According to the 2012 IBM Tech Trends study, the top barrier to enterprise adoption of mobile devices (for example, smartphones and tablets) is security. Specific concerns include device loss and theft, data leakage and malware. While technology is important, it’s only a piece of the puzzle. In this post, we’ll discuss the role of strategy, policy, technology and education in addressing mobile security.
It starts with a strategy. What’s the business problem I’m trying to solve with mobile? Who’s my audience? What types of devices will they be using, and what device features will be used? How will users access my application? What are my success criteria? Having clear and concise answers to these questions will make it easier to apply corporate policy in the next step.
Every enterprise needs a written mobile policy with the terms and conditions clearly spelled out. This is particularly important for use of mobile devices inside the company. If the company already has a personal computer policy, this is a great starting point. Key questions to be addressed in the policy include: What devices, operating systems and apps are supported? Do I need a device passcode? Is there a requirement for remote wipe of enterprise data in the event the device is lost, stolen or the employee leaves the company? What applications are allowed to be used? What are the data privacy requirements? What’s the Bring Your Own Device (BYOD) policy? What’s the policy for employee reimbursement for mobile expenses? You’ll want to include IT, human resources, legal, procurement and reimbursement in the discussion.
Technology implements, monitors and enforces corporate policy. Specific technologies includes endpoint management, encryption, containerization, network access (for example, WiFi, VPN), anti-malware and authentication—just to name a few. In addition, the mobile application architecture (native, web, hybrid, virtual) and how it will be developed, deployed and updated on users’ mobile devices is critical.
Security starts with the user and with building a culture of security. Regularly educating employees on how to identify cybersecurity threats, protect corporate and client data, safeguard devices and data, and practice security incident reporting is critical.
In conclusion, I’ve provided a high-level overview of four aspects to consider when approaching mobile security. In many ways, security solutions on smartphones and tablets are immature but are continuing to improve. While you may be tempted to hold off on embracing mobile until the market matures, the risk of getting left behind or of facing a security exposure is very real.