Managing mobile messaging used to be a fairly straightforward task for IT managers: employees whose role required them to access their e-mails on the road were issued a corporate device. The biggest issue back then was to keep the data in transit secure and the cost in check. There was the odd request to use a non-company standard device on the corporate mail system but these were quickly shot down by the security guys.
Fast forward to today and this situation has changed or is about to change in all but the most regulated organisations. One reason for this evolution is the success of consumer devices such as the iPhone and Android devices. Users - and we have to include C-level staff in this group - are becoming more tech-savvy and demand the flexibility and capabilities they are used to from their private gadget on their work device as well.
While this demand is usually met for "VIP" staff, the lower ranks tend to be brushed off and referred to the company standards. This might have worked well in the past, but a recent study by Unisys shows that a third of UK-based employees are now using their own devices at work with or without approval. Information security departments look at this result with worry, but some IT managers embrace the trend and try to use it to their advantage.
There is an opportunity for organisations to realise cost savings by allowing staff to leverage their privately owned (and paid for) device to access their business correspondence. This might not be an option for every company but IT/security departments would do well to spend some time investigating how this trend affects their security posture.
Written policies covering terms of usage are a good start (if your organisation does not have them in place already, stop reading now and start working on it) but they need to be reviewed and enforced as well.
While Research in Motion's BlackBerry platform with its rich feature set is still most administrators' favourite, the contenders are closing in fast, with Apple's enterprise integration features being just one example. There is no question that RIM is leaps and bounds ahead from a management and security point of view, but a closer look might show that other solutions will work just as well for the majority of your users as long as the risks are understood and legal/regulatory requirements are met.
IT and security departments should take this shift as an opportunity to position themselves as a proactive and progressive part of the organisation. It is not every day that we get a chance to cut costs and make our users happy at the same time.
Daniel Schatz, CISSP, is principal security analyst with Thomson Reuters.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².
This was first published in October 2010