How to Properly Secure Mobile Devices

IT leaders know that in today's wireless world, it's easier to ride the mobility wave than fight it and get knocked ashore. Thanks to cost savings and productivity gains, "bring your own device" (BYOD) programs are cresting through the public sector.

As organizations develop BYOD policies to allow employees to use their personal mobile devices for government business, security represents a key concern. Indeed, ISACA's 2011 "IT Risk/Reward Barometer" survey found that 58 percent of U.S. information security and IT audit professionals view employee-owned mobile devices as a greater risk to the enterprise than mobile devices supplied by the organization. However, 27 percent of respondents still believe the benefits of employees using personal devices outweigh the risks.

"BYOD presents both opportunities and threats," says John Pironti, an adviser with ISACA. "It lets both employees and organizations take advantage of the latest technology innovations at limited cost to the organization. Unfortunately, it also introduces new vulnerabilities, due to the limited ability of most organizations to effectively manage and secure employee-owned devices accessing their information infrastructure."

Reducing Risk

Ponemon Institute's 2012 Global Study on Mobility Risks shows that more than half of the IT and security professionals surveyed say their organizations have experienced an increase in malware and in lost confidential data resulting from employee use of personally owned devices.

No matter who owns the device, state and local governments must be able to protect their data and maintain a measure of control over these devices. To achieve this, chief information security officers are implementing a new set of security tools and measures designed to protect notebooks, tablets, smartphones and other mobile devices. These measures allow workers to reap the benefits of being able to work anywhere, anytime, while reducing government's exposure to data theft and loss.

As with most security issues, effectively addressing the risks of BYOD programs starts with policy. Agencies must clearly spell out who may use their personal devices for government purposes and how. For example, some departments or agencies may wish to ban workers from taking photos or videos in the workplace, downloading and using Internet apps, using personal e-mail accounts, downloading confidential data onto the device, or downloading and watching videos.

Next come the security technologies to layer on top of policies and procedures. Enabling basic features such as auto-locking and password protection is a must. Add two-factor authentication, identity or access management and device-level encryption. And counter the threat of malware that targets mobile operating systems by installing an antivirus or antimalware package.

Administrative Aid

Effective enterprise-scale mobility programs also require a mobile-device management (MDM) solution. This software allows over-the-air distribution of applications, data and configuration settings for most types of mobile platforms. Such tools help IT professionals better manage and secure smartphones and other mobile devices.

MDM tools enable BYOD programs because they offer a means of "sandboxing" the device to separate work and home. If an employee-owned device is lost or stolen or someone resigns his or her position, IT pros can wipe official communications from that device, but leave the owner's personal data behind. Client virtualization software also affords extra security benefits because no data is stored on the mobile device.

With the right policies and precautions, organizations can move forward with BYOD programs to minimize capital outlay, subscriptions and support while extending the benefits of mobility to employees. That's a win-win for both parties.