The latest and greatest tablets and smartphones may be a boon to end users, but for many IT managers, they’re a bust. That’s because simply tracking all the devices employees are using can be difficult, and trying to plug yet another entry point for hackers and malware can drain dollars and use up technical resources needed to address mobile computing security issues.
Fortunately, as mobile computing devices become ubiquitous, best practices are emerging to keep these devices manageable and secure. Here are three fundamental problems organizations face and the solutions for fixing them.
1. Anything goes for mobile computing management?
Problem: End users have strong personal preferences about the types of mobile devices they want to use, making it hard for companies to standardize on specific models to ease maintenance and support headaches.
Solution: First answer a basic question. Should the organization force everyone to use one or two approved models of tablets or smartphones, or is it better to yield to a variety of individual preferences? Strict standardization mandates may work with desktop PCs, but they’re harder to enforce for handheld devices. For example, a study by IDG Research Services in Framingham, Mass., found that end users are wielding more influence over IT departments when it comes to decisions about new technology acquisitions.
Adding to the challenge is that end users may simply circumvent corporate standards and bring their personal devices to work, which further lessens a company’s control over its infrastructure.
Rather than looking for one-size-fits-all solutions, experts say managers should develop mobile computing policies that address a variety of considerations -- the safety of the organization, user productivity and what’s realistic to enforce. To come up with those answers, some organizations appoint steering committees with a cross-section of employees, ranging from the technical staff, business department heads and security experts to the end users themselves.
Key policy decisions include: What’s a practical number of hardware and software platforms to support? Who’s responsible for support if someone uses an alternative platform? What level of oversight is acceptable so IT can monitor the flow of corporate data to mobile computing devices?
2. Plugging mobile computing security leaks
Problem: As the line between business and personal devices blurs, it becomes difficult for organizations to keep sensitive business information safe on devices that are regularly used outside the confines of the corporation. Making matters worse, hackers are eyeing the potential of mobile devices. Malware, such as Zeus/Zbot, Limbo, Torpig/Mebroot/Sinowal and SilentBanker, poses increasing risks to organizations as workers combine mobile devices for personal and business uses, according to the RSA FraudAction Research Lab in Bedford, Mass.
Solution: New security technologies are making it easier to manage and protect mobile environments. “I recommend looking at some of the centrally managed applications out there that can address security across multiple platforms. It's the only way you're going to gain any semblance of control,” said Kevin Beaver, founder and principal information security consultant with Principle Logic LLC, based in Atlanta.
Known as enterprise mobility management (EMM) products, these applications help organizations track mobile devices as well as related applications and security policies. The tradeoff: The new, centralized monitoring tools mean additional costs for IT departments and risk making IT look like Big Brother to users.
Data-encryption technology can act as another important gatekeeper for manufacturers. By scrambling all the information downloaded to tablets and smartphones, encryption ensures that if the devices are lost or stolen, customer contacts and other sensitive information will stay safe from prying eyes. EMM applications can make sure that devices are encrypted according to company policies. In addition, data loss prevention (DLP) software can monitor when someone connects a mobile device to a PC’s USB port. DLP can automatically enforce policies about what data may flow out to the device and whether it should be encrypted or not.
Other safeguards include requiring users to lock down their devices with passwords and change their passwords regularly.
3. Getting control of apps
Problem: In an “app for that” world, manufacturers are hard-pressed to limit what software runs in their organizations and the impact it has on business processes. The problem may only get worse as the number of business apps rises and the programs pull data from internal business systems, such as databases for customer relationship management.
Solution: For now, a corporate policy requiring IT review and approval for each download is the best strategy. Beaver noted that the creators of some app stores evaluate the safety of apps before posting them for distribution. Other stores, however, take a more hands-off approach. “It’s like the Wild West [that] we've experienced with freeware and shareware over the years,” he said. “Buyer beware.”