Passing business information to a mobile phone increases the risk of losing that information. We all know this, so why do we permit it to happen? Risk management: sometimes the payoff is worth it. But what is the big deal, anyhow?
First, there is the direct loss issue. If a user loses a phone containing business information and someone finds it, the finder can access that information. The business can avoid this risk by restricting what information can be transferred to mobile devices and by setting policy for proper use by users. This is very restrictive, however, and if the business model indicates that mobile phone risks may be justified, additional options must be examined.
Second is a control issue. Once the business determines that phone use is acceptable, how does it minimize the risk of loss or compromise? Policy, both on paper and enforced electronically, can ensure that a phone is locked and password protected. In most cases this prevents loss through misplacing the phone or theft. Encryption of the device, encryption of the business information, and secure erasure are additional protective measures that can be implemented. But the platform must support the security requirement, or the policy is moot.
Currently, Blackberry is the only secure phone on the market with adequate controls for use as an extension of the business network. Companies should properly configure and restrict the Blackberry so that users don’t inadvertently expose their phones to hostile software. Likewise, companies should observe phone behavior just as they would a user PC in the office, watching for abnormal activity such as browsing to international web domains. Anything that can be observed to detect a compromised device should be tracked and alerted on. eTracker from Prism is a good choice for log management and alerting.
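As an added illustration of the "track and alert" idea above (this is example code written for this post, not eTracker or any RIM or Prism product), the script below reads gateway log lines from mobile devices, flags requests to web domains whose top-level domain is outside the set the business expects its staff to use, and escalates any device that trips the rule repeatedly. The log format, the device identifiers, the expected-TLD list and the escalation threshold are all assumptions; the sample lines are constructed, not real traffic.

```python
"""Flag mobile devices whose web browsing looks abnormal.

Added example (not eTracker or any product code). It assumes a hypothetical
gateway log format: "<timestamp> <device_id> <user> <destination_host> <bytes>".
The rule mirrors the post: browsing to web domains in countries the business
does not operate in is worth an alert, and a device that does it repeatedly
is worth escalating for a closer look.
"""
from collections import defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2009-05-01T08:02:11Z BB-0142 jsmith mail.example.com 5120
2009-05-01T08:05:40Z BB-0142 jsmith intranet.example.com 2048
2009-05-01T08:07:03Z BB-0077 akhan news.example.co.uk 8192
2009-05-01T08:09:55Z BB-0077 akhan cdn.example.ru 65536
2009-05-01T08:10:12Z BB-0077 akhan update.example.cn 131072
2009-05-01T08:11:30Z BB-0203 mlee portal.example.com 4096
"""

# Top-level domains the business expects its staff to browse (assumption).
EXPECTED_TLDS = {"com", "net", "org", "uk"}
# Number of unexpected-TLD requests from one device before it is escalated.
DEVICE_THRESHOLD = 2


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, device, user, host, size = parts
    try:
        size = int(size)
    except ValueError:
        return None
    return {"ts": ts, "device": device, "user": user,
            "host": host.lower(), "bytes": size}


def tld_of(host):
    """Return the last label of a hostname ('cdn.example.ru' -> 'ru')."""
    return host.rsplit(".", 1)[-1]


def detect(log_text, expected_tlds=EXPECTED_TLDS, threshold=DEVICE_THRESHOLD):
    """Return (alerts, escalated_devices).

    alerts: one (timestamp, device, user, host) tuple per request to an
            unexpected TLD, in log order.
    escalated_devices: sorted list of devices with >= threshold such requests.
    """
    alerts = []
    hits = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        if tld_of(rec["host"]) not in expected_tlds:
            alerts.append((rec["ts"], rec["device"], rec["user"], rec["host"]))
            hits[rec["device"]] += 1
    escalated = sorted(d for d, n in hits.items() if n >= threshold)
    return alerts, escalated


if __name__ == "__main__":
    found, escalated = detect(SAMPLE_LOG)
    for ts, device, user, host in found:
        print(f"ALERT {ts} {device} ({user}) -> {host}")
    for device in escalated:
        print(f"ESCALATE {device}: repeated browsing outside expected domains")
```

On the constructed sample, the two requests from BB-0077 to `.ru` and `.cn` hosts raise alerts and that device is escalated, while the `.co.uk` request is accepted because `uk` is on the expected list. In practice the expected-TLD set is a policy decision for the business, and the same structure can be reused for any other observable the post mentions, such as unusual data volumes, by swapping the rule inside `detect`.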
But a Blackberry alone does not guarantee better security; the device must be configured properly and audited for any compliance issues. If you are, for example, passing patient data to a device, then that access must be logged for HIPAA compliance. Users who own their own phones pose a greater risk of loss than users of phones controlled through a Blackberry Enterprise Server (BES). Through the centralized control of a BES, auditing and security settings are maintained by the business. Trusting the end user to perform these activities increases the risk that a mistake will occur and information will be compromised. Only through the use of the BES can a company be confident it has properly addressed security concerns for mobile devices.
Furthermore, proper selection of a BES is vital to maintaining these security protections. If you elect to run a RIM BES in house, you have all the responsibility and all the capability. If you elect to use RIM’s external BES options, you have transferred some control but keep all the responsibility. It may be easier on your IT shop, but you’ll have to trust RIM. Finally, there are third-party options, similar to a BES and including functionality for non-Blackberry phones. Again, you’ll have to trust these third parties.
Currently only the RIM Blackberry and BES server stand at the top of the security risk prevention chart for organizational smart phone use. Any organization selecting an alternative solution should be prepared for potential problems, including justifying why it elected to use the higher-risk option. Until an alternative enterprise option has been vetted by a qualified security organization, electing to use anything but the Blackberry BES is accepting additional risk that companies must justify to comply with risk management requirements in regulated environments.
Finally, there are issues with smart phones that you as a user may not know about, that bad guys are gleefully searching for, and that vendors will not bring up for fear of losing sales. Did you know that iPhones log screenshots of all user activity? Imagine that: a record of your activity on your phone.
Digital Trust, LLC
This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name is removed.