Today's topic concerns one of the most important questions facing enterprise IT and telecom managers today, to wit -- who owns, or, perhaps better, should own, the mobile phone? The answer to this question has far-reaching implications for any business or organization, with impacts on capital and operational costs, network management, information and network security, and many other factors. If mobility is indeed, as I believe, the future of IT, then getting this part of the solution right is one of the keys to success.
With only a few exceptions, most enterprises that I've spoken with generally have a policy of letting an employee use their personal mobile phone for business, with many reimbursing the employee for at least a portion of the airtime charges. This is, of course, the simplest solution for the enterprise, as no capital investment is required and no ongoing management expense involved. And this approach can work very well indeed, with just one little problem.
And that is, as handsets have become significantly more intelligent and powerful over the years, with essentially all handsets sold today qualifying as "smartphones," that unmanaged personal phone can be both a security-hole backdoor into the enterprise network, as well as a repository of (again, unmanaged and unsecured) sensitive corporate data. It's no big deal to keep the phone number of one's car dealer on a personal handset, but the phone number and e-mail address of the CEO could be a problem if these are not appropriately protected. Remote access is similarly a big concern.
I am quite paranoid when it comes to security, and I run just a small business. But any business, of any size, needs to make sure that access to its corporate network, and the resources on that network, are available only to authorized users and perhaps only to authorized devices. Similarly, any data obtained from that network that is classified as sensitive or confidential also needs to be protected and made available only to authorized users. An unsecured personal handset is thus a potential disaster if it's lost or stolen -- and many of them are, and enterprise IT management, in most cases, would never know.
The solution to this problem begins with a policy regarding the use of personal mobile devices in the corporate environment, which isn't all that different from a general information confidentiality policy or a policy regarding the use of a personal car on company business. Appropriate controls – at a minimum, a password or PIN code to access the device – are essential. Users should be required to sign an agreement with respect to keeping corporate information on personal devices, and the handsets themselves should be registered with IT for tracking purposes.
But I don't think these precautions will ultimately be sufficient. In fact, I'm going to predict that a mobile phone or other wireless handset will eventually be owned, monitored, managed, and otherwise controlled by the enterprise, along with a general prohibition on keeping enterprise information on any non-enterprise device. This is the only way to make sure that confidential information stays that way, but note that a strong policy regarding the use of any enterprise-issued IT electronics is required in any context. Remote device management is going to be an explosive growth opportunity for management software vendors moving forward.
I also think that two-factor authentication will become much more important for mobile devices, perhaps using biometrics (like fingerprint scanners) or a hardware security key, which might itself be wireless. Regardless, the days of using a personal mobile phone to casually store company information are coming to an end – and, from where I'm standing, none too soon.