Everyone has one. Everyone.
Consumer mobile devices have spread through the enterprise like mad, and, to a network manager, that can only mean one thing: trouble.
“The enterprise is going to be even more flooded with these devices, especially after Christmas,” according to Steven Vinsik, vice-president of critical infrastructure protection with systems integration company Unisys. The company recently released its predictions for 2011, which included increased focus on consumer device security policy, biometric enablement of mobile devices, and location-based security.
“People will find a way to break the rules,” Info-Tech Research analyst Rahul Parmar laughs. “You give them a sandbox, and they want another sandbox to play in.”
The network manager needs to make sure that they know about each and every mobile device that might have access to the corporate network, or contain corporate information—especially if sensitive data is involved. Register any device that will need this access, or that could leak corporate data to the outside world. Users can be a cantankerous bunch, but when it comes to keeping the network safe, there are certain procedures that must be followed—they’ll just have to fall in line.
One way to make sure that corporate and personal data don’t get mixed up, says Clark, is to install an agent on the device that will prohibit users from doing anything inappropriate, whether it’s accessing adult sites, or downloading an application that pinpoints your location. (Location might even begin to determine when you can access corporate data—Vinsik cites the example of attending a trade conference where corporate secrets could be bled off a mobile device by a competitor; network managers might be able to pinpoint places like these and lock out mobile devices whenever the user is there.)
If your company deals with a lot of sensitive data, consider running an agent that won’t allow the downloading of any unapproved application; this way, the phone can only use applications installed there by the IT department.
It’s also important to partition the different types of data on the mobile device. This way, personal and corporate acts, data, and apps don’t cross paths. It also makes it easier to perform tech support, and to wipe corporate data from a personal device (while retaining personal contacts and settings) if necessary.
“It’s getting easier to control mobile devices on the back end,” says Parmar, citing MobileIron and Good Technology as products in addition to the stalwart BlackBerry Exchange Server.
This includes the ability to offer remote help-desk service, and go into the phone and perform maintenance or help resolve tech issues, according to Clark.
There are four levels of mobile security: minimal, basic, enhanced, and lock-down. Parmar says that most companies fall into the first two categories and can make do with passwords and data encryption. Once you get into the latter two categories, VPNs and heavy-duty authentication (like Vinsik’s aforementioned biometrics) become important.
“Otherwise,” says Parmar, “malware can jump through the network.”
But which user gets which device?
Gartner recommends the use of a mobile workforce segmentation model that categorizes users by role—a C-level exec might need the newest generation of a flashier device, while a salesperson might benefit from the CRM apps available on another device. “The old days of locking everyone into having one device — that’s becoming more and more untenable,” says Clark. Instead, it’s important to take a “managed diversity” approach. “Consider what the C-levels need. The salespersons. The operations people. Then go from there,” says Clark. This also means your time is freed up from having to troubleshoot mobile apps or functionality that a user might not even need.
If the enterprise wishes to deploy an enterprise app—say, a CRM program—to certain users, then a device should be provided that works best with that app. “You need to make sure that the right app gets to the right user,” says Jeff Holleran, director of technical product management with Research in Motion.
Often, however, there is the choice between supplying your users with a device, or merely working with the consumer mobile device that they bring into work—as we mentioned, everyone has one. Clark says that the IT department needs to perform a cost and risk assessment with the telecom vendor. With a company-supplied device, if a person leaves the company, the phone isn’t going with them, which is a plus in terms of data security and being able to reuse the hardware with another user.
Then again, you also might decide to work with the consumer devices the users already have—this will save you the up-front hardware costs, and can increase user confidence and productivity with the device. It all depends on what you’re willing to support on the back-end, according to Parmar. “But,” he says, “the corporate device is going to cease to exist.”
User demand for their own precious devices is too strong, and this model is rapidly becoming the go-to strategy.
This makes user education around policy even more important, says Clark. Start by requiring all users to register each device with the IT department. “It’s really important to know which types are being used, and what the risk assessment is for them—what apps access company data, how do they look at it, and what do they do,” Holleran says.
You must also inform the user what their rights and responsibilities are.
This involves hardcore user education—each user should be required to undergo a short bout of training with the IT department on what is and isn’t allowed with their mobile device. To make double-sure that they’re clear on what is work-appropriate, a splash-screen could be programmed to pop up whenever the user tries to access corporate data or applications, informing them of what is permitted.
It should outline inappropriate behavior, as well as stipulate what happens to their mobile device if it is lost, or they are fired. This means that there is a paper-trail, so users are less able to claim they didn’t know what they were doing.
Any user training should include a warning that a device could be wiped if it is lost or stolen, or if the user violates their code of conduct.
This should head off any enraged users if you have to pull the trigger.
It has to be done, however — real-life incidents have occurred, according to Clark, including phones being sold online, complete with secret corporate data intact, and salespeople covertly stripping their phones of sales contacts before heading to a competitor.
This is why it’s important to immediately retrieve the mobile device from any employee who has been terminated or is leaving the company — this ensures that sensitive data remains within the corporation.
Symantec recently released a new survey on enterprise mobile behaviour that revealed a few things scary enough to send any network manager screaming for automatic lockdown.
35 per cent will scan the license agreement when downloading an app, but don’t pay very close attention to it or to what data or services they are giving the app permission to access on their device
29 per cent are very likely to open a text message from an unknown sender on their mobile device
25 per cent are somewhat likely to open an e-mail from an unknown sender on their mobile device
77 per cent don’t use third-party mobile security software on their mobile device
44 per cent would place greater value on the hardware than the data if their smartphone was lost or stolen