More employees are using their mobile devices for work. While organizations can lock down organization-owned mobile devices with policies and established technologies such as BlackBerry Enterprise Server, personally owned mobile devices require a new framework and policy structure.
Organizations must shift their security thinking, develop new policies and implement technologies that maintain enterprise security without degrading the experience that users value in these devices.
Personal mobile devices are easy to lose and easy for thieves to steal, along with all the sensitive enterprise data on them. Threats of mobile malware and malicious mobile applications are real.
It may be prudent to work with a technology partner to understand mobile application security risks and consider mobile device management technologies. Organizations should perform a risk/benefit analysis. Three key issues should be considered:
- Are risks posed by mobile devices tolerable?
- What applications, data and resources will be accessible from mobile devices?
- Are additional technologies required to secure these devices to meet security goals and policies?
The challenge is determining what kind of security policies you can reasonably enforce on a personal device without appearing heavy-handed or violating personal privacy laws.
When employees bring in personal devices, those devices may not conform to the company's security standards. When that happens, the IT department is left with two choices: demand that the employees' devices conform to those standards, or accept the risk of having nonconforming devices in the environment.
Organizations that want to allow employees to use their personal devices in the workplace must have a mobile policy. The first step is creating and executing organization rules for personally owned mobile devices.
Device-based security technologies such as password-based entry, remote lock/wipe, and built-in encryption may satisfy security requirements for some organizations. But for more-regulated industries or companies that handle sensitive data, a higher level of security assurance is needed.
Mobile technology vendors with good security platforms include: AirWatch, Citrix Systems, Good Technology, McAfee, MobileIron, and Sybase.
Here are some simple suggested rules to start a mobile policy:
- Employees must use password-based entry and locking features.
- IT reserves the right to manage any mobile device with access to corporate data, including those that are personally owned.
- The organization reserves the right to monitor the activity of personal mobile devices when they are on the company network.
- The organization has the right to restrict access to confidential data if necessary.
- Employees should follow Internet acceptable use policies while in the corporate environment.
- The company isn’t responsible for damage to personal content due to corporate management functions imposed on the device.
- The organization can disable any mobile device access to corporate resources at any time deemed necessary.
- Users must inform IT if the device is lost or stolen.
- If the device is stolen or the employee leaves the company, the IT department should be able to wipe company data from it remotely.