As smart phones continue to grow in popularity, they are playing an ever-increasing role in the workplace. In some cases, employees are using personal devices for work purposes. In other cases, organizations are issuing devices to staff. And while they do not create the same threat as laptops with respect to malware, they still merit consideration.
Many organizations are, however, neglecting to pay adequate attention to the security risks such devices can pose, said John Girard, a Gartner Research vice president, speaking at a recent Gartner conference in Washington, D.C. Just a small percentage of organizations have adequate policies and technical controls to secure the devices, said Girard.
By implementing a few security measures, such as adding encryption and authentication, organizations could gain significant security benefits, he said. Phones should also be set to “time out” after 15 to 20 minutes, advised Girard. Many employees set the devices to time out after far longer periods, for convenience.
Another problem is that policies regarding smart phones tend not to be strongly enforced, noted Girard. Many organizations, for example, will tell employees that if they are going to use devices for both personal and work reasons, they should be careful not to download untrusted software. But such “honor codes” rarely work, he said.
Policies should be backed by user education, which should “really be more like reading them their rights,” explained Girard. Often, he adds, information security departments handle smart phone policies. But it is far more effective to go “higher up the chain,” to departments such as human resources.
Many organizations could also reap strong security benefits from third-party software that controls how phones interface with the corporate network, according to Girard. This can assist in areas such as enrollment. It can ensure that devices trying to access the network are automatically denied until the device owner goes through a formal process with the IT department. Guaranteeing that phones have common configurations can ensure that the devices connect to the network securely and that they receive security updates. It can also save time for IT staff, who might otherwise have to assist with a wide variety of configurations.
Organizations might also consider software for application control. Although it has yet to be widely adopted, such software, which creates a certified list of acceptable programs, can help keep employees from downloading malicious programs, for instance.
At least one or two vendors also develop software that backs up phone data. The latter, aside from preserving data, could tell an organization exactly what data may have been on a missing phone, which could help the company quickly assess the extent of the loss of proprietary information, Girard said.
Organizations should also look to their carriers for assistance in adopting technical controls that can enhance security, he said. Some providers, such as AT&T and Verizon, offer assistance in device configuration and software control, he said.
As for whether the security is worth the time and cost, Girard cited Gartner research which found that smart phones, when involved in a data breach, cost organizations about 70 times what the cost would have been for implementing basic security, such as encryption. That type of information may help sell the executive suite on the value of investing in smart protection for smartphones.