virus software, if not a full firewall – however, the trend toward “going mobile” in the workplace is creating a new level of security and management challenges for corporations.
Q: IT organizations have been dealing with security issues for a wide range of hardware and software. What are the unique security issues with smartphones?
MB: Smartphones are both more mobile and more personal than corporate PCs or even laptops. The trend for working with smartphones has been growing steadily over the past few years, with increased importance placed on flexible working practices and more road warriors. Today the most common applications used by mobile employees include company email, Internet, company intranet and calendar management; these are considered “core” applications in many companies. New capabilities, ranging from sales force applications to custom corporate applications, are making smart devices even more attractive for corporations.
In addition, it is no longer just executives carrying smart devices; smartphone use is driving into the ranks of middle management and staff workers. Employees at all levels of the organization are purchasing and using their own smart devices to access company systems and data, adding to the complexity of managing and securing them.
While it is fairly straightforward for IT departments to manage and secure business applications that reside on company-issued laptops or PCs, doing this on mobile devices – some of which may not be owned by the company – presents a far greater challenge. Mobile devices and applications need “over the air” management so that they can be provisioned, configured, updated, secured, managed and controlled without being wired into the company network. They run on many different operating systems and may be connecting through a wide range of access technologies. They can carry a great deal of sensitive and confidential information. And they are becoming more complex and sophisticated, with more memory and new capabilities and applications in every release.
However, while most companies recognize the importance of central IT security and are implementing core strategies, it is surprising how many IT managers stop short and only manage security within the four “physical” walls of a company building.
Q: There are methods for smartphones to be scanned and monitored when they physically connect to a corporate network, but what happens when a device with corporate data leaves the office?
MB: Smartphones may be virus scanned when physically connected on the premises (if they have an antivirus client installed and properly configured); they may come under the rigors of the firewall while physically connected to the corporate network, but, for the most part, they are not under any sort of company control when they are outside the office.
If a phone is lost, mobile operators are usually able to disable the phone number and block expensive calls from being made. However, a “smart” phone differs significantly from an “ordinary” mobile phone. It contains a significant amount of memory – for example, a memory card can hold over 1 gigabyte of data, which a thief can still access even if voice calling has been barred. They can contain a wide range of applications and data files, both company-issued and personal. There is nothing to prevent smartphone users from installing data and applications onto their devices that could cause problems for the company – from letting loose viruses to not playing well with corporate systems or adhering to corporate policies.
Q: How can IT recognize the dangers and consequences of not managing, or improperly managing, smartphones?
MB: Smartphones are incredibly important productivity tools for busy executives on the move, and this is only going to increase as their use becomes more pervasive at all levels of the enterprise. Employees can carry all kinds of information on these devices, from confidential announcements, to financial results, company files and sensitive emails about business in progress. Losing any of these can result not only in lost business if something sensitive is leaked into the public domain, but can also result in a loss of trust between the company and its valued customers.
As smartphones become increasingly critical business tools, being unable to use them due to technical problems while on the road can be a serious problem for the mobile worker. Problems occur while employees are far from the office. Companies can't make them bring the device back to the office to debug the problem and fix it. Nor can they stop employees from being human. Accidents will happen, devices will be lost and the data on them will be at risk. And there is no absolute defense against a determined thief.
Q: What can be done to ensure the security of smartphones and corporate data outside the office walls?
MB: Recognition of the management and security issues is the first step in making sure mobile assets and information are managed and protected. Like the laptops of remote workers, smartphones need to be catered to as a part of the network and subject to corporate management and security measures. It is essential that companies have a corporate IT management policy in place that takes these smart mobile devices into account.
Enabling a full mobile device management (MDM) solution will ensure that employees' smartphones are managed in a manner that is consistent with other IT assets. Necessary updates – including settings for mobile security clients such as antivirus and encryption – can be distributed over the air to everyone who needs them, regardless of where they are in the world, ensuring that everything works exactly as it should. Problems can be detected and fixed remotely, without requiring anyone to come back to the office.
With a complete MDM solution in place, lost or stolen devices not only can be disabled in an emergency situation, but the data can be locked to prevent unauthorized access, or even wiped completely from the phone memory. Policies can be implemented to bar or remove unauthorized applications and files on employee devices when they are detected. Important information can also be backed up on a secure server, ensuring data is retrievable, protected and secure.
Effective management of a company's mobile devices will mean faster mobilization of enterprise applications, which, in turn, will lead to increased employee productivity at all levels of the enterprise. Recognition of the dangers associated with lost or stolen mobile devices is a good first step in ensuring data is protected and cannot be used to compromise the business. The next step is to make sure policies and systems are in place to manage and protect this data when it's on the move.
Matt Bancroft can be reached at firstname.lastname@example.org