The use of smartphones within the workplace brings many benefits to organisations, but also risks. Increasingly, users want to experience the functionality available to them in their private lives in their professional lives, and certainly businesses can benefit by maximising employee productivity while travelling. A happier user makes for a more productive user.
Confidentiality of data should be a key concern for executives. If used for corporate applications, smartphones can contain a wealth of data, including client contacts, supplier information, business plans and intellectual property. Your smartphone policy must ensure you have guidelines to ensure what happens when an employee leaves, or loses, or has a corporate smartphone stolen. There should also be a technical solution in place to provide a remote wipe and/or kill facility.
The blurring of private and corporate data on the same device represents a potential minefield. Data partitioning is often seen as a way of keeping these separate, but an acceptable usage policy is required, along with regular user training. Consider also legal compliance issues – what may be acceptable in one geography may not be in another regarding employee monitoring, particularly when it comes to personal usage. There may also be legal ramifications in backing up personal employee data.
Security Think Tank: Challenges and opportunities of smartphone security policy
The range of applications available on smartphone platforms today is truly staggering, with more than 500,000 available for the iOS platform and 400,000 for Android. Unlike server and desktop platforms, control of the update and patching of these applications may no longer be in your control, but in the hands of the device manufacturer, mobile operator and platform supplier. Your policy should also include a device certification programme, along with steps to secure the platform, including data encryption and secure authentication methods. How will you identify rogue smartphone devices on the network?
Given both the WikiLeaks and Stuxnet incidents, both of which started with rogue removable media introduced into the environment, your endpoint security solution should be able to identify and block rogue devices being connected. As smartphones contain both voice recording and camera capabilities, your policy should also include measures to deal with physical security and prevent industrial espionage by visitors to your premises.
Phil Stewart is director of communications at ISSA UK.
This was first published in February 2012