The squeeze is on

Everyone has one. Everyone.

Consumer mobile devices have spread through the enterprise like mad, and, to a network manager, that can only mean one thing: trouble.

“The enterprise is going to be even more flooded with these devices, especially after Christmas,” according to Steven Vinsik, vice-president of critical infrastructure protection with systems integration company Unisys. The company recently released its predictions for 2011, which included increased focus on consumer device security policy, biometric enablement of mobile devices, and location-based security.

“People will find a way to break the rules,” Info-Tech Research analyst Rahul Parmar laughs. “You give them a sandbox, and they want another sandbox to play in.”

The network manager needs to make sure that they know about each and every mobile device that might have access to the corporate network, or contain corporate information—especially if sensitive data is involved. Register any device that will need this access, or that could leak corporate data to the outside world. Users can be a cantankerous bunch, but when it comes to keeping the network safe, there are certain procedures that must be followed—they’ll just have to fall in line.

Secret agent
Users are stubborn—they want to be able to play Farmville on their phones, and forward all the latest dancing pig GIFs. “Users will always get around everything, whether it’s unknowingly or knowingly,” according to Bill Clark, a Gartner research vice-president.

One way to make sure that corporate and personal data don’t get mixed up, says Clark, is to install an agent on the device that will prohibit users from doing anything inappropriate, whether it’s accessing adult sites, or downloading an application that pinpoints your location. (Location might even begin to determine when you can access corporate data—Vinsik cites the example of attending a trade conference where corporate secrets could be bled off a mobile device by a competitor; network managers might be able to pinpoint places like these and lock out mobile devices whenever the user is there.)

If your company deals with a lot of sensitive data, consider running an agent that won’t allow the downloading of any unapproved application; this way, the phone can only use applications installed there by the IT department.

It’s also important to partition the different types of data on the mobile device. This way, personal and corporate acts, data, and apps don’t cross paths. It also makes it easier to perform tech support, and to wipe any corporate data from a personal device (while retaining personal contacts and settings) if necessary.

Back it up
Whenever a new mobile device is brought into the enterprise, set up a daily or weekly remote back-up schedule. This will allow you to centrally store any critical data from the phone—even if the phone is lost, the contacts, work, and any other useful data will be saved instead of lost forever.

“It’s getting easier to control mobile devices on the back end,” says Parmar, citing MobileIron and Good Technology as products in addition to the stalwart BlackBerry Exchange Server.

This includes the ability to offer remote help-desk service, and go into the phone and perform maintenance or help resolve tech issues, according to Clark.

What’s the password?
Even if it seems like a given, you need to make sure that the devices are password-protected. They also need to have a time-out so that a certain number of tries will cause the device to wipe all the data, according to Clark.

There are four levels of mobile security: minimal, basic, enhanced, and lock-down. Parmar says that most companies fall into the first two categories and can make do with passwords and data encryption. Once you get into the latter two categories, VPNs and heavy-duty authentication (like Vinsik’s aforementioned biometrics) become important.

100% authentic
Accessing the network or the office WiFi should also be forbidden unless the mobile user authenticates first, ensuring that only approved devices and users can access the network, according to Clark.

“Otherwise,” says Parmar, “malware can jump through the network.”

But which user gets which device?

Gartner recommends the use of a mobile workforce segmentation model that categorizes users by role—a C-level exec might need the newest generation of a flashier device, while a salesperson might benefit from the CRM apps available on another device. “The old days of locking everyone into having one device — that’s becoming more and more untenable,” says Clark. Instead, it’s important to take a “managed diversity” approach. “Consider what the C-levels need. The salespersons. The operations people. Then go from there,” says Clark. This also means your time is freed up from having to troubleshoot mobile apps or functionality that a user might not even need.

If the enterprise wishes to deploy an enterprise app—say, a CRM program—to certain users, then a device should be provided that works best with that app. “You need to make sure that the right app gets to the right user,” says Jeff Holleran, director of technical product management with Research in Motion.

Often, however, there is the choice between supplying your users with a device, or merely working with the consumer mobile device that they bring into work—as we mentioned, everyone has one. Clark says that the IT department needs to perform a cost and risk assessment with the telecom vendor. With a company-supplied device, if a person leaves the company, the phone isn’t going with them, which is a plus in terms of data security and being able to reuse the hardware with another user.

Then again, you also might decide to work with the consumer devices the users already have—this will save you the up-front hardware costs, and can increase user confidence and productivity with the device. It all depends on what you’re willing to support on the back-end, according to Parmar. “But,” he says, “the corporate device is going to cease to exist.”

User demand for their own precious devices is too strong, and this model is rapidly becoming the go-to strategy.

This makes user education around policy even more important, says Clark. Start by requiring all users to register each device with the IT department. “It’s really important to know which types are being used, and what the risk assessment is for them—what apps access company data, how do they look at it, and what do they do,” Holleran says.

School is in
You must also inform the user what their rights and responsibilities are.

This involves hardcore user education—each user should be required to undergo a short bout of training with the IT department on what is and isn’t allowed with their mobile device. To make double-sure that they’re clear on what is work-appropriate, a splash-screen could be programmed to pop up whenever the user tries to access corporate data or applications, informing them of what is permitted.

Do the waiver
This is a very important part of your network policies—have every user who plans to access corporate data or use enterprise apps on their device sign a waiver that details what their rights and responsibilities are.

It should outline inappropriate behavior, as well as stipulate what happens to their mobile device if it is lost, or they are fired. This means that there is a paper-trail, so users are less able to claim they didn’t know what they were doing.

“If you don’t let them do something, they’re going to find a way to do it anyway,” Parmar says. “Users are resourceful! They figure, ‘If I know a way to do something more efficiently, then I’m gonna do it that way.’ This is why you’re not a gatekeeper — you’re like a parent, controlling their exposure to risk.” 

Many people see losing their phone as akin to losing a limb or a loved one, so getting their smart phone wiped can turn your user against the IT department as fast as you can say “wrong password.”

Any user training should include a warning that a device could be wiped if it is lost or stolen, or if the user violates their code of conduct.

This should head off any enraged users if you have to pull the trigger.

It has to be done, however — real-life incidents that have occurred, according to Clark, include phones being sold online, complete with secret corporate data intact, and salespeople covertly stripping their phones of sales contacts before heading to a competitor.

This is why it’s important to immediately retrieve the mobile device from any employee who has been terminated or is leaving the company — this ensures that sensitive data remains within the corporation. 

Many a holiday present will be unwrapped this year, only to reveal the newest mobile device. But what happens when they’re brought into the enterprise en masse?

Symantec recently released a new survey on enterprise mobile behaviour that revealed a few things scary enough to send any network manager screaming for automatic lockdown.

35 per cent will scan the license agreement when downloading an app, but don’t pay very close attention to it or to what data or services they are giving the app permission to access on their device

29 per cent are very likely to open a text message from an unknown sender on their mobile device

25 per cent are somewhat likely to open an e-mail from an unknown sender on their mobile device

77 per cent don’t use third-party mobile security software on their mobile device

44 per cent would place greater value on the hardware than the data if their smartphone was lost or stolen