The obvious downside to corporate use of mobile devices is that it makes the whole process of network management and security significantly trickier.
Throwing mobile phones, smartphones, PDAs, laptops and even iPods at corporate networks has changed the game irrevocably from the good old days of desktop PCs connected over a LAN.
Pity then the hapless IT manager who has to safeguard a network teeming with potential vulnerabilities while also having to deal with the loss or theft of devices and the information they contain.
With such a situation in mind, ZDNet.co.uk has come up with some top tips to give IT managers a fighting chance when it comes to mobile security.
1. Take time to identify and assess the risks
While you may be getting sick of hearing the endless mantra around the need for risk assessment and management, there really is no substitute for it. The reasoning is simple: if you don't know what your risks, threats and vulnerabilities are, you cannot guard against them or target resources where they are needed most.
But you don't have to get bogged down in a huge, formal, multi-month project, requiring streams of consultants and thousands of pounds. Such initiatives can instead comprise an informal, high-level discussion with the business as to what the key priorities and concerns are, followed by a gap analysis to understand whether existing processes, policies and technologies are up to the job. It is important to formally capture and document the results, however, to prevent anything from falling through the cracks.
2. Regularly update security policies as new technologies are introduced, and ensure that they're enforced properly
If you haven't already come up with a set of comprehensive and documented security policies, then it's really about time you did, because these act as the foundation for everything else. At a basic level, they illustrate to users what you've decided are right and wrong behaviours and how you think they should and shouldn't be doing things. Policies should also make it clear who in the organisation will get a mobile device, how they can be used, what network access will be available to whom and how the policies will be enforced.
It's no use just keeping these policies in a drawer and expecting everyone to know and understand them by telepathy; they have to be publicised and people have to be made aware of what they mean in a day-to-day sense, so they shouldn't be filled with technical jargon and they have to be explained.
However, it's also no good spending time and effort coming up with such documents if you don't put the mechanisms in place to police compliance and act if someone, even if it's the boss or one of your colleagues in the IT department, is in breach.
3. Ensure that staff are adequately educated and trained so that they know how to minimise security threats themselves
Although it may seem to be the case sometimes, the majority of personnel don't maliciously go around trying to put the company and its sensitive corporate data in jeopardy. It's more likely that they'll do something stupid, inappropriate or careless and you'll have to pick up the pieces.
Staff consistently prove to be the weakest link in the security chain and the only solution is to educate and train them adequately and appropriately — ideally when they're first recruited into the company so that they're aware from the outset of what key security issues exist and what is accepted best practice. The idea is to guide them towards making the right decisions, which can go a long way towards solving the problem.
4. Focus on securing data not devices
According to a survey by Rhetorik Market Intelligence of 371 UK-based organisations of all sizes, nearly two-thirds saw data loss as a very important threat, while only 42 percent considered the physical security of the devices themselves to be a very high priority.
Those figures make sense when you consider that it's information that makes the world go round. Losing devices can be expensive, but the organisation is unlikely to grind to a halt because of it, whereas it might if sensitive data gets out into the public domain.
A worthwhile security control in this context might be encryption software to secure information on the devices themselves and make it more difficult for unauthorised users to view that information in the event that things go walkabout.
Another option is to ensure that users employ SSL-based virtual private networks (VPNs) if trying to access any system on the corporate network. And, if you're feeling flush...