Whether you like it or not, handheld PDAs and smartphones are invading the enterprise. Affordable and powerful, these devices are bought by employees and adopted into the organization faster than any other computing platform: they connect to your computer systems, download company information, and create serious security exposure.
An employee with access to networked resources has a number of ways to move corporate data to a handheld device. They can use a wired or wireless connection to synchronize the device with a networked computer, transfer a file using an external storage card, or simply instant message the file to the device. No longer glorified address books, these devices have become repositories for valuable and sensitive proprietary enterprise data.
Portable and prone to being lost or stolen, handheld devices are popular targets for data theft. What happens when an unprotected device loaded with sensitive data gets into the wrong hands? What is the damage to the company if a competitor gains access to customer data, product plans or merger and acquisition activity? And, even more concerning, what if a motivated attacker uses the device to penetrate the enterprise network by masquerading as an authorized user, gaining access to critical applications and data?
This is not a small problem. Industry analyst firm IDC predicts that by 2005, over 229 million devices will be used by mobile professionals in Global 2000 organizations. And the amount of data residing on handheld devices is growing rapidly. Industry analyst firm Gartner predicts that more than 60% of staff in Global 2000 companies will have mobile access to corporate applications by 2005, and that 40% of corporate data will reside on handheld devices by 2005.
Faced with internal compliance policies, as well as Federal and state regulations such as Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA, and California SB1386, an organization can no longer ignore the security risks created by mobile devices. Without an effective security strategy for protecting mobile data, devices and the enterprise network, an organization is exposing itself to steep penalties, lawsuits, and a PR nightmare.
Anyone charged with protecting the enterprise knows that controlling the use of employee-owned devices is a daunting task. Handheld devices are a powerful tool: they let employees access information anytime, anywhere, which makes them more productive. According to a study by NOP World-Technology for Cisco, the average device user can increase personal productivity 22% (70 minutes/day). The study further shows that 87% of users believe mobility improves quality of life through increased flexibility, productivity and time savings. Given that, prohibiting the use of devices in the workplace would be a very unpopular decision with employees. And, realistically, the directive would more than likely be ignored.
Your only option is to take control. But, how do you assess the risk to the organization when you don't even know who is connecting to enterprise resources? For what types of information? With what types of devices? How often?
Don't run for cover yet. You CAN solve this problem. By simply implementing policy, process and technology, you CAN gain control over device use and mitigate risk to the organization.
Develop a written policy
First, create a written security policy that dictates how handheld devices, whether company-issued or employee-owned, can be used in the workplace. The policy should clearly state which devices, platforms, applications, and networks the company will support going forward, as well as how, and to what degree, these devices will interact with the company's data and systems. In addition, the policy should identify the types of information the organization considers confidential and describe how that data must be protected. Any device functions that are prohibited in the workplace, such as Bluetooth radios and cameras, should also be listed explicitly.
You may be asking yourself, "What right, legally, does the organization have in dictating how employee-owned devices can be used in the workplace?" Many organizations already have a written security policy in place for protecting the company's electronic assets on networked systems. If an employee is authorized to access certain types of corporate data from a networked system, then he/she should be able to access that data from a mobile device, right? Wrong! The employee should only be able to gain access to that data if the device is adequately protected. The organization has the right to deny access if the employee is not willing to follow the guidelines set and documented in the mobile security policy.
Communicate to employees
Employees should be made aware of the vulnerabilities of mobile devices and the implications to the company if they fall in the wrong hands. Training should include awareness of the physical security of the device, the mobile device security policy, a review of the types of information that can be stored on the device, and the procedure to follow if a device is lost or stolen.
Enforce with tools
Communication alone will not solve the problem. To enforce compliance effectively, an organization must implement security software that detects every device attempting to connect to a networked system and applies the policy to it. Why? Because a policy without technology to monitor and enforce compliance is like having speed limits with no traffic cops. As one Fortune 35 executive once said, "We established a written policy for mobile device use in the workplace, but we had no capability to enforce it. What a joke!"
Security tools should implement the organization's security policy directly. For example, the policy might require a mandatory PIN or password to control access to the device and its storage cards; a fail-safe action that wipes stored data after a set number of failed password attempts; user authentication to control access to networked resources; and encryption of stored data so that confidential information is unreadable to prying eyes. In addition, the software should be able to disable, and prevent the use of, any device functions, such as cameras, that are prohibited in the workplace.
The security software should detect each time a device attempts to connect to any computer on the enterprise network and authenticate the user. Before any data is accessed, the software should verify that the security agent is installed on the device and that its security settings are up to date.
Likewise, the software should detect a device connecting to the enterprise for the first time and automatically notify the user that only devices adequately protected with security software can access corporate data. The user should be given the choice to accept or decline the company's security policy. If the user declines, he or she is denied access to any corporate information. If the user accepts, the software should register the device and then automatically provision the client software, encryption keys and policy settings.
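The admission and fail-safe logic the last three paragraphs describe, written out as an added example. This is not CREDANT's product code or anything from the original article; the policy fields, version numbers, the threshold of ten failed unlock attempts, the device posture record and the sample PDA are all constructed assumptions chosen to mirror the controls the article lists.

```python
"""Admission control and fail-safe wipe for handheld devices (added example).

Assumptions: the policy fields, thresholds and the Device posture record are
invented for illustration; a real agent would report these facts itself.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"    # agent present and posture matches policy
    ENROLL = "enroll"  # first contact: present the policy, then provision
    DENY = "deny"      # registered but non-compliant, or policy declined


@dataclass(frozen=True)
class Policy:
    policy_version: int = 7                      # assumed current version
    min_agent_version: Tuple[int, int] = (2, 1)  # assumed minimum agent
    require_pin: bool = True
    require_encryption: bool = True
    banned_functions: FrozenSet[str] = frozenset({"camera", "bluetooth"})
    max_failed_unlocks: int = 10                 # assumed wipe threshold


@dataclass
class Device:
    """Posture record for one handheld, as the agent would report it."""
    device_id: str
    registered: bool = False
    agent_version: Optional[Tuple[int, int]] = None
    policy_version: Optional[int] = None
    pin_set: bool = False
    storage_encrypted: bool = False
    enabled_functions: FrozenSet[str] = frozenset()
    failed_unlocks: int = 0
    wiped: bool = False


def admission_check(dev: Device, pol: Policy) -> Tuple[Verdict, List[str]]:
    """Run on every connection or sync attempt, before any data is served.
    Returns the verdict and, for a DENY, every reason found."""
    if not dev.registered:
        return Verdict.ENROLL, ["unknown device: policy must be accepted first"]
    reasons: List[str] = []
    if dev.agent_version is None:
        reasons.append("security agent not installed")
    elif dev.agent_version < pol.min_agent_version:
        have = "%d.%d" % dev.agent_version
        need = "%d.%d" % pol.min_agent_version
        reasons.append(f"security agent {have} older than required {need}")
    if dev.policy_version != pol.policy_version:
        reasons.append("policy settings out of date")
    if pol.require_pin and not dev.pin_set:
        reasons.append("device PIN/password not set")
    if pol.require_encryption and not dev.storage_encrypted:
        reasons.append("stored data not encrypted")
    banned = sorted(dev.enabled_functions & pol.banned_functions)
    if banned:
        reasons.append("prohibited functions enabled: " + ", ".join(banned))
    return (Verdict.DENY, reasons) if reasons else (Verdict.ALLOW, [])


def enroll(dev: Device, pol: Policy, user_accepts: bool) -> Verdict:
    """First-contact flow. Declining the policy denies access; accepting
    registers the device and provisions agent, PIN, encryption and current
    policy settings (simulated here by updating the posture record)."""
    if not user_accepts:
        return Verdict.DENY
    dev.registered = True
    dev.agent_version = pol.min_agent_version
    dev.policy_version = pol.policy_version
    dev.pin_set = True
    dev.storage_encrypted = True
    dev.enabled_functions = dev.enabled_functions - pol.banned_functions
    return admission_check(dev, pol)[0]


def record_unlock_attempt(dev: Device, pol: Policy, success: bool) -> bool:
    """Fail-safe on the device: count consecutive failed unlocks and wipe
    once the threshold is reached. Returns True if the device is wiped.
    A wiped device loses its registration and must be re-enrolled."""
    if dev.wiped:
        return True
    if success:
        dev.failed_unlocks = 0
        return False
    dev.failed_unlocks += 1
    if dev.failed_unlocks >= pol.max_failed_unlocks:
        dev.wiped = True
        dev.registered = False
        dev.storage_encrypted = False
        dev.policy_version = None
    return dev.wiped


if __name__ == "__main__":
    pol = Policy()
    # Constructed sample: an employee's new PDA with the camera enabled.
    pda = Device("pda-0001", enabled_functions=frozenset({"camera"}))
    print(admission_check(pda, pol))            # first contact -> ENROLL
    print(enroll(pda, pol, user_accepts=True))  # provisioned -> ALLOW
```

The decision is deliberately all-or-nothing: a single missing control (no encryption, stale policy, a banned function switched on) denies access rather than degrading it, which is what the article's "adequately protected or no access" stance requires. The posture facts are self-reported by the agent in this model; in practice the server should authenticate the agent as well as the user, otherwise a modified device can claim compliance it does not have.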
Used to improve personal productivity, handheld devices, whether company-issued or employee-owned, are finding their way into the workplace faster than you can imagine. These devices connect to enterprise systems and download corporate data, exposing the organization to regulatory fines, negative publicity from public disclosures, and legal liability.
By implementing policy, processes and the right technology, you can start gaining control over device use today – before it takes control of you.
Ian Gordon is vice president of marketing for CREDANT Technologies, the market leader in security software for the mobile enterprise. You can reach Ian at firstname.lastname@example.org.
This was first published in September 2004