Cyber Security Institute

Friday, August 20, 2004

Managing and Securing Mobile Devices

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks.  Forrester says now is the time for IT to take a more active role in such management.

Where a limited support policy was appropriate two years ago, IT must now take on a much more active role in provisioning, supporting, and managing mobile devices.  Because many employees use their own devices to store company information or otherwise ignore company mobile usage policies, companies often don’t have control of the devices, what information is stored on them, or how the information is protected.

Unmanaged mobile devices represent one of the most serious and often overlooked security threats to the enterprise.  As several incidents over the past year demonstrate, the risk of information loss or theft from laptops, PDAs, phones, converged devices, and tablets is increasing rapidly.  Organizations should balance the growing requirement for mobility with sensible policies on mobile usage and security, along with technology to enforce the policies.

While more organizations have mobile policies than two years ago, comparatively few companies have invested in technology to manage and protect the devices.  The proliferation of laptops, PDAs, and other mobile devices in the enterprise, coupled with the explosion of wireless connectivity options, has led to significant support issues and security risks.  Mobile devices are vulnerable to theft and loss, with most companies budgeting for a 20% or higher loss and failure rate for PDAs.

While the cost of replacing the devices is relatively insignificant, more and more users store sensitive information on the devices.  Additionally, mobile devices can introduce viruses or worms to the corporate network. 

Based on a recent Forrester survey, only 9 percent of companies have deployed mobile management tools; another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months (see Figure 1 on source web page).  This report will outline both the challenges posed by mobility and the steps companies can take to manage and secure the devices.

Many of corporate IT’s challenges regarding provisioning and supporting remote workers, including predominantly mobile or untethered ones, can be resolved by articulating - and periodically revising - a formal written corporate mobile usage policy.  If the company is not willing to set and enforce standards, the costs and risks associated with the mobile device population could quickly spiral out of control.

Managing and Securing Mobile Devices: Best Practices

Mobile Usage And Security Policies

- Be convenient and easy for the user to follow.
- Balance productivity requirements against security and costs.
- Vary by the users’ roles and type of information they handle.
- Specify how users should synchronize information with mobile devices.
- Include guidelines for data usage and transfer.
- Summarize proper use and care of company-owned or -supported mobile devices.
- Have a definition of corporate standards for hardware selection.
- Outline standards for support of employee-purchased equipment.

Communication and User Education

User education is also critical.

- Give users some accountability.
- Make it clear what is at stake, including the user’s own information.
- Give users the necessary tools and easy means to secure the devices.
- Raise awareness by demonstrating real security risks.

Selecting Mobile Management and Security Tools

- Asset discovery to identify and track devices on the network.
- Synchronization tools for PIM, email, or enterprise data.
- Password policy enforcement.
- Remote device kill for any PDAs, laptops, or tablets with potentially sensitive data.
- Client firewalls.

Forrester Recommendation: Take Immediate Steps to Secure and Manage Mobile Devices

Posted on 08/20