More and more businesses are allowing the use of mobile devices for business purposes. Mobile/portable devices used for business are not only laptops and smart phones, but include devices such as meter readers, bar code scanners, medical devices and PDAs. Most of these devices communicate remotely using Wi-Fi, Bluetooth or cellular communications. They can also contain a variety of sensors and mechanisms such as microphones, cameras, radios and GPS systems. Just looking at this list of capabilities, it is obvious that mobile devices can be very dangerous to the security of private business information.
Whether these devices are the property of the individual user or are issued by the business, robust security mechanisms must be maintained to provide any sort of proper data protection. That means designing and implementing both mobile device security policies and technical security mechanisms.
Mobile device security policies should address the responsibilities of both the hosting organization and the individual users. The hosting organization is responsible for determining what types of mobile devices are acceptable in its environment, which individuals/job types should be allowed to use them, which individuals will implement and oversee the program, proper training programs for providers and users, acceptable and unacceptable use of devices, security and monitoring techniques, and discipline measures for failure to comply. It should also ensure that mobile device use is included in its incident response and disaster recovery programs.
Technical security measures may vary according to the types of devices in question and how they are to be used. On the less dangerous side are personal mobile devices such as smart phones used by individuals for tasks such as web surfing and social media. To protect their information, the organization should set up separate networks for such use that in no way connect to their production networks. They should employ security mechanisms adequate to protect the network and users, and should ensure that users understand the acceptable and unacceptable uses of this privilege.
On the other side are those mobile devices that are used for processing, storing or transmitting private business information. Use of these devices should employ security mechanisms commensurate with those used on the internal network. There are many mobile device management (MDM) solutions out there designed to aid businesses in this endeavor. However, ultimately, information security is the responsibility of the organization itself, not the managed services or application providers. Because of this, those executives and line personnel responsible for the program should have a clear understanding of the capabilities of the mobile devices and security solutions that are available, and of the particular functions that mobile devices will perform in their environment. To be sure that your business is getting this right, I suggest taking the time to research the devices and security solutions available, followed by a risk assessment and business impact analysis. Like a good pair of shoes, they should be a perfect fit!
If you have any questions or comments, or would just like to talk more about it, you can reach us at firstname.lastname@example.org.