- Where do I start when securing mobile devices?
- Who is responsible for device security?
- What security do mobile devices need?
- For the mobile devices I do need, isn’t password protection sufficient?
- So how do I secure the data itself?
- How do I manage passwords and encryption across the devices?
- I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?
- Are there other risks I should watch out for?
- What does mobile security cost to implement?
Laptops have become so inexpensive that they’re standard equipment at many enterprises. BlackBerrys are all the rage among travelling execs. Mobile phones and PDAs are merging into smart phones that allow mobile e-mail, Internet and even corporate network access, as well as the ability in some models to work on spreadsheets. Copying company data onto USB thumb drives and other removable media has never been easier. Critical enterprise information is leaking onto mobile devices whose risk of loss or theft is much higher than it is for PCs at the office.
The risk is not theoretical. According to the Privacy Rights Clearinghouse, 56 potential breaches of clients’ personal information involving laptops and other mobile devices — typically stolen or lost — have been disclosed publicly from Jan. 1 to Oct. 24, 2006, involving the personal information of at least 31.68 million people. And that doesn’t count breaches of corporate data not covered by various state breach-disclosure laws.
Fortunately, security methods aren’t theoretical, either. There are concrete steps an enterprise can take to secure the data on its mobile devices.
Where do I start when securing mobile devices?
The best way to secure company data is not to store it on client devices in the first place, advises Eric Maiwald, a senior analyst at the Burton Group research firm. If data resides on servers and within the data centre, with access permitted only over the network, there is no local copy to lose if a laptop or PDA is stolen or lost. This strategy also protects PCs in the office; after all, they can be stolen as well. While it can be more convenient for an employee to work from a local copy of data — on a laptop transported home or on a thumb drive — the high availability of broadband access and the maturity of remote-access technologies, such as laptops and smart phones, is rarely much less convenient. This approach also provides better security while still letting people work in multiple locations and with multiple devices.
Unfortunately, many companies have issued laptops as the standard PC, a strategy that undercuts security. Only employees who need to work while travelling should be issued laptops; examples include senior executives, salespeople, auditors, field technicians, some marketing staff and telecommuters. The rest can use PCs or computers at home or at satellite offices.
Enterprises that limit the use of mobile devices and discourage the use of locally stored data will still find exceptions that require local data storage on mobile devices, but these exceptions will be few and their small numbers will make them easier to manage.