Smartphone Security Gaps
Employees are at risk for viruses and other security breaches, so IT staff need to be just as vigilant with company-issued phones accessing the network as they are with computers.
Smartphones and other mobile devices are inside your organization, and they aren't going anywhere. And, as our Carl Weinschenk has recently reported in his blog, they aren't particularly secure.
Recent surveys have found that malware attacks are increasingly targeting mobile platforms, and that those platforms have some fairly gaping security holes - for example, many of them store usernames in plain text. That's not good.
If you are evaluating an overall mobile device security strategy for your organization, you should check out the report Guidelines on Cell Phone and PDA Security from the National Institute of Standards and Technology. The 51-page PDF is available for free download to IT Business Edge members here in the IT Downloads library.
These capacities include:
The report, as all NIST publications do, then takes a deep dive into the security threats and mitigation tactics you should consider when managing mobile devices. The report comes at the issues from the perspective of company-issued devices that are under the explicit control of IT. That may not be the case in your shop in the age of the iPad, but you're certain to find some tactics that you can employ, either through policy or management technology.
Some measures you can implement almost immediately:
Be sure that all local security measures are implemented on your users' smartphones. Before you let a user POP their email on their phone, be sure that at a minimum they have log-in and inactivity log-out activated. It's simple, but it is the first step to stopping someone who finds a lost device from casually checking out your company's private info.
Do a formal risk assessment. The migration of smart mobile devices (company-issued or otherwise) has been taken as a given for years now, but that doesn't mean that you should not quantify the risks they pose to the business. An ongoing risk evaluation might result in the business deciding to impose more strict control on devices; it might, at least, help you define a fallback position if something goes wrong.
Establish a formal smartphone use policy. Having users sign off on a contract that outlines acceptable smartphone use - and the penalties for policy breach - drives home the point that your company is serious about mobile security. It also is a vital part of a user training program, which is also a key step for making sure your mobile devices are as secure as possible.