Skip Links

Smartphones need smart security practices

By Mary Brandel, Computerworld
January 19, 2010 02:52 PM ET

Computerworld - As vice president of IT at Windsor Foods in Houston, Stephan Henze has to stay one step ahead of the latest IT trends. That's why he's spending a lot of time thinking about securing and deploying smartphones enterprisewide. The company had only a few-dozen smartphones just a short time ago, but IT now manages about 100 of them, and Henze foresees substantial growth in the near future.

The task of securing smartphones keeps getting hairier, Henze says, while the company's need for mobile communications grows stronger, even on the shop floor, where maintenance engineers will soon receive automatic SMS alerts on their phones.

He's not sure he can continue to enforce the company policy of supporting only Windows Mobile-based phones, yet nonstandard devices will complicate his security efforts. He is well aware that for some people, a smartphone is a fashion statement. "With PCs, I was able to tell them we're not a Mac environment, but I'm not sure I can do that with phones down the road," he says.

Henze is among a growing number of IT and security leaders grappling with the challenge of securing these increasingly popular devices. The primary concern, of course, is the risk of exposing sensitive data if a phone or removable memory card is lost or stolen. Data can also be exposed if a phone is sold or sent in for repairs without its memory first being erased.

There's also the risk that VPN-connected devices could expose corporate networks to hacker and malware intrusions. And there's a growing potential for viruses to attack the phones themselves through SMS hacks and other exploits. "If I take your device and muck around with it, what if the VPN is set up on it?" asks Philippe Winthrop, an analyst at consultancy Strategy Analytics Inc. "It's a huge risk not being dealt with enough today."

10 smartphone security risks

Here's a look at 10 common smartphone security risks, with tips for dealing with them from Gartner analyst John Girard:

1. No configuration management plan.

Tip: Responsibility for managing smartphones should be given to the same staffers who provision and manage PCs.

2. No power-on password, or a weak password policy.

Tip: Several vendors' device management consoles allow you to configure password complexity rules and password reset questions and answers.

3. No inactivity timeout/auto-lock.

Tip: Timeout policies should be enforced over the air through your device management console, so that the enterprise can maintain near-real-time control.

4. No auto-destruct/data-wiping plans.

Tip: Two methods should be used: over-the-air commands and locally initiated wipes. The latter should occur after a password has been entered incorrectly a certain number of times or when a device has been off the network for a predefined amount of time.

5. No memory encryption rules.

Tip: Major enterprise smartphone operating systems provide settings for enforcing encryption.

(continues on next page)

Complicating matters, users are apt to view smartphones as their own personal gadgets, not something IT should control. "There's a deep underlying current of 'This is my mobile device,' " says John Girard, an analyst at Gartner Inc. A user will often see his smartphone as something that's "blue and plays music," not as an asset that needs to be secured, he says.

Originally published on www.computerworld.com. Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News