Mobile Security 101: An Executive Guide to Mobile Security
- — 20 November, 2008 12:09
- Where do I start when securing mobile devices?
- Who is responsible for device security?
- What security do mobile devices need?
- For the mobile devices I do need, isn’t password protection sufficient?
- So how do I secure the data itself?
- How do I manage passwords and encryption across the devices?
- I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?
Who is responsible for device security?
Ultimately, the CEO is responsible for the loss of secret information, such as competitive data, trade secrets or customer information. In practice, the buck stops with the CSO or CIO, depending on your organisational chart. Meanwhile, network administrators, client management leads, department heads and individual users share implementation responsibility. The CSO or CIO should set the policies as to what data may be stored on mobile devices, what level of protection is required for different types of data, and what access to internal systems various mobile devices may have. Often, these policies are part of the overall data management and access management policies that cover desktop users and remote users.
The network administrator and IT chief responsible for client management typically choose the tools to ensure that password, VPN, access control and malware-protection requirements are met. They may also determine which types of mobile devices are authorised for use with company data and services, based on the level of security they can enforce on the various devices. Business managers and users are responsible for following these policies, and for not trying to work around the policies by using personal devices with forbidden company data and services — an easy temptation when you already have a PDA, iPod, smart phone or USB drive and see no harm in using it for work purposes.
What security do mobile devices need?
Some mobile devices — particularly laptops — have a clear set of risks, since they are portable computers that can store valuable data and include applications that access your network and enterprise resources. A stolen laptop can be a treasure trove of critical data as well as an easy conduit into your enterprise’s systems. But other devices — PDAs, smart phones, iPods and USB “thumb drives,” for example — that seem innocuous can also expose your company’s data or provide outsiders access to your systems if not properly secured.
Some of these security threats are handled at the network level — such as requiring the use of authentication and VPNs for remote access into corporate systems — for PCs, laptops and handhelds alike. Some of these security threats are part of your client management tools, such as password policy enforcement and malware detection. But mobile devices typically need extra protection of the data they store, in the form of encryption, so a lost or stolen device can’t become a treasure trove for data thieves. (And most states require that companies report any loss of unencrypted data involving consumers’ private information, a disclosure that is not only costly to execute but even more expensive in terms of lost trust.) In some cases, mobile devices may need extra protection such as the use of hardware-based authentication tokens so a thief can’t access your enterprise network even if he discovers the user’s password.