Mobile security starts with policy

Mobile security can no longer be an afterthought. Mobile experts say security starts, but doesn't end, with policy

Mobile security isn't easy. It isn't particularly fun, either.

But with mobility taking an increasingly strong hold in the enterprise, it's becoming more and more necessary. According to IDC, the global mobile workforce is poised to grow more than 20% in the next four years, meaning there will be roughly 878 million mobile workers by 2009.

For some reason, though, many companies aren't taking security warnings seriously, according to Jack Gold, principal and founder of J. Gold Associates, a research, advisory and analyst firm.

"It's not a high priority now on a lot of people's lists," Gold said. "There are so many other things going on in their day."

The casual attitude toward mobile security prompted Gold to re-examine what companies need to do to ensure mobile security on several levels. While Gold says his 10 steps and tips for mobile security should be looked at as a starting point, it is a starting point that is relevant now.

"One of the problems with portability and mobility is that the data is mobile too," Gold said. "The technology has changed, but the security hasn't been updated."

The first steps toward a secure mobile environment, Gold said, are setting and documenting policy and getting end users up to speed. Then, those policies must be enforced for all users.

10 steps to mobile security

Here are 10 steps to mobile security -- broken down into specific areas -- as outlined by Jack Gold of J. Gold Associates:

End users:

  • Set policies, document and get user buy-in
  • Enforce policies on mobile devices for all users
  • Review and update policies regularly, as things often change

Devices:

  • Make sure password protection is set to "ON"
  • Include updated personal anti-virus and firewall on devices
  • Encrypt sensitive files on devices
  • Enable device lockdown and kill

  • Determine what file types can be downloaded/synced by which users
  • Log device usage for compliance where appropriate
  • Enforce connection security/VPN standards

"Without a policy, what do you enforce?" he asked, adding that policies must also be reviewed and updated as the technology and mobile environments change.

Daniel Taylor, managing director of the Mobile Enterprise Alliance, agreed that setting policy is the first and most necessary step to mobile security.

"Information security is all about policy, and policy is the most important piece of mobile security," Taylor wrote in a recent email. "Today, there are security technologies that can do just about anything, but without an overarching policy in place, the security implementation will be ad hoc."

For example, Taylor said, if a security policy restricts mobile device access to known devices, but there is no policy for anti-virus or a standardised drive image, users can download software and install it on their devices, exposing an organisation to various security risks. Essentially, in that scenario there is an access policy in place, he said, but no security against viruses and malware.

"Mobility policy is a Pandora's Box for many IT organisations, and many IT managers are still in denial," Taylor said. "The perspective today is that what they don't know won't hurt them, and to some extent, that's true. Having a false sense of security is far worse than having no security at all."

On the device level, mobile managers must ensure that password protection is always set to "on," personal anti-virus and firewall protection is updated, sensitive files are encrypted, and lockdown and kill features are enabled. Since the biggest threat to mobile data is still loss and theft, those should be a given.

Say Joey Mobile leaves his BlackBerry in a cab on the way to a meeting. Someone gets in after him, picks up the device and starts playing. Without password protection, information is easy to access. If they are not encrypted, sensitive files -- corporate data, email, sales figures, Coca-Cola's secret recipe, whatever -- can be easily found and read.

But with password protection, no one can get into the device except for Joey Mobile. If the files are encrypted, even if someone manages to get in, the files cannot be read. And, if there is a lockdown or kill feature enabled, Joey Mobile can have IT shut down the device and wipe it out before anyone can get their grubby mitts on the information it holds.

Gold added that anti-virus should also be a no-brainer, since pretty much every company today offers that to employees on a PC.

"What company today would not buy anti-virus for a user [on a PC]?" Gold asked. "That's a given. The same rules have to apply to mobile devices."

Taylor echoed that, adding that "mobility policies should provide a foundation for endpoint security that complements what an IT organisation is already doing with laptops and personal computers."

It's important, however, that security features don't have too big an impact on end users, Gold suggested.

"It's a combination of education and making it easy for an end user," he said. "The best way to go about security is to make it invisible to the end user."

Other important steps include determining which file types can be downloaded and synced by users, enforcing connection through VPNs, and logging device usage if compliance is an issue.

For the most part, Gold said, companies know that mobile security is necessary, they just don't do it. Not enough companies have been affected by mobile security breaches, he said, contributing to a lax attitude toward mobile security.

"People just haven't felt the pain level," he said. "The ultimate reason isn't laziness, it's that most people haven't been bitten yet."

Gold predicted, however, that there will be a major mobile security breach sometime within the next year that will focus more attention on the issue and put an end to the "it hasn't gotten me yet" philosophy.

Overall, adequate mobile security is not an expensive endeavor, according to Gold. It does take some time and extra work, but he estimated it would cost between $100 and $150 per user to follow all 10 steps. In larger companies, the cost per user would be a bit lower -- between $50 and $100.

"We're not talking a lot of money here," Gold said. "[Companies] buy insurance for their workers, and this is insurance. You hope it never happens, but if it does, you want to be protected."