Whether you like it or not, handheld PDAs and smartphones are invading the enterprise. Affordable and powerful, these devices are purchased by employees and adopted into the organization faster than any other computing platform -- connecting to your computer systems, downloading company information, and causing serious security implications.
An employee with access to networked resources has a number of ways to move corporate data to a handheld device. They can use a wired or wireless connection to synchronize the device with a networked computer, transfer a file using an external storage card, or simply instant message the file to the device. No longer glorified address books, these devices have become repositories for valuable and sensitive proprietary enterprise data.
Portable and prone to being lost or stolen, handheld devices are popular targets for data theft. What happens when an unprotected device, armed with sensitive data, gets in the wrong hands? What are the damages to the company if a competitor has access to customer data, product plans or merger and acquisition activity? And, even more concerning, what if a motivated hacker uses the device to penetrate the enterprise network by masquerading as an authorized user -- gaining access to critical applications and data.
This is not a small problem. Industry analyst firm, IDC predicts that by 2005, over 229 million devices will be used by mobile professionals in Global 2000 organizations. And, the amount of data residing on handheld devices is growing rapidly. Industry analyst firm, Gartner, predicts that more than 60% of staff in Global 2,000 companies will have mobile access to corporate applications by 2005. They further predict that 40% of corporate data will reside on handheld devices by 2005.
Faced with internal compliance policies, as well as Federal regulations, such as Gramm-Leach Bliley, Sarbanes-Oxley, HIPAA, and California SB1386, an organization can no longer ignore the security risks caused by mobile devices. Without an effective security strategy for protecting mobile data, devices and the enterprise network, an organization is exposing itself to steep penalties, lawsuits, and a PR nightmare.
Anyone charged with protecting the enterprise knows that controlling the use of employee-owned devices is a daunting task. A powerful tool, handheld devices enable employees to access information anytime, anywhere -- making them more productive. According to a study by NOP World -- Technology for Cisco, the average device user can increase personal productivity 22% (70 minutes/day). The study further shows that 87% of users believe mobility improves quality of life due to increased flexibility, productivity and time savings. With that said, prohibiting the use of devices in the workplace would be a very unpopular decision with employees. And, realistically, the directive would, more than likely, be ignored.
Your only option is to take control. But, how do you assess the risk to the organization when you don't even know who is connecting to enterprise resources? For what types of information? With what types of devices? How often?
Don't run for cover yet. You CAN solve this problem. By simply implementing policy, process and technology, you CAN gain control over device use and mitigate risk to the organization.
Develop a written policy
You may be asking yourself, "What right, legally, does the organization have in dictating how employee-owned devices can be used in the workplace?" Many organizations already have a written security policy in place for protecting the company's electronic assets on networked systems. If an employee is authorized to access certain types of corporate data from a networked system, then he/she should be able to access that data from a mobile device, right? Wrong! The employee should only be able to gain access to that data if the device is adequately protected. The organization has the right to deny access if the employee is not willing to follow the guidelines set and documented in the mobile security policy.
Communicate to employees
Enforce with tools
Security tools should mimic and support the organization's security policy. For example, the policy might require enhanced security functions such as mandatory PIN/password, for controlling access to the device and storage cards, fail-safe actions that perform a data wipe after a certain number of failed password attempts, user authentication for controlling access to networked resources, and encryption for stored data to make sure confidential information is not readable to prying eyes. In addition, the software should be able to disable and prevent the use of any device functions, such as cameras, that are prohibited from being used in the workplace.
The security software should be able to detect each time a device attempts to connect to any computer on the enterprise network and authenticate the user. Before any data is accessed, the software should be able to verify that the security agent is installed and that his/her security settings are up to date.
Likewise, the software should also have the intelligence to detect a device being connected to the enterprise for the first time and to automatically notify the user that only devices adequately protected with security software can access corporate data. The user should be given a choice whether they want to accept or decline permission to adhere to the company's security policy. If the user declines, of course, he/she is denied access to any corporate information. If the user accepts, the software should invoke processes to register the device and then automatically provision client software, encryption keys and policy settings.
By implementing policy, processes and the right technology, you can start gaining control over device use today – before it takes control of you.