Chances are, your company is already managing mobile devices in some way. But, do you have any risk management policies or best practices in place? More likely, it was simply a situation where the business said, "We need this. Make it work."
I spoke with Jeremy Allen, principal consultant with the Intrepidus Group, a consulting firm that specializes in mobile security. We discussed the steps to making wise decisions about mobile device management (MDM) based on risk management and strategy.
3 Questions to Ask About Device Management
1. What data is going to be available on the devices? This means finding the level of data availability that works from both a security and a practicality perspective. Obviously it would be more secure to simply ban mobile devices from accessing the network, but that wouldn't work for most users.
"One thing we're seeing is, oftentimes organizations just don’t want to put really sensitive data on mobile devices, because of the risk. But there are a lot of things you can put on the device that aren't sensitive," said Allen. "It all comes down to trade-offs like that and understanding what the worst case scenario is when a device gets stolen, whether users will accept entering passcodes to get to email, etc."
2. Who is going to have the devices? Once you know the what, you need to know the who. Certain employees have access to more sensitive information—it might make more sense to limit network access; put more restrictive policies on the device; limit them to secured BlackBerry phones; or restrict access to corporate data, email, and applications while off site. These are all potential steps you can take.
"For some organizations, limited risk management works fine, because there aren't terribly sensitive things in their email," said Allen. "And then there's some departments, such as HR, that just might not get email on their personal device."
3. What are the potential risks vs. potential costs? Ultimately you have to balance risk vs. cost. How much could it cost your organization if a phone was lost or stolen? Contrast that with the cost of paying for employees' phones and mobile device management.
Another factor is productivity—will restricting access levels hinder productivity for highly mobile users? If so, it may be a bad idea. But if you work at a financial institution where data sensitivity is at its highest, the risks may very well outweigh the benefits.
"Let's say you take a hypothetical organization that is going to roll out 5,000 iPads. They don't want them to end up as paperweights because they locked them down so much, they aren't useful or compelling to users. You have to understand the risk involved in the platform specifically and what you want users to do with it," Allen said. "So you have to ask what data will be walking out the door every day, and can you live with the risk of that? If you can't, are there things you can do with your mobile device management strategy that can reduce the risk to an acceptable level?"
If you are unsure of how to go about making strategic decisions about risk management, or even what security policies are available to you, these would be good discussions to have with a consultant or your mobile device provider.
After the jump, we'll look at three other trends in mobile security, including the differences in today's mobile OSs, application security threats, and more.