Smartphones Need Smart Security

Yes, it's 'blue and plays music,' but that cute smartphone is also a serious computer that must be secured

Page 3 of 4

Girard also believes it's important to set devices to time out after periods of inactivity. He recommends setting inactivity timeouts at one to five minutes for devices with high-value information, no more than 10 minutes for those with medium-value data and no longer than 15 minutes for those with low-value information. To resume using the device, employees should have to re-authenticate by entering a strong password.

That's easier said than done. "Because it's mobile, people think it's supposed to be easy, and they resist having to type in a seven- or 12-digit code," Girard says. "But you can't just have a four-digit code, because there's a very real chance of someone observing you typing it in."

Girard has also had clients who allow more than 10 password retries before deactivating a device. That's a highly questionable policy. "Even if you're drunk, you should be able to get in after that many tries," he says.

Christopher Barber, CIO at San Dimas, Calif.-based Western Corporate Federal Credit Union (Wescorp), supports two devices, the BlackBerry and Apple Inc.'s iPhone 3G. The iPhone runs e-mail and a relationship management application used by salespeople. To secure the iPhones, Barber set up a standard security profile that includes all the safeguards he wanted, with Microsoft Exchange Server pushing it out to the devices.

He uses RIM's Enterprise Server for the BlackBerries. Security features include strong password protection, encryption and remote kill capabilities.

Data out the door

"Our biggest concern with any smartphone is [that] it acts as a storage device," Barber says. "Users can plug it into the USB, download company files and walk out the door with them." With the global profile, however, he can enforce password strength and encryption, so even if users do put sensitive data on a portable device, there is a reduced chance of someone else accessing it if the phone is misplaced or stolen.

Taking a centralized approach to encryption is key, Girard says. All the well-known vendors have an encryption feature for their phones, "but unless the company takes enterprise control, it's strictly optional," he says.

But Barber says that securing smartphones is a matter of managing risks, not covering every base. He says he recently saw a YouTube video of someone who used a hacking program to break into an iPhone that was password-protected and encrypted. He also says the iPhone's removable SIM card is a vulnerability: if a thief removes the card, the phone can't connect to the corporate network and so won't receive a remote kill command.

To offset this risk, Barber relies on a combination of policy and education.

"We train everyone not to put sensitive data on the iPhone," he says. In the future, he hopes to back that up with data loss prevention technology, which would monitor data being moved into an e-mail attachment or USB drive. "We're as comfortable as we can be, but there's always risk."

At Windsor Foods, Henze has also gone the centralized management route, using MobileIron's Virtual Smartphone Platform. The decision was based on his desire to manage not just security from one platform, but also carrier contracts and deployment. In addition, while he has standardized on Windows Mobile devices, he wanted to be sure he wasn't locked into that decision. MobileIron supports BlackBerries and iPhones and plans to support Symbian and Android devices.
