Mobile computing opens up a host of new possibilities for companies, but it also poses a unique set of risks. According to experts, the best way to mitigate those risks is through careful attention to mobile security policy.
Such policies allow companies to make sure mobile devices are used in a safe and appropriate manner. For example, a policy could require that all data on such devices be encrypted, or that only secure wireless access points be used. It could also limit which devices can be operated. Policy can be enforced either with technology, such as tools that ensure that strong passwords are used, or through employee conduct, an approach that requires user education.
Before a policy is written, IT managers need to understand that mobile devices, such as wireless PDAs, should be treated differently than laptops, said Kevin Burden, program manager for smart handheld devices at Framingham, Mass.-based International Data Corp. Mobile workers can -- and often do -- use PDAs on the go. Laptops, by contrast, are still used primarily at the office or at home.
Since mobile devices can be used anywhere, they are subject to different threats than desktops or even notebooks. Handhelds can be easily lost or stolen, and some devices break more easily than others, while leaving data intact. As such, the data on them needs to be encrypted.
Handhelds can come with 400 MHz processors and a lot of memory, so they pack a lot of computing power. They can be used for many purposes that are usually reserved for standard PCs. But this power can also be used for protection.
"Why do they have 400 MHz processors? So they can do 128-bit Blowfish encryption," Burden said.
As high-end handhelds tend to be marketed for use by professionals, the extra storage and processing power they possess make it convenient for enterprises to use them for data that's more critical than phone numbers or other contact information. Users are tempted to download financials and other sensitive information to their devices so they can have that information close at hand.
So, from a security prospective, mobile devices can be a risky proposition. Some companies get around these issues by only allowing limited access to corporate systems, said Tim Scannell, president and principal analyst for Quincy, Mass.-based Shoreline Research Inc. "Thus, these mobile devices do not always provide the necessary access to real and extensive corporate information (stuff that lurks safely on the other side of a firewall)," he said, meaning that a company may limit its security exposure by hobbling users' ability to access critical yet sensitive data.
Burden said that, despite the risks, companies shouldn't use security as an excuse for not using mobile devices. The National Security Agency, the CIA and the FBI all use such devices, and few organizations place greater emphasis on security.
After the decision to implement mobile technology is made and it comes time to craft a mobile computing policy, a company may be tempted to create an umbrella policy for all devices, from wireless PDAs to laptops. Over time, however, it will discover the need to drill down and craft policies that address the specific mobile uses, Burden said.
For example, a PDA that is synced in the morning, then used to collect data during the day, probably poses more security risk than one that uses wireless connections to transfer data. The former may contain more sensitive data, while the latter may have very little, since the device is used to access company resources remotely, Burden said.
Also, the amount of time employees spend using mobile devices is a consideration. Employees who use them during more than 20% of the workday may have different needs than people who use them less than that.
There are a couple of ways companies can go about creating mobile device policies. One is by creating a distinct mobile computing policy. Another way is to include such devices under existing policy. There are also in-between approaches, in which mobile devices fall both under old and new policies. For example, wireless access may fall under a separate policy already in place.
St. Petersburg, Fla.-based brokerage firm Raymond James Financial Inc. has adopted this hybrid approach. It wrote a new policy to address the specific needs of mobile devices, such as what to do if they are lost or stolen, but general usage issues fall under the IT department's existing policies.
As part of that approach, the company's "acceptable use" policy for other technologies is extended to mobile devices.
"There should not be a separate [acceptable use policy] for wireless, LAN, WAN, etc. ... That is a problem waiting to happen," said Gene Fredriksen, vice president of information security, noting that a properly written network policy can cover all connections to company data, including mobile and wireless.
On the other hand, Raymond James Financial has provisions in place to handle emergency situations, such as if a mobile device is stolen. Immediately, the appropriate law enforcement agency is notified and passwords are changed. User accounts are "closely monitored for unusual activity for a period of time" to ensure they aren't being accessed by the wrong people, Fredriksen said during a recent e-mail interview.
It's never too early to start planning for mobile device usage, even if a company knows it can't afford the technology right away, Burden said.
"When the economy improves, your competitors will be executing their plans. If you don't have a plan, you'll find yourself severely behind the curve," he said.
FOR MORE INFORMATION:
Read more of our Special advisory: An introduction to enterprise mobile computing
Browse our Topics on security
Read why Wireless handhelds need defense-in-depth