The paper says, if companies want to take advantage of the benefits of mobile devices, they need to build a governance framework, including a mobile smartphone security policy, to ensure proper use, rather than allowing the growth of mobile usage to go unchecked.
But one of the report's contributors, Peter Wood, partner and CEO of West Sussex penetration testing company First Base Technologies LLP, as well as a SearchSecurity.co.UK expert, conceded that smartphones especially pose a tough problem.
Many organisations have managed to enforce policies and security controls on company-owned laptops, he said, but smartphones now pose a whole new set of problems.
"While the BlackBerry allows good security, staff is now demanding iPhones and Android phones which we can't control in the same way at the moment. It is a nightmare for those people tasked with trying to manage it from a security perspective," Wood said. "We are at the beginning with this new generation of devices. People are storing data on these devices and there isn't any encryption. It's like taking a step backwards."
The ISACA paper sets out a checklist of factors for companies to consider, and proposes using a recognised governance framework, such as COBIT or Risk IT, to provide a structured, risk-based approach to tackling the problem. It says: "Mobile devices have the potential to become the biggest threat for leakage of confidential information. Their protection, very much neglected until now, will become a primary task for enterprises."
Recognising that there are few security products currently available for smartphones, the paper emphasises that companies need to build strong enforceable policies that enable them to gain the benefits of mobile usage while minimising risks. For instance, if data cannot be encrypted on the mobile endpoint, then data access should be restricted.
"There is no easy solution available yet. With a laptop you can put on an encryption package and manage it centrally. You can also do that on a BlackBerry, but how do you do that on an iPhone or iPad?" Wood asked. "How do you mitigate the problems of roaming Wi-Fi connections? You can lock it down on a laptop and put in some good controls, but how to do that on an iPhone or iPad? That's the challenge."
Many organisations are already wrestling with the smartphone problem, especially when users want to use their own devices for work. Marcus Alldrick, senior IT manager for Lloyd's of London, the insurance market, said that pressure is mounting to allow users to use their own phones for work. "Our policy is to lock down corporate smartphones," he said, "But people now want to use their own devices both for personal and business purposes. We have global users, so we'd need an approach that deals with multiple operating systems, so that we can connect securely into our networks."
Until data can be protected and connections secured on a range of smartphones, however, he said the current policy will remain in place.