Smartphones share many of the same risks of laptops and are easier to lose. Ajit Arya, deputy CIO for Arlington County, Va., supports both BlackBerrys and iPhones and is working to tighten its policies for managing them. "We have taken some basic steps," he says. For example, one recommended best practice is to require passwords. So far, the county has told employees they can set passwords but has not tried to enforce it as a requirement, Arya says.
The storage capacity of smartphones is growing--and vulnerable. "Your corporate secrets are at risk and will be for a long time," says Jonathan Zdziarski, author of iPhone Forensics. Zdziarski says these phones typically leave deleted information in a recoverable state. And some phones now pack gigabytes of storage. Arya says Arlington County addresses this with the ability to wipe phones clean by remote control if they are lost or stolen.
Wiping data remotely may not be sufficient. Zdziarski says an information thief can prevent the data wipe command from getting through simply by pulling out the Subscriber Information Module--or SIM card--that mobile phones require for network access. He recommends routinely pruning the data stored on a phone with iErase (for the iPhone) or Data Wipe (for the BlackBerry) to prevent months worth of corporate e-mail and other data from accumulating on the phone.
Smartphones need to be managed like PCs or laptops--a recurring theme in Gartner analyst John Girard's list of "10 Smartphone Security Failures You Want to Avoid." "Companies that do not run a configuration management process will be unable to ensure that their phones are up to date on OS, application and security patches, synchronization and any other desired company policy," he writes.
You need a plan for managing smartphone diversity. Girard recommends establishing one or two devices for full corporate use and possibly a second tier for minimal access, such as e-mail only. Many organizations wind up providing "concierge" services to a CEO or other big shot who insists on using a nonstandard device. Just make sure those who force such exceptions are willing to pay the additional costs for networking and support, Girard suggests.