July 31, 2009 • Vol.31 Issue 20
Page(s) 26 in print issue

Personal Smartphones In The Enterprise
Where Do Non-Corporate-Issued Gadgets Fit Into Network & Security Plans?

Key Points

• You can try to prohibit non-corporate-issued smartphones from accessing the network, but you might be better off allowing them and working with employees to make sure that all phones that access the network are secured.

• Smartphones are as powerful as the first laptops, and the same security concerns apply when allowing them to access the network: Make sure they’re password-protected; their data is encrypted; and they’re protected from viruses, malware, spyware, and snoopware.

• Just because you allow smartphones to access the network doesn’t mean you have to allow them to access all of it.

BlackBerrys, iPhones, Windows Mobile phones, and other smartphones are becoming more common all the time. Employees are using them to check their work email, to browse the Internet, to access the company network, to use applications, and for other work functions.

The productivity to be gained from this is unmistakable, but the hazards have gone largely unnoticed at many companies. Until now, some companies that were aware of the hazards managed the problem by issuing smartphones to employees so that IT departments had control over how they were configured and used.

But not every company can afford that kind of control anymore. In fact, some companies are cutting costs by refusing to provide work phones at all. So how should an enterprise handle the growing use of all these phones, not issued by the company, that are connecting to the company’s network?

Mounting Security Concerns

Symantec estimates that there are half a billion smartphones in use today, and in a few years, there will be more than the estimated billion PCs in use. Khoi Nguyen, group product manager for the Mobile Security Group at Symantec (www.symantec.com), says that the smartphone segment of the cell phone market is growing phenomenally; last year, the number of smartphones grew by 22%, compared to 7% in the ordinary cell phone market.

These devices make a fine avenue right into the heart of the company, but they aren’t being appropriately secured. “Surveys conducted by Symantec indicate that 80% of companies allow smartphones to access the network and store data, [and] less than 25% of them do anything to secure them,” Nguyen says.

Additionally, hackers have realized that this is a big playground with no monitors, and they’re beginning to target smartphones. Spyware and snoopware, the next generation of spyware that specifically targets smartphones, let hackers track the keystrokes and Web sites that smartphones are using, and the more devious forms of this software can let them activate the phone’s microphone, camera, or video camera so that the hacker can monitor the user’s conversations or even sneak pictures or video of the user’s environment.

Worse, those same hackers could get access to databases, applications, and other stored information anywhere on the company network once a zombie smartphone is used to access the network. And even ordinary viruses, once accidentally downloaded by the smartphone or through attachments to text messages, can merrily trot from the phone to the network. “A phone is like a flash drive,” says Chris DeHerrera, mobility architect for Enterprise Mobile in Watertown, Mass. (www.enterprisemobile.com). “It can store either good information or bad, and although it doesn’t get infected itself, it provides the transmission route for the network to get infected.”

If You Can’t Beat Them, Join Them

Some companies are getting around these problems by allowing only phones that were issued by the company to access the network. But there are two things wrong with that plan. One is simply that it will annoy employees who want to be more productive.

The other is that they’re likely to find ways to go around you. “No matter how hard you try to forbid it, employees want to work with mobile devices,” says Rene Poot, international systems engineer for NCP Engineering in Nuremberg, Germany (www.ncp-e.com). “It’s similar to wireless technology a few years ago, when people used it despite companies’ concerns about security. Eventually, companies decided that its usefulness outweighed the security risks.”

When your choices are to limit productivity or to let yourself be vulnerable to rogue users who circumvent your security requirements, it makes more sense to partner with employees who want to use their own smartphones on your network. Like most tech issues, this is more of a people problem, and you can solve it by educating users about the security threats their phones pose. “You need to make them aware that as soon as they start using their phone for work purposes, losing that phone becomes a major potential security breach for the company,” says Hal Steger, vice president of marketing for Funambol (www.funambol.com). “They need to understand that it’s like losing a company credit card or the keys to the office.” They also need to understand that losing a smartphone that has connected to the network is just as bad as losing a laptop.

Protect Your Network

There are other steps you can take to make sure that non-corporate-issued smartphones don’t pose a threat to your company network.

Security software. Part of that education can be asking or requiring employees who use their smartphones to access the network to use security software on that phone. Security suites provide features such as encryption, antivirus, firewalls, and other essential protections. Some can even be set up so that phones are required to have a firewall active before they can connect to the network. “It’s like a device pat-down,” Poot says. “If you don’t comply with security requirements, you can’t proceed, just like passing through TSA at the airport.”

Password protection. Most smartphones and their operating systems have the ability to set up the phone to be password-protected. Again, this is something you can either suggest strongly or outright require. “It doesn’t fully protect the phone, because a more technically advanced person can crack open the phone to read the memory directly from the memory card,” Nguyen says. “For that reason, you need to pair password protection with encryption, which sometimes comes built into the phone and sometimes requires third-party software.” That means encrypting not only data that streams back and forth between phone and network but also data that is stored on the phone, which not all phones are able to do.

Enable remote wiping. If a user loses his or her phone, remote wiping allows the data on that phone to be erased from the office.

Disable unnecessary features. “Security is inversely related to functionality, which means that the more features on the phone, the more risks there are,” Nguyen says. For example, you can require users with Bluetooth to disable the broadcast mode so that others can’t discover and attack that phone via Bluetooth.

Give smartphones only partial access. You don’t have to allow phones free-range access to the network. Set policies so that certain databases, applications, or documents cannot be accessed by phone. That way, even if an employee loses his or her phone, only a limited part of the network will potentially be in harm’s way.

by Holly Dolezalek


Biggest Issue To Consider: Employees’ Security Measures

Smartphones need the same kind of protection that PCs and laptops need from viruses, spyware, snoopware, and other threats, but it can be difficult to manage devices that are not corporate-issued, so employee cooperation is key. Ask employees to keep their phones safe by:

• Password-protecting their phones at startup.

• Encrypting their data.

• Avoiding storing passwords on the smartphone. For example, if they use an Internet-based email account or banking applications, remind them they should uncheck any “remember me” boxes, as leaving them checked will allow a hacker to capture the password or someone who finds the phone to access the account easily.

• Being careful of Bluetooth settings. They should disable the broadcast mode and encrypt their Bluetooth transmissions.


Copyright © by Sandhills Publishing Company 2010. All rights reserved.