Securing the Enterprise
Managing the challenges of mobile communications.

In the competitive global marketplace, businesses are placed under increasing pressure to have a flexible and efficient workforce that is as productive as possible and reacts to customer demands and changing conditions. The mobile phone, laptop and other small smart devices for mobile connection to corporate data all support these needs, allowing access wherever required to fit business processes. This brings its own risks, but businesses depend upon the flexibility delivered by their increasingly mobile and dispersed workforce, so must adopt a positive approach to securing their intellectual and physical assets as well as their employees.

There are many aspects which are explored in this paper in greater detail, but the following list provides a mobile security action plan for an organisation of any size that is aware of existing use of, or has plans to deploy and take advantage of, mobile technologies.

Key Findings

  • Establish sensible policy. Start with business needs, feeding them into the IT plan. Ensure that the security policy is based on good business sense that can be justified as a means of protecting the assets of the business, operating to fit within day-to-day working practices. Policy is important even when there is no current plan to officially deploy mobile technology.
  • Engage users with consultation, not prescription. Policy must be communicated throughout the organisation and implemented as well-understood business procedures. Involve users early to create trust and expect responsible behaviour in return. Demonstrate clearly the security challenges faced, the measures being put in place to tackle them, and how user responsibility plays its part.
  • Choice and amnesty. Offering some choice will generate user buy-in, but keeping it to a minimum will lower support costs. If unofficial usage of mobile devices to access corporate data is already rife, offer an ‘amnesty’ with guidelines for what is acceptable, and how it can be brought into the corporate fold, rather than simply imposing an outright ban.
  • Automate security processes with technology. Scheduled backup and data synchronisation reduce the need for manual intervention and the possibility of errors. Over-the-air updates simplify device management, ensuring that critical patches and security upgrades are deployed as soon as possible. Network dependence is a minor limitation, and is more practical and economical than having to ‘return to base’.
  • Actively engage with all partners and suppliers. Find out about default settings, available security options and future plans from laptop or handset providers and from existing network or system management software suppliers. Investigate connectivity options and limitations, and how far network operators and service providers will go in providing outsourced or hosted security services.
  • Protect the device. Antivirus, firewall and VPN software protection must be installed on every suitable mobile device, updated regularly, and include users’ own devices. Connection types with known risks, such as Bluetooth and Wi-Fi, must be properly configured. Register mobile corporate assets given to employees, and update the register whenever loss, theft or upgrades occur and when the employee leaves or the asset is returned. Ensure data removal upon termination.
  • Train before, support during. Run comprehensive training, using workshops and participation to establish best practices and etiquette that users will buy into. During and after deployment, ensure users are kept informed and updated with any changes and that they have a simple and straightforward route for getting support: one number to call, one website to visit, one email address to write to.
  • Enforcement. Policies must have consequences to be effective, and there are times when rules must be enforced. These must be clear and understood from the outset, so that violators are not surprised. As with any form of disciplinary practice, enforcement should scale according to the severity and frequency of the problem.