The smartphone – and tablet – revolution offers organisations new ways of performing their work and realising tangible benefits. These devices offer new paths to gain business and competitive advantage by creating new customer services and experiences, and they enhance operational access and flexibility. But they present one main problem: how to secure devices which were not necessarily designed and built with business use in mind.
The ISF has found that these devices (both smartphones and tablets) are likely to force information security functions to rethink their entire approach to deploying controls and solutions. Overall, within large organisations, we have found a parallel to the steps taken to secure laptops, but with a severely compressed timescale of a few months or even weeks.
We have identified four elements of consumer device security:
- Applications and data.
Within these four elements, there are a host of issues, ranging from misuse of the device and its functionality, through exploitation of software vulnerabilities by third parties, to the deployment of poorly tested (and therefore unreliable) business applications.
But all is not lost. There are tools available – such as mobile device management systems – as well as a plethora of good working practices which can be shored up by an acceptable use policy. Solutions should be applied in a complete and consistent manner: for example, by encrypting everything on the device, separating personal from business use, and placing constraints on which apps can run on the devices.
For all organisations, irrespective of size, the choice of provider can be significant, as the contract can provide for minimum standards of service reliability, device replacement and information security, such as encryption and back-up.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).