Mobile phone security policies give IT some control over the influx

There's no turning back mobile devices' invasion of the enterprise. CIOs need to put mobile phone security policies in place to control these uninvited guests.

Whether IT departments like it or not, employees are bringing their iPhones and iPads, Android-based devices and BlackBerrys into the enterprise. If you can't beat 'em, join 'em -- the onus is on IT to establish mobile phone security policies to control the proliferation of smart mobile devices.

"Execs are gadget geeks," said Wes Baker, virtualization architect at Jewelry Television Inc. in Knoxville, Tenn. While executives have been after their IT departments for years to provide mobile devices, rogue rank-and-file employees increasingly are transferring work data onto a portable format that frees them from the office, he said.

And who can blame them, when the Internet and its satellites make it possible to tick off to-do lists on the run? Or on the walk to work? Or while walking the dog? "People want to be productive," said James Ainslie, chief technology officer at SMMT Online (Pty) Ltd. in Johannesburg, South Africa. "In today's economic climate, people can't afford to be separated from their information."

Rapid sales of mobile devices demonstrate people's desire for the freedom to work wherever they want. Users purchased 325.6 million mobile devices in the second quarter of 2010, a 13.8% increase from the same period in 2009, according to Gartner Inc., an analyst firm based in Stamford, Conn. Smartphone sales in particular are through the roof, having increased by 50.5% in the second quarter of 2010 compared to the second quarter of 2009. Smartphones now account for 19% of worldwide mobile device sales, Gartner says.

Historically, IT departments have refused to treat Apple Inc.'s iPhone as a viable mobile device, choosing to deploy Research In Motion Ltd.'s BlackBerry as the gold standard for mobile phone security, according to Forrester Research Inc., an analyst firm in Cambridge, Mass. Version 3.1 of the iPhone operating system, however, provides enough security features that most enterprises can use the devices safely and securely, according to Forrester analyst Andrew Jaquith.

In a recent report, "Apple's iPhone and iPad: Secure enough for business? Better security options allow enterprises to finally say 'yes'," Jaquith noted that 29% of North American and European enterprises support the iPhone, and by extension, the iPad. "Consumer-grade portable devices, such as Apple's iPhone, the iPad and smartphones running the Android operating system, have become increasingly feature-packed, powerful and portable," he wrote. As a result, enterprises are looking to deploy mobile devices strategically and embrace the ones that are showing up uninvited. In the past quarter, for example, he spoke with three mutual fund and wealth management firms that want to issue iPads to field sales and marketing personnel.

To properly support such mobile devices as smartphones and iPads, Forrester recommends seven security policies for every enterprise to institute, and higher-assurance security options for highly regulated organizations. At a minimum, companies should require email session encryption, and should be able to wipe devices remotely if they are lost or stolen. Forrester also suggests that IT departments protect mobile devices with a passcode lock using a five-digit PIN, and autolock devices after a period of inactivity. For higher-assurance security, enterprises can require stronger unlock passcodes to achieve National Institute of Standards and Technology Level 2 authentication assurance, and consider hardware encryption.

Most importantly, IT departments need to state clearly that they can confiscate personal mobile phones in the event of a legitimate investigation, Forrester advises. Having personal devices on company networks can pose difficult legal challenges if expectations are not set, particularly in the European Union. People can combine personal and work email accounts on one mobile device, and employees who bring their own devices to work may not be comfortable with the IT department remotely wiping everything on them.

Because BlackBerry Enterprise Server policies can prohibit software installation by employees, and control which applications can run, high-security enterprises will stick with BlackBerrys, the Forrester report predicts. Enterprises might choose to allow lower-risk, task-based workers to use the iPhone, but for most or all of their smartphone needs, they will stick with the tried-and-true, time-tested BlackBerry solution they already know.

The world is going mobile faster than anyone thought it would, experts say, and mobile phone security is on the front burner. With the right policies in place, employees can take advantage of powerful and secure smartphones to become more productive away from the office.

Let us know what you think about the story; email Laura Smith, Features Writer.
