Your Phones May be Smart, but are They Secure?
There was once a day when you were considered kind of cool if you had a smartphone or BlackBerry; it was an honor typically reserved for executives. How the times have changed in just a few short years. Now, everywhere you look, someone is using a smartphone. That’s a good thing, as it’s improved anytime, anywhere communication by making us more in touch and accessible. On the flip side, there are some serious risks that companies face when incorporating smartphones into the corporate environment.
The most serious concerns are related to connectivity via email, Web, SMS and enterprise applications. This, combined with the ever-increasing local storage capabilities and 3G/4G speeds on smartphones, increases the potential for exposure of sensitive, confidential and legally protected data. On top of that, most users are not incented to comply with security policies before they are allowed to connect to email. Finally, lost or stolen devices that have sensitive data can be compromised, and most phones do not have any encryption capabilities on them or on their memory cards.
Despite these concerns, companies continue to add more and more mobile phones as time goes on. There has also been a noticeable shift in corporate phone policies in recent years. Previously, most companies provided their users with specific phones, usually based on one operating system. Now, many companies are allowing users to go and buy whichever type of phone they prefer. This change proves that businesses don’t feel that they can slow down and wait for smartphone security technology to keep up. Executives and IT gadget hounds are swapping up to the latest and greatest phone platforms faster than their security administrators are able to add corporate network support and safeguards.
While productivity outweighs the risks for many of the organizations that we work with, we are starting to see more and more smartphone companies keep pace with the new code being released on the mobile OS platforms. That’s good news from a security perspective, but it is a cat-and-mouse game, and there is always a lag between when a new OS release comes out and when the proper security mechanisms catch up. There are also plenty of actions that IT can take to securely integrate these devices. An important first step is to develop mobile security and acceptable use policies. Next, we recommend the IT team perform user awareness training with employees, a step that is often overlooked. Another best practice is to implement a safeguard technology for the smartphones that will protect the organization from risk related to exposure of legally protected data, loss of critical intellectual property and non-compliance with business-critical regulations. Fortunately, there are enterprise solutions that provide numerous security enhancements to the disparate list of phones in use by most organizations.
Accuvant works with many smartphone security vendors that provide a single console to manage smartphone protection across these disparate platforms, such as iPhone, Palm OS, Symbian, Android and Windows Mobile. It is best to deploy a solution that can manage and support smartphone security and connections with a complete over-the-air (OTA) environment (with no connection to PCs or local networks required) for enrollment, provisioning, reporting, policy control, self-service user portals, on-device encryption of all enterprise data, and kill pill capabilities that remove only the enterprise data on the device, along with help desk and recovery from lost passwords.
Are you losing any sleep over your organization’s smartphone security practices?