Get Smart About Protecting Phones

By John Wagley

As smart phones continue to grow in popularity, they are playing an ever-increasing role in the workplace. In some cases, employees are using personal devices for work purposes. In other cases, organizations are issuing devices to staff. And while they do not create the same threat as laptops with respect to malware, they still merit consideration.
Many organizations are, however, neglecting to pay adequate attention to the security risks such devices can pose, said John Girard, a Gartner Research vice president, speaking at a recent Gartner conference in Washington, D.C. Just a small percentage of organizations have adequate policies and technical controls to secure the devices, said Girard.
By implementing a few security measures, such as adding encryption and authentication, organizations could gain significant security benefits, he said. Phones should also be set to “time out” after 15 to 20 minutes, advised Girard. Many employees set the devices to time out after far longer periods, for convenience.
Another problem is that policies regarding smart phones tend not to be strongly enforced, noted Girard. Many organizations, for example, will tell employees that if they are going to use devices for both personal and work reasons, they should be careful not to download untrusted software. But such “honor codes” rarely work, he said.
Policies should be backed by user education, which should “really be more like reading them their rights,” explained Girard. Often, he added, information security departments handle smart phone policies. But it is far more effective to go “higher up the chain,” to departments such as human resources.
Many organizations could also reap strong security benefits from third-party software that controls how phones interface with the corporate network, according to Girard. This can assist in areas such as enrollment. It can ensure that devices trying to access the network are automatically denied until the device owner goes through a formal process with the IT department. Guaranteeing that phones have common configurations can ensure that the devices connect to the network securely and that they receive security updates. It can also save time for IT staff, who might otherwise have to assist with a wide variety of configurations.
Organizations might also consider software for application control. Although it has yet to be widely adopted, such software, which creates a certified list of acceptable programs, can help keep employees from downloading malicious programs, for instance.
At least one or two vendors also develop software that backs up phone data. Such software, aside from preserving data, could tell an organization exactly what data may have been on a missing phone, which could help the company quickly assess the extent of the loss of proprietary information, Girard said.
Organizations should also look to their carriers for assistance in adopting technical controls that can enhance security, he said. Some providers, such as AT&T and Verizon, offer assistance in device configuration and software control, he said.
As for whether the security is worth the time and cost, Girard cited Gartner research that found that smart phones, when involved in a data breach, cost organizations about 70 times what the cost would have been for implementing basic security, such as encryption. That type of information may help sell the executive suite on the value of investing in smart protection for smartphones.


Interesting, but incomplete.

Security is never a bad thing, but the restrictions this article suggests be put on the users of such equipment will in effect make sure that the intended gains in productivity, earning, sales or whatever else are halted or severely stumped.

A far more viable alternative to restricting the usage of the smart phones is restricting what the corporate system itself will accept when it comes to "syncing" with the device. VPN connections and something akin to a Citrix environment will effectively safeguard against "listeners" and also limit the influence a connected device can have on a central system, without the user losing out on features, opportunities, etc. with his or her new equipment.

App control, honor codes and the like will in the end stop working, and the only thing to do is to safeguard the "hub" of the corporate system. A small, unconnected device like an iPhone can easily be restored, wiped remotely or reset, which will also be a near perfect solution in the event of theft, etc.

The key point is to limit the device, not the user, i.e. limit the influence the device can have over a system, not the influence the user has over the device.

SnallaBolaget - Security, That's Right!
