The vast majority of enterprises are now involved in the mobile revolution. Users on notebooks, smartphones and (soon) other form factors are taking to the road in great numbers. Indeed, we expect more than 50% of enterprise-deployed PC devices for knowledge workers to be mobile (notebooks) within two to three years, and more than 85% of these enterprise users will have some form of smartphone device within the same time frame. Is your company one of these? Highly likely. And does your company have a mobile security strategy in place to take into account the mobile-specific security risks? Probably not. In fact, we estimate that less than 25% of enterprises have an up-to-date mobile security plan aimed at the latest mobile users with their increasingly diverse computing needs, and taking into account the inclusion of the many new mobile technologies available (e.g., flash drives and portable storage devices, including iPods). Is your company part of this mobile insecurity group?
Companies should take immediate concrete steps to ensure that the valuable data that users interact with is not lost or stolen when beyond the bounds of the corporate campus. Losing a device is inconvenient, but losing $1 million worth (or more) of company data is the real penalty companies pay in lost or stolen devices. First steps to prevention include building a viable mobile security policy that incorporates best practices for handling mobile users' data needs and device selection, as well as connectivity options (e.g., VPN) and, importantly, on-device security (e.g., firewalling, Anti Virus, data file encryption and tracking). This last piece is the one that companies forget most often.
A mobile security policy must also set concrete guidelines for users, and these guidelines must be clearly communicated to the end users (something few companies do well). One of the highest risk factors mobile users present to a company is not knowing the proper way to protect company sensitive data (e.g., not moving sensitive data to easily lost, unprotected flash drives or syncing with unsecured PDAs). Make sure they know what is expected, and the vast majority of users will help secure the information. User knowledge and training is the No. 1 defense against mobile data insecurity.
Next, deploy mobile management and security suites available from a number of vendors (e.g., Credant, PointSec, Sybase Afaria). Companies should also deploy firewalling/AV suites (e.g., Symantec, McAfee, iPass, Fibrelink, Columbitech, F-Secure, NetMotion) to each device, especially the newer breed of smartphone devices, many of which have the power and storage capability of a PC of only three or four years ago. Most companies overlook protecting these devices, leaving them with a major exposure. Finally, review and modify the security policy as necessary, taking into account the newest devices deployed and the latest revision of business needs, to help users stay productive. Staying flexible and up to date is key to maintaining a high level of security and compliance, especially in those industries where government regulations are in place (e.g., healthcare, financial institutions, and government).
Mobile security is a moving target, as new devices, and the threats they pose, appear regularly. Yet with a little planning and foresight, companies can proactively prevent many of the security compromises so often seen today. Do the right thing by security, and save your company a potentially damaging security breach while maintaining the end user's mobility and productivity. It's your choice.
About the author: Jack E. Gold is a recognized expert in mobile computing and is founder and principal analyst at technology research firm J. Gold Associates. He can be contacted at jack.gold@jgoldassociates.com.
