
Experts: Good policy can mitigate mobile security risks

By Edward Hurley, News Writer
16 Apr 2003 | SearchMobileComputing.com



Mobile computing opens up a host of new possibilities for companies, but it also poses a unique set of risks. According to experts, the best way to mitigate those risks is through careful attention to mobile security policy.

Such policies allow companies to make sure mobile devices are used in a safe and appropriate manner. For example, a policy could require that all data on such devices be encrypted, or that only secure wireless access points be used. It could also limit which devices can be operated. Policy can be enforced either with technology, such as tools that ensure that strong passwords are used, or through employee conduct, an approach that requires user education.

Before a policy is written, IT managers need to understand that mobile devices, such as wireless PDAs, should be treated differently than laptops, said Kevin Burden, program manager for smart handheld devices at Framingham, Mass.-based International Data Corp. Mobile workers can -- and often do -- use PDAs on the go. Laptops, by contrast, are still used primarily at the office or at home.

Since mobile devices can be used anywhere, they are subject to different threats than desktops or even notebooks. Handhelds can be easily lost or stolen, and some devices break more easily than others, while leaving data intact. As such, the data on them needs to be encrypted.

Handhelds can come with 400 MHz processors and a lot of memory, so they pack a lot of computing power. They can be used for many purposes that are usually reserved for standard PCs. But this power can also be used for protection.

"Why do they have 400 MHz processors? So they can do 128-bit Blowfish encryption," Burden said.

As high-end handhelds tend to be marketed for use by professionals, the extra storage and processing power they possess make it convenient for enterprises to use them for data that's more critical than phone numbers or other contact information. Users are tempted to download financials and other sensitive information to their devices so they can have that information close at hand.

So, from a security perspective, mobile devices can be a risky proposition. Some companies get around these issues by only allowing limited access to corporate systems, said Tim Scannell, president and principal analyst for Quincy, Mass.-based Shoreline Research Inc. "Thus, these mobile devices do not always provide the necessary access to real and extensive corporate information (stuff that lurks safely on the other side of a firewall)," he said, meaning that a company may limit its security exposure by hobbling users' ability to access critical yet sensitive data.

Burden said that, despite the risks, companies shouldn't use security as an excuse for not using mobile devices. The National Security Agency, the CIA and the FBI all use such devices, and few organizations place greater emphasis on security.

After the decision to implement mobile technology is made and it comes time to craft a mobile computing policy, a company may be tempted to create an umbrella policy for all devices, from wireless PDAs to laptops. Over time, however, it will discover the need to drill down and craft policies that address the specific mobile uses, Burden said.

For example, a PDA that is synced in the morning, then used to collect data during the day, probably poses more security risk than one that uses wireless connections to transfer data. The former may contain more sensitive data, while the latter may have very little, since the device is used to access company resources remotely, Burden said.

Also, the amount of time employees spend using mobile devices is a consideration. Employees who use them during more than 20% of the workday may have different needs than people who use them less than that.

There are a couple of ways companies can go about creating mobile device policies. One is by creating a distinct mobile computing policy. Another way is to include such devices under existing policy. There are also in-between approaches, in which mobile devices fall both under old and new policies. For example, wireless access may fall under a separate policy already in place.

St. Petersburg, Fla.-based brokerage firm Raymond James Financial Inc. has adopted this hybrid approach. It wrote a new policy to address the specific needs of mobile devices, such as what to do if they are lost or stolen, but general usage issues fall under the IT department's existing policies.

As part of that approach, the company's "acceptable use" policy for other technologies is extended to mobile devices.

"There should not be a separate [acceptable use policy] for wireless, LAN, WAN, etc. ... That is a problem waiting to happen," said Gene Fredriksen, vice president of information security, noting that a properly written network policy can cover all connections to company data, including mobile and wireless.

On the other hand, Raymond James Financial has provisions in place to handle emergency situations, such as if a mobile device is stolen. Immediately, the appropriate law enforcement agency is notified and passwords are changed. User accounts are "closely monitored for unusual activity for a period of time" to ensure they aren't being accessed by the wrong people, Fredriksen said during a recent e-mail interview.

It's never too early to start planning for mobile device usage, even if a company knows it can't afford the technology right away, Burden said.

"When the economy improves, your competitors will be executing their plans. If you don't have a plan, you'll find yourself severely behind the curve," he said.

