How to formulate an effective smartphone security policy

The mobile revolution offers new ways of working, but what are the challenges and how can they be overcome?

The mobile revolution offers new ways of working, increasing efficiency, productivity and responsiveness of employees. Mobility offers new ways of gaining business and competitive advantage by creating new services, improving current offerings and enhancing operational access and flexibility.

These are benefits few businesses will fail to grasp, but with all this improvement comes increased security risk. Businesses cannot afford to ignore the risk and must formulate appropriate smartphone policies to manage it effectively.

At the very least, most if not all businesses are having to come to grips with employees using smartphones, which provide a quick and easy way for employees to access corporate e-mail and other resources while out of the office and on the move.

In the fourth quarter of 2011, over 115 million smartphone devices were sold, many to employees likely to take them to work, demand to read work e-mail on them and connect them to business networks.

Against this backdrop, few information security professionals would disagree that companies should have a clear set of policies, requirements and standards that cover smartphones used to conduct business. But what are the challenges to be met in formulating a security policy for smartphones and how can these be met?

What the experts think

  • Adrian Davis, principal research analyst at the Information Security Forum (ISF), says: "Smartphones and tablets are likely to force information security functions to rethink their entire approach to deploying controls and solutions."
  • John Pescatore, vice-president and distinguished analyst at Gartner, says: "The major security issue with smartphone use by employees is the fact that the phones are typically owned by the employee and used for both work and personal reasons."
  • Lannon Rowan, an (ISC)2 member and security consultant at a mobile network operator, says: "There are security challenges throughout the whole smartphone lifecycle, from device creation and marketing, through purchase, implementation and operation, to the eventual recycling or destruction of the device."
  • Phil Stewart, director of communications at ISSA UK, says: "Unlike server and desktop platforms, control of the update and patching of these applications may no longer be in your control, but in the hands of the device manufacturer, mobile operator and platform supplier."
  • Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management, says: "Tools are available to encrypt data stored on a smartphone but to use a smartphone typically only requires a 4 or 6 digit PIN code to unlock (if a PIN is set at all!) which is not, in my opinion, good enough to protect a company's (or a person's) data."
  • Sarb Sembhi, chair of ISACA’s government relations committee, says: "The key issue (as always) being that of the data. And in particular, how the ownership of the data on the device is agreed, or at least dealt with."
  • Vladimir Jirasek, director of alliances, Cloud Security Alliance UK & Ireland, says: "The policy should foremost define what types of the data can or cannot be processed on smartphone operating systems."
  • Jovi Umawing, a communications and research analyst at GFI Software, says: "Once the policy has been created, management needs to enforce it and ensure all employees are aware of what is covered."

Coming up with a smartphone policy that works best for your business is the first challenge, says Jovi Umawing, communications and research analyst at GFI Software.

The kind of devices allowed on the network should be dictated by a smartphones policy, and this policy must be rigorously policed, he believes. If security measures such as password protection, data encryption, remote lock and management capabilities such as remotely wiping company data from a mobile device are in place, the device being used and the operating system it is running become unimportant, he says.

At the very least, basic security and malware protection should be present on every device. If they are not compliant with the policy, they are not allowed on the network, says Umawing.

The risks of consumer technology

Another challenge is figuring out how to secure devices that were not necessarily designed and built with business use in mind, according to Adrian Davis, principal research analyst at the Information Security Forum (ISF).

The ISF has found that these devices, smartphones and tablet computers, are likely to force information security functions to re-think their entire approach to deploying controls and solutions.

“Overall, within large organisations, we have found a parallel to the steps taken to secure laptops, but with a severely compressed timescale of a few months or even weeks,” says Davis.

The main rising challenge for many businesses with smartphones is data, particularly how the ownership of the data on the device is agreed, says Sarb Sembhi, chair of ISACA’s government and regulatory advocacy committee.

“I have seen policies range from one extreme to the other. However there are three main approaches to deal with the device ownership and the data on it,” he says.

Smartphone provisioning

The three approaches are: first, corporate ownership and provisioning, where the employer purchases and retains ownership of the device, and may or may not allow any personal use depending on existing usage policies; second, shared management, where employees accessing business data from their devices give their employers the right to manage, lock down or even wipe clean the devices; and third, legal transfer, in which the employer purchases the device from the employee. This may involve a nominal price and allow the employee to use the device for personal communications, and maybe even allow them to buy the devices back when they leave the organisation.

All three are very simple for large corporations that have the resources to identify what attempts are being made to access the corporate network. But the same cannot be said for SMEs, says Sembhi.

Many SMEs may not know the extent to which employees access the corporate network using unauthorised devices, he says. But some implicitly accept employees using their own devices, because it is cheaper than providing them. But this lack of knowledge will possibly hold back many SMEs from taking appropriate action at the right time.

“The problem is that there is no one solution that fits all. Although the technologies out there are enabling some creative approaches – including the use of cloud storage for all corporate data, or the use of SD cards to store all private data – they are not yet easy to use for SMEs,” says Sembhi.

Over the next year, Sembhi believes several solution providers will recognise the severity of the challenge. He said many different innovative options for all devices and platforms will emerge, as the mobile and cloud solutions market has been moving far faster than the PC sector ever did.

In the meantime, the challenge facing SMEs and corporations alike is to make sure smartphone policies keep up with rapidly evolving devices and software.

Restricting business data on smartphones

In addition to frequent reviews, one way businesses can do this is to define what types of data can or cannot be processed on smartphone operating systems, says Vladimir Jirasek, director of alliances, CSA UK & Ireland.

“For example, the policy may state that PCI DSS data and application cannot be stored and accessed from smartphones,” he says.

The next level of detail should distinguish between personal and business-owned devices; whether these are managed or unmanaged; and address the compliance with configuration standards.

Finally, the policy should define the delivery model of the applications and data, based on application types, employee role, location and the type of the smartphone. 

“This is not an easy task and requires a pragmatic approach, which includes threat assessment at the very least,” says Jirasek.

The policy also needs to clearly articulate what happens when the device is lost or required for a forensic investigation, he says, although forensic investigations on privately owned smartphones might be unlawful in some countries, regardless of what the policy says.

Unlike server and desktop platforms, control over updating and patching smartphone applications may be beyond the reach of users or business IT administrators, and instead in the hands of the device manufacturer, mobile operator and platform supplier, says Phil Stewart, director of communications, ISSA UK.

“The smartphone policy should also include a device certification programme, along with steps to secure the platform, including data encryption and secure authentication methods,” he says.

Although a smartphone security policy is essential, it must be complemented with the right mobile device management systems and good working practices, to ensure the policy is enforced.

Security controls, however, should be applied in a complete and consistent manner, says the ISF's Adrian Davis. “For example, encrypting everything on the device; separating personal from business use; and placing constraints on which apps can run on the devices.”

Finally, for all organisations, regardless of size, he says the choice of provider can be significant, as the contract can provide for minimum standards of service reliability, device replacement and information security, such as encryption and backup. 
