Desktop and laptop use policies are mature in the enterprise, but IT must have an entirely different approach to smartphone policy.
Mobile devices frequently operate in locations beyond the corporate network perimeter and access various public networks. Because IT departments are responsible for securing the business data on users' devices, they should determine the optimal smartphone policy to support their mobile users.
For example, IT professionals can use enterprise mobility management (EMM) to secure mobile data and restrict user actions, even when users connect to networks beyond the organization's intranet.
Shaping a comprehensive smartphone policy
IT professionals can easily block users from accessing inappropriate websites and content while users are on desktops in the office, but mobile carrier networks impose very few restrictions. Smartphone users can often access anything by simply disabling Wi-Fi on their devices when they are in the office. When smartphone users work remotely, it's even more difficult to enforce content restrictions.
Mobile devices carry a wealth of personal and business information, so the reward for a hacker who compromises a mobile device is significant. Mobile devices also present a larger attack surface than traditional desktops; they are vulnerable to attacks from many different angles.
When IT professionals formulate a smartphone policy for their organization, they should be sure to consider the following questions:
User device models
Will their organization support different device types and OSes? Will there be a minimum version of the OS or OSes? What authentication method should IT pros enforce? What other devices can the user connect their mobile device to? Will the policy permit removable storage?
Will there be a separate policy for BYOD or VIP user groups? Will IT permit personal use of corporate devices? For BYOD cases, will IT store corporate data in a container? How will IT safeguard user privacy? Will IT have control over all mobile apps or can users install their own? Can IT pros or users run a factory reset on the device?
What are users able to access when using the corporate LAN? Do the controls over mobile traffic reflect the same restrictions? Can users join any Wi-Fi hotspots they encounter?
Who pays for the device, the calls and the data? If the organization pays, is this by allowance, stipend, expenses or does it receive the bills directly? How much data and how many calls can users make? Is there an allowance for personal data and call use? How will the organization handle overages on data and call minutes?
Will the organization need a mobile threat defense tool? Will this tool also have access to BYOD devices? If so, will IT need to formulate different policies for the tool? What is the procedure for threat remediation?
Regulation and support
Do regulations require recordings and logs of users' calls and messages? Is the organization subject to data retention regulations? What level of device support is the organization prepared to offer its users, and what are the limits of that support?
Smartphone policy in context
A more comprehensive list of smartphone policy questions could include at least 20 additional issues to consider, but not all of these questions apply to every organization.
Whether the user or the employer pays the bill varies from organization to organization, but what's most important is that both users and the organization are aware of the policy's implications before any incidents arise. Likewise, users can accept varying degrees of privacy, but it will always cause issues when IT has more device surveillance than the user is aware of. If both sides agree to a clear policy, it greatly reduces the chances of friction.
A smartphone policy is only as good as its practical enforcement. If IT professionals want to restrict access to third-party stores, they must ensure that their EMM prevents this access. IT must apply the same principle to web browsing policies. If an organization's policy states that users can't install their own applications, then IT must ensure users have every application they need to effectively complete their work.