Computerworld - I like to think that not very many things can surprise me. But recently I got a big surprise that seemed to come out of nowhere, and it wasn’t that I had won the lottery.
The IT department let me know that the help desk had been asked to install client software that would allow e-mail to synchronize with upper management’s new smart phones.
Upper management has smart phones? Why didn’t anyone tell me that earlier?
My fault, really. We don’t have a specific security policy for mobile devices. Of course, we hadn’t needed such a policy because this state agency has never been all that mobile. It just goes to show that you can never be too prepared.
Had a policy been in place, we could have avoided what has turned into a security problem that’s hard to fix because upper management has a vested interest. We could have avoided the problem by setting requirements for devices like smart phones that would have satisfied my security concerns. With no policy in place, managers got what was cheap, with no real clue about what the security implications might be.
And what are those implications? For starters, these smart phones require client-side software that hooks into Microsoft Outlook, and for synchronization to occur, it seems that the user’s PC has to be left running with Outlook open.
The list grows from there. E-mail transfers aren’t encrypted. The phones aren’t password-protected. They can’t be managed remotely so that data could be wiped clean if one were lost or stolen.
But the worst thing of all, from my perspective, is that e-mails are cached on the Internet service provider’s servers for up to seven days. That particular feature lets smart-phone owners access their e-mail via the Web.
That’s a big security hole with dubious benefits. I mean, if you can get your e-mail at work or home and you are traveling with a smart phone, why do you need another alternative? We talked to the ISP’s representatives and told them we did not want e-mail cached on their servers. Their answer: “That’s the way it works.” I was striking out.
I told my boss about my concerns, but he said management wanted smart phones. You can’t really argue that point, but I wanted to document the risks we were opening ourselves up to, so that management would know just what was at stake.
Meanwhile, I started to explore the idea of upgrading to phones that would meet my security requirements. Yeah, it could be done — at twice the price. Is this some vendor plot?
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
