Mobile phones: Issued, authorized, or personal?


Today's topic concerns one of the most important questions facing enterprise IT and telecom managers today, to wit -- who owns, or, perhaps better, should own, the mobile phone? The answer to this question has far-reaching implications for any business or organization, with impacts on capital and operational costs, network management, information and network security, and many other factors. If mobility is indeed, as I believe, the future of IT, then getting this part of the solution right is one of the keys to success.



With only a few exceptions, most enterprises that I've spoken with generally have a policy of letting an employee use their personal mobile phone for business, with many reimbursing the employee for at least a portion of the airtime charges. This is, of course, the simplest solution for the enterprise, as no capital investment is required and no ongoing management expense involved. And this approach can work very well indeed, with just one little problem.

The problem is this: as handsets have become significantly more intelligent and powerful over the years, with essentially all handsets sold today qualifying as "smartphones," that unmanaged personal phone can be both a backdoor into the enterprise network and a repository of (again, unmanaged and unsecured) sensitive corporate data. It's no big deal to keep the phone number of one's car dealer on a personal handset, but the phone number and e-mail address of the CEO could be a problem if these are not appropriately protected. Remote access is similarly a big concern.

I am quite paranoid when it comes to security, and I run just a small business. But any business, of any size, needs to make sure that its corporate network, and the resources on that network, are available only to authorized users and perhaps only to authorized devices. Similarly, any data obtained from that network that is classified as sensitive or confidential also needs to be protected and made available only to authorized users. An unsecured personal handset is thus a potential disaster if it's lost or stolen -- and many of them are -- and enterprise IT management, in most cases, would never know.

The solution to this problem begins with a policy regarding the use of personal mobile devices in the corporate environment, which isn't all that different from a general information confidentiality policy or a policy regarding the use of a personal car on company business. Appropriate controls – at a minimum, a password or PIN code to access the device – are essential. Users should be required to sign an agreement with respect to keeping corporate information on personal devices, and the handsets themselves should be registered with IT for tracking purposes.

But I don't think these precautions will ultimately be sufficient. In fact, I'm going to predict that a mobile phone or other wireless handset will eventually be owned, monitored, managed, and otherwise controlled by the enterprise, along with a general prohibition on keeping enterprise information on any non-enterprise device. This is the only way to make sure that confidential information stays that way, but note that a strong policy regarding the use of any enterprise-issued IT electronics is required in any context. Remote device management is going to be an explosive growth opportunity for management software vendors moving forward.

And I also think that two-factor authentication will become much more important for mobile devices as well, perhaps using biometrics (like fingerprint scanners) or a hardware security key, which might itself be wireless. Regardless, the days of using a personal mobile phone to casually store company information are coming to an end – and, from where I'm standing, none too soon.

About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at craig@farpointgroup.com.


This was first published in October 2007
