Securing mobile access: Coping with personal devices in the enterprise

With or without permission, your users are bringing their personal devices to work. It’s time to learn ways to secure mobile access to your network.

If you think it’s difficult to secure remote access for users working from their home PCs, wait until you take on the flood of privately owned smartphones and tablets on enterprise networks. The good news is that there is a series of measures network managers can take to secure mobile access.

Gone are the days when users were willing to carry both a company-issued phone and a personal device. Instead, they’re seeking one device for both. In fact, a study conducted last year shows that three quarters of mobile phones used for business are actually personal devices with only about 25% provided by companies, said Andy Buss, service director at market research company Freeform Dynamics.

And while only about 20% of personal devices are smartphones, uptake is growing. That means more people will be armed with devices that can hold in-depth business address books and other important data. This also means more people can lose this information.

To give an idea of the scale of the problem, a survey organised by data security developer Credant Technologies discovered that on average Londoners leave around 10,000 mobile phones a month in the back of taxis. Lost phones are especially troubling when you consider where they might be from. In the two years leading up to June 2010, 30 mobile devices belonging to the Welsh Assembly were lost or stolen, while Westminster’s government departments reported mobile device losses including 131 BlackBerries or iPhones and 104 other mobile devices.

Steps to securing mobile devices in the enterprise

The first step may be as simple as training users -- and IT staff members -- to use passwords. A recent Juniper Networks survey showed that while security is a key concern for most smartphone or tablet PC buyers, less than half bother to password-protect their mobile devices. In fact, 21% of those surveyed had never changed their device factory settings, and only 23% frequently updated their mobile device security settings. Even worse, Juniper's survey also found that only 1% of corporate IT departments maintain the security settings on employee personal devices.

“It’s a matter of education, because if you don’t tell people how to do it safely, they will do it unsafely,” said Buss.

The next step is to institute monitoring systems that will gauge mobile activity. Then IT can have a conversation with enterprise management about the overall business need related to mobile devices. With that combined information, user policy can be set.

These policies could be linked with functions that include automated device lock-down and remote wipe, mandatory encryption, enterprise management, event reporting and application control, anti-virus deployment, and GPS location for missing devices.

“It’s a massive challenge for the desktop and system management vendors,” Buss added. “Part of the problem is the speed of development: mobile phones develop really quickly, but enterprise tools take 12 to 18 months to test and release, by which time you have probably had two new iPhones and three or four new BlackBerries released. [The system management vendors] may need a philosophy change and a more streamlined approach, with much more frequent releases.”

He concluded: “A company may have to have an approved [smartphone] list to cut the complexity, and then work on ways to make that centralised and consolidated. Even then, you’re never going to be able to stop people from using what they want, so then it is managing the risk.”

--Bryan Betts is a UK-based freelance journalist specialising in business and technology. Read about him at
