Mobile security starts with policy

By Andrew R. Hickey, News Writer
17 Aug 2006 | SearchMobileComputing.com

Mobile security isn't easy. It isn't particularly fun, either.

But with mobility taking an increasingly strong hold in the enterprise, it's becoming more and more necessary. According to IDC, the global mobile workforce is poised to grow more than 20% in the next four years, meaning there will be roughly 878 million mobile workers by 2009.

For some reason, though, many companies aren't taking security warnings seriously, according to Jack Gold, principal and founder of J. Gold Associates, a Northborough, Mass.-based research, advisory and analyst firm.

"It's not a high priority now on a lot of people's lists," Gold said. "There are so many other things going on in their day."

The casual attitude to mobile security prompted Gold to re-examine what companies need to do to ensure mobile security on several levels. While Gold says his 10 steps and tips to mobile security should be looked at as a starting point, they're a starting point that should resonate now.

"One of the problems with portability and mobility is that the data is mobile too," Gold said. "The technology has changed, but the security hasn't been updated."

The first steps toward a secure mobile environment, Gold said, are setting and documenting policy and getting end users up to speed. Then, those policies must be enforced for all users.

"Without a policy, what do you enforce?" he asked, adding that policies must also be reviewed and updated as the technology and mobile environments change.

Daniel Taylor, managing director of the Mobile Enterprise Alliance, agreed that setting policy is the first and most necessary step to mobile security.

"Information security is all about policy, and policy is the most important piece of mobile security," Taylor wrote in a recent email. "Today, there are security technologies that can do just about anything, but without an overarching policy in place, the security implementation will be ad hoc."

For example, Taylor said, if a security policy restricts mobile device access to known devices, but there is no policy for anti-virus or a standardized drive image, users can download software and install it on their devices, exposing an organization to various security risks. Essentially, in that scenario there is an access policy in place, he said, but no security against viruses and malware.

"Mobility policy is a Pandora's Box for many IT organizations, and many IT managers are still in denial," Taylor said. "The perspective today is that what they don't know won't hurt them, and to some extent, that's true. Having a false sense of security is far worse than having no security at all."

On the device level, mobile managers must ensure that password protection is always set to "on," personal anti-virus and firewall protection is updated, sensitive files are encrypted, and lockdown and kill features are enabled. Since the biggest threat to mobile data is still loss and theft, those should be a given.

Say Joey Mobile leaves his BlackBerry in a cab on the way to a meeting. Someone gets in after him, picks up the device and starts playing. Without password protection, information is easy to access. If they are not encrypted, sensitive files -- corporate data, email, sales figures, Coca-Cola's secret recipe, whatever -- can be easily found and read.

But with password protection, no one can get into the device except for Joey Mobile. If the files are encrypted, even if someone manages to get in, the files cannot be read. And, if there is a lockdown or kill feature enabled, Joey Mobile can have IT shut down the device and wipe it out before anyone can get their grubby mitts on the information it holds.

Gold added that anti-virus should also be a no-brainer, since pretty much every company today offers that to employees on a PC.

"What company today would not buy anti-virus for a user [on a PC]?" Gold asked. "That's a given. The same rules have to apply to mobile devices."

Taylor echoed that, adding that "mobility policies should provide a foundation for endpoint security that complements what an IT organization is already doing with laptops and personal computers."

It's important, however, that many security features don't have too big an impact on end users, Gold suggested.

"It's a combination of education and making it easy for an end user," he said. "The best way to go about security is to make it invisible to the end user."

Other important steps include determining which file types can be downloaded and synced by users, enforcing connection through VPNs, and logging device usage if compliance is an issue.

For the most part, Gold said, companies know that mobile security is necessary; they just don't do it. Not enough companies have been affected by mobile security breaches, he said, contributing to a lax attitude toward mobile security.

"People just haven't felt the pain level," he said. "The ultimate reason isn't laziness, it's that most people haven't been bitten yet."

Gold predicted, however, that there will be a major mobile security breach sometime within the next year that will focus more attention on the issue and put an end to the "it hasn't gotten me yet" philosophy.

Overall, adequate mobile security is not an expensive endeavor, according to Gold. It does take some time and extra work, but he estimated it would cost between $100 and $150 per user to follow all 10 steps. In larger companies, the cost per user would be a bit lower -- between $50 and $100.

"We're not talking a lot of money here," Gold said. "[Companies] buy insurance for their workers, and this is insurance. You hope it never happens, but if it does, you want to be protected."

This article originally appeared on SearchMobileComputing.com.
