Mobile security isn't easy. It isn't particularly fun, either.
But with mobility taking an increasingly strong hold in the
enterprise, it's becoming more and more necessary. According to
IDC, the global mobile workforce is poised to grow more than 20% in
the next four years, meaning there will be roughly 878 million
mobile workers by 2009.
For some reason, though, many companies aren't taking security
warnings seriously, according to Jack Gold, principal and founder
of J. Gold Associates, a Northborough, Mass.-based research,
advisory and analyst firm.

10 steps to mobile security

Here are 10 steps to mobile security -- broken down into
specific areas -- as outlined by Jack Gold of J. Gold
Associates:

End users:
- Set policies, document and get user buy-in
- Enforce policies on mobile devices for all users
- Review and update policies regularly, as things often
  change

Devices:
- Make sure password protection is set to "ON"
- Include updated personal anti-virus and firewall on
  devices
- Encrypt sensitive files on devices
- Enable device lockdown and kill

Infrastructure:
- Determine what file types can be downloaded/synced by which
  users
- Log device usage for compliance where appropriate
- Enforce connection security/VPN standards

"It's not a high priority now on a lot of people's lists," Gold
said. "There are so many other things going on in their day."
The casual attitude to mobile security prompted Gold to
re-examine what companies need to do to ensure mobile security on
several levels. While Gold says his 10 steps and tips to mobile
security should be looked at as a starting point, they're a
starting point that should resonate now.
"One of the problems with portability and mobility is that the
data is mobile too," Gold said. "The technology has changed, but
the security hasn't been updated."
The first steps toward a secure mobile environment, Gold said,
are setting and documenting policy and getting end users up to
speed. Then, those policies must be enforced for all users.
"Without a policy, what do you enforce?" he asked, adding that
policies must also be reviewed and updated as the technology and
mobile environments change.
Daniel Taylor, managing director of the Mobile Enterprise
Alliance, agreed that setting policy is the first and most
necessary step to mobile security.
"Information security is all about policy, and policy is the
most important piece of mobile security," Taylor wrote in a recent
email. "Today, there are security technologies that can do just
about anything, but without an overarching policy in place, the
security implementation will be ad hoc."
For example, Taylor said, if a security policy restricts mobile
device access to known devices, but there is no policy for
anti-virus or a standardised drive image, users can download
software and install it on their devices, exposing an organisation
to various security risks. Essentially, in that scenario there is
an access policy in place, he said, but no security against viruses
and malware.
"Mobility policy is a Pandora's Box for many IT organisations,
and many IT managers are still in denial," Taylor said. "The
perspective today is that what they don't know won't hurt them, and
to some extent, that's true. Having a false sense of security is
far worse than having no security at all."
On the device level, mobile managers must ensure that password
protection is always set to "on," personal anti-virus and firewall
protection is updated, sensitive files are encrypted, and lockdown
and kill features are enabled. Since the biggest threat to mobile
data is still loss and theft, those should be a given.
Say Joey Mobile leaves his BlackBerry in a cab on the way to a
meeting. Someone gets in after him, picks up the device and starts
playing. Without password protection, information is easy to
access. If they are not encrypted, sensitive files -- corporate
data, email, sales figures, Coca-Cola's secret recipe, whatever --
can be easily found and read.
But with password protection, no one can get into the device
except for Joey Mobile. If the files are encrypted, even if someone
manages to get in, the files cannot be read. And, if there is a
lockdown or kill feature enabled, Joey Mobile can have IT shut down
the device and wipe it out before anyone can get their grubby mitts
on the information it holds.
Gold added that anti-virus should also be a no-brainer, since
pretty much every company today offers that to employees on a
PC.
"What company today would not buy anti-virus for a user [on a
PC]?" Gold asked. "That's a given. The same rules have to apply to
mobile devices."
Taylor echoed that, adding that "mobility policies should
provide a foundation for endpoint security that complements what an
IT organisation is already doing with laptops and personal
computers."
It's important, however, that many security features don't have
too big an impact on end users, Gold suggested.
"It's a combination of education and making it easy for an end
user," he said. "The best way to go about security is to make it
invisible to the end user."
Other important steps include determining which file types can be
downloaded and synced by users, enforcing connection through VPNs,
and logging device usage if compliance is an issue.
For the most part, Gold said, companies know that mobile
security is necessary; they just don't do it. Not enough companies
have been affected by mobile security breaches, he said,
contributing to a lax attitude toward mobile security.
"People just haven't felt the pain level," he said. "The
ultimate reason isn't laziness, it's that most people haven't been
bitten yet."
Gold predicted, however, that there will be a major mobile
security breach sometime within the next year that will focus more
attention on the issue and put an end to the "it hasn't gotten me
yet" philosophy.
Overall, adequate mobile security is not an expensive endeavor,
according to Gold. It does take some time and extra work, but he
estimated it would cost between $100 and $150 per user to follow
all 10 steps. In larger companies, the cost per user would be a bit
lower -- between $50 and $100.
"We're not talking a lot of money here," Gold said. "[Companies]
buy insurance for their workers, and this is insurance. You hope it
never happens, but if it does, you want to be protected."
This article originally appeared on
SearchMobileComputing.com.