Mobile security policies: Why a policy is important

Mobile security policies: Why a policy is important

Craig Mathias, Contributing writer

Security, unfortunately, is one area where IT professionals are never "done." I work on plans for network installations and upgrades all the time, and we eventually wind up with a list of required equipment, a cutover/migration plan, an operational plan and similar documents covering user training, help desk and other support, and on and on. And, of course, a security plan is always part of the process. But whereas almost all of the installed elements can at some point be declared to be operational and finished for a particular cycle (subject to occasional updates, bug fixes and revisions), security is so critical a component that, in all but the smallest organizations, it requires near-continuous attention. Come to think of it, even small companies should have a good security plan and set of procedures in place, with regular reviews, even if nothing seems to be amiss. As I said,

    Requires Free Membership to View

    Login

    SearchMobileComputing.com members gain immediate and unlimited access to expert guides for mobile deployment, management and security, industry trends, and more-- all at no cost. Join me on SearchMobileComputing.com today!

    Kate Gerwig, Editorial Director

    By submitting your registration information to SearchMobileComputing.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchMobileComputing.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

this is the one area where you are never done.

I occasionally give talks on information security, and I love to ask the audience how many of them have never been hit by a security breach or other security-related problem. They almost all raise their hands, and then I lower the boom -- how do they know?

Knowing security has been compromised is one thing; not knowing what to do about this situation is perhaps even worse.
,
The fact is that information and network security are usually compromised without anyone knowing, at least right away, that anything has occurred, and -- compounding the problem -- there is often no process or set of procedures in place to deal with the problem once it is identified. Knowing security has been compromised is one thing; not knowing what to do about this situation is perhaps even worse. And when sensitive information is in mobile devices that could literally be anywhere -- including lost -- the value of up-front planning becomes very clear indeed.

Everyone will agree that information and network security are important, but the biggest push-backs I get when talking about security relate to two factors: cost and convenience. It is possible to spend vast sums on security, and this is often justified – as with government and military networks -- but the commercial world has two specific security threats, and one of them is usually minor: the casual hacker. These folks have way too much time on their hands, and this is manifested in the need to cause mischief or obtain bragging rights among the like-minded, or simply in a pathological need for Internet access. But though the casual hacker seldom causes a major meltdown -- and indeed, helps to keep a focus on the need for security in the first place -- the other threat, the professional information thief, is and must always be a major concern.

Driven by profit, these nefarious individuals have detailed technical knowledge of networks and understand and often develop the techniques for cracking nets with a high degree of effectiveness and stealth. Information is often long-gone before their tracks -- if any -- are discovered. But let's be fair: What are the chances of getting hit by one of these guys? Should those vast sums be spent simply in anticipation of an attack that may never come? And with that expense comes the second push-back -- inconvenience. There is little doubt that security measures can and often do affect productivity and create additional support costs. Security solutions that are hard to use are often counterproductive -- users just write down difficult-to-remember passwords or otherwise leave mobile devices unlocked. All that expense can indeed be wasted in such situations.

But, based on the theory that if you don't know where you're going, any road will take you there, it is best -- despite the obvious urgency and criticality involved (to say nothing of increasingly strict regulatory requirements) -- to take a deep breath and start with a plan to tackle your particular security challenge. And this plan begins not with a purchase but with a document -- the development of an enterprise security policy. We'll cover the contents of a security policy next time.

About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm, based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at craig@farpointgroup.com.

This was first published in April 2008

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top