Two of my co-bloggers -- Wayne Rash and Sue Marquette Poremba -- take on smartphone management and security at CTO Edge and here at IT Business Edge, respectively.
Wayne highlights the many moves of the past few weeks, which include, but in no way are limited to, the Google/HTC Nexus One. He suggests that more employees will be willing to use these slick new machines on the job. He discusses some of the ramifications.
Security is foremost in Sue's mind. She rightly points out that the inclusion of a browser makes smartphones highly functional -- and susceptible to viruses and other malware floating around the Web. She points to smartphone policies from Abilene Christian University and guidelines on cell and PDA security from the National Institute of Standards and Technology (NIST). Sue concludes that companies must also pay attention to Bluetooth and Wi-Fi security.
My colleagues did good jobs. One of the truisms of security is that any safeguard that requires the end user to do anything, to take any proactive step, is flawed. The goal is to have security set at its highest as the default position. Achieving this is less likely as devices grow in complexity and as ownership shifts to the workers.
Sending folks out the door with powerful computers in their pockets is problematic, even under the best of conditions. Folks won't do what they are told, or even what they agree to do. They always will opt for the easy way, even if it means putting the device and the organization behind it at risk. This problem will be multiplied if the worker owns the device.
The upsides of having employees use their own devices may be canceled out by the negatives. Employees will sign off on policies that they don't fully read, understand and/or take seriously. Rightly or wrongly, they will be furious when certain provisions are put into effect. It also is inherently more difficult to build a comprehensive management structure around employee-owned devices, since they lack the uniformity of the devices the company issues.
The other problem -- and one that is even scarier -- is that employees use devices on their own without company knowledge or sign-off. This wasn't too big a problem before corporate reporting requirements skyrocketed, when people mostly used devices to talk. But those days are over, and ad hoc use of devices puts data at great risk. The fact that a company doesn't know that a device is being used doesn't indemnify it from any Sarbanes-Oxley, HIPAA or other violations that occur.