There's a wide spectrum of company policies governing the use of handhelds.
On one end of the spectrum: Everyone from the CEO to the file clerk is purchasing handheld devices on his own and connecting them to the corporate network. There are no security measures, no management of user access controls. Sensitive data on the handheld is completely unprotected and accessible to whoever picks up the device.
On the other end of the spectrum: After examining the risks to sensitive company information and IT security, a company decides to just take the conservative approach and not allow handheld use within the enterprise. It waits until security for handhelds is equal to that of LAN-connected desktops. This approach limits the company's ability to take advantage of the increased productivity and other benefits of using mobile technology, but the business cannot justify the risks.
If your company is like most, it falls somewhere in the middle. But given the benefits of handheld devices, their use continues to grow. Industry analysts estimate that within the next few years, as much as 40% of corporate information will reside on handheld devices. Ironically, some companies try to compromise by initiating handheld rollouts that limit applications to just wireless e-mail and personal information managers because they think those applications are safer, when in fact much of their most sensitive information can be drawn from those sources.
Most likely, some of your workers are enjoying the benefits of portable, wireless devices to communicate more easily from the field, but your company hasn't yet gotten its arms around the security issue.
Is it better for businesses to avoid all handheld devices to avoid the risks? That would be like never leaving your home to avoid getting mugged. And there's a strong chance that employees will buy and use these devices even if they aren't company-sanctioned.
Now the good news: Offerings that enable organizations to securely use handheld devices are available today. Companies can reap the benefits of mobile devices without sowing the seeds of corporate security infractions -- IT executives just have to take the appropriate precautions to make them safe.
What is the best way to reap the rewards of empowering employees with mobile technology? Companies must appreciate and understand the benefits of mobility and create a balance between the risks and rewards.
Appreciate the benefits
The benefits of handheld devices are great -- they can enable your mobile workers to increase the speed and the efficiency of reporting. It's on the front lines where dramatic changes can happen, where your company has the opportunity to radically improve market share and profitability and provide exceptional customer service.
For example, consumer goods companies that invest heavily in the distribution of products to retail outlets can adjust deliveries based on up-to-the-minute information. Hospitals and medical schools around the country are making pharmaceutical dosing information, medical test results and patient medical records available to physicians and medical students via handhelds in order to help them make quicker, more informed medical decisions.
The key to unlocking these benefits is to develop a thorough security plan that recognizes the risks, eliminates infrastructure weak spots and minimizes the effort and inconvenience for the people using the devices.
Recognize the risks
Once a business understands the benefits of empowering employees with mobile technology, the next step is to clearly define the accompanying risks. Savvy CIOs don't bury their heads in the sand but instead take a proactive stance on securing their frontline mobile workers.
"Security is a critical and alarming issue because users can carry hundreds of megabytes of sensitive information [on portable devices], and annual global device loss and theft numbers have risen into the millions," said Gartner Inc., a technology research firm, in a May 2002 report.
The size of handheld devices alone makes them easy to misplace and an attractive target for theft. But the real threat with devices that go missing is the corporate data that resides on them. And the threat is twofold. For one thing, your corporate secrets or private customer information is suddenly out in the open. For another, there's the loss of productivity when work hasn't been backed up.
Consider the recent story about a former vice president at a major investment-banking firm who left the company and sold his handheld device on eBay for less than $20. What a bargain! Especially considering that the device still contained his entire customer list and a lot of information about the company's mergers and acquisitions. (The former employee wasn't being malicious; the device battery was dead, and he assumed that all of his information had been automatically erased.)
You may wonder, "Didn't the company have policies in place to safeguard against that kind of thing?" If it did, they clearly weren't enforced. This story illustrates several security issues.
- Corporate information residing on devices is at risk.
- Security policies need to be enforced.
- Companies need the ability to control information on handheld devices remotely, including software, settings and other data.
- Employees must be educated about the risks.
The risks are real, but the security measures exist to keep them in check -- CIOs and administrators must not shortchange their mobile workers.
But they're just checking e-mail: The risks of normal use
Don't be fooled into thinking that limited use of handhelds will eliminate the risks. Even if the devices are primarily or even exclusively for providing such applications as e-mail and personal information manager data, they can contain sensitive corporate information.
First, look at the types of risks enterprises face with mobile devices. There are a lot of variables, depending upon the type of device, the applications the user is running and the access the employee has to proprietary information. But let's consider a typical user as he goes through normal use of a handheld.
- People take these devices to do their work or check their messages or calendars outside of your company's four walls. More than a quarter of a million mobile devices are now left in airports every year. As a protection, one financial services company with headquarters in New York retains the ability to remotely lock down a device that's been reported missing or stolen.
- Mobile devices retain sensitive information that a serious information thief with computer experience could access. The same financial services company mentioned above has the capability for an administrator to completely delete all of the data on a remote device.
- Users routinely check their calendars and e-mail via nonsecure public networks. One large company traced a disastrous computer virus to a single remote user who contracted the virus through e-mail. The cost to the company from lost productivity and recovery from the destruction caused by the virus: $1.6 million.
Security solutions critical to success
Now that we have outlined the benefits and risks of mobile technology, what can be done to keep them in balance? There are five critical elements required to implement a comprehensive handheld security solution.