If you’ve ever let a stranger borrow your corporate smartphone, you may have just given him a gift of your company’s data.
The reason: he might have palmed a small USB device called the CSI Stick, and surreptitiously plugged it into your phone. The device can drain every bit of data from a cell phone in seconds, says Patrick Salmon, a mobility architect for Enterprise Mobile, a technology services company that specializes in Windows Mobile deployments.
Increasingly, companies want to give mobile or field-based employees direct, instant access to critical corporate applications previously accessible only from a desktop. To do so, existing security, authentication and management infrastructures have to be extended and adapted so that mobile devices, along with their data and wireless connectivity (cellular or Wi-Fi), are managed as surely and fully as desktop PCs.
But that’s not the case in many mobile deployments today, according to consultants who, like Salmon, specialize in working with enterprise customers. “What we see is an ill-defined policy regarding devices,” says Dan Croft, president and CEO of Mission Critical Wireless, a technology services company that specializes in mobile deployments.
Often personal handhelds are granted wireless access, something that would never be allowed with a personal computer, creating security vulnerabilities, manageability challenges and tech support burdens, Croft says. Companies don’t plan beforehand about how to handle lost, stolen or broken devices, or the data on them. “IT needs to get control of wireless [mobility] within their company,” he says.
Taking control falls into four broad areas, says Jack Gold, principal of J. Gold Associates, a mobile consulting company: securing and managing every device; managing every connection; protecting every piece of data; and educating every user.
Securing and managing every device
Mobile devices, whether bought by the company or by the individuals, are accessing company networks and company data. Device security and management are closely intertwined, because you have to be able to monitor the devices in order to enforce policies.
In most cases, practitioners recommend standardizing on two or three mobile device models, minimizing the support, security and management challenges. “Other smartphones [brought in by users] might not be capable of supporting your specific security and administration policies,” Enterprise Mobile’s Salmon says.
Using mobile device passwords or PINs is advised. “If your enterprise doesn’t enforce a password policy on those devices, you might as well stop with all your [other] security measures,” Croft says. Salmon favors PINs, coupled with a limit on the number of access attempts. After that number, the next attempt triggers an automatic lock or wipe of the handheld.