Several years ago, Gartner predicted that consumerisation would be one of the major trends impacting enterprise IT and IT security programmes.
Smartphones are the poster child for this trend – in the fourth quarter of 2011, more than 115 million smartphone devices were sold, many to people who then brought them to work and demanded the ability to read work e-mail on them and connect them to business networks.
In many ways, smartphones can be more secure operating platforms than PCs, but there is one major issue that needs to be dealt with first.
Smartphone security issue
The major security issue with smartphone use by employees is the fact that the phones are typically owned by the employee and used for both work and personal reasons. While most businesses have evolved acceptable-use policies for personal use of work PCs, the business owns the PC and the employee’s personal use is secondary.
With smartphones, the reverse is true – the employee owns the device and the work use is secondary. This means that new policy language is required that specifically calls out the responsibilities of the user if he or she is to be allowed to access corporate information with a personal smartphone. The employee must be made aware of how information must be protected and that in the case of an incident the company reserves the right to delete all information on the device.
Defining such policy is not that difficult, but different countries have different legal precedents, and in some countries labour agreements may also come into play. Legal counsel should always be involved in reviewing any new security policy.
Policy by itself is useless. There must be controls for monitoring and enforcing policy to protect business interests. Two key elements of successful smartphone security policies are:
- Network access control – the ability to detect when an unmanaged device is in use and who is using it.
- Mobile device management – the ability to enforce a security policy on smartphones to balance risk with the business benefits of allowing smartphone use.
John Pescatore is vice-president and distinguished analyst at Gartner