A recent survey by F-Secure Corp. found that just one in three users take steps to secure their smartphones. And yet, most users carry smartphones to support business activities -- especially synchronization of email, contacts and tasks. This dangerous combination results in unprotected business data stored on devices at high risk of loss or theft.
As budgets contract and mobile workforces grow, many midmarket businesses are left stranded between a rock and a hard place. Ignoring this risk is no longer an option. But
Step 1: Enable smartphone PINs or passwords
Access control is the simplest safeguard you can apply to any mobile device. All contemporary mobile operating systems support power-on PINs or passwords -- but many users just don't bother to enable them. Yes, entering a PIN before checking email means taking an extra step, several times a day. But doing so could inhibit unauthorized use of a lost or stolen smartphone without major productivity drain for many workers.
Even companies without control over worker smartphones can institute policies that require power-on PINs or passwords on any smartphone used for business. To maximize compliance, distribute easy-to-follow instructions for completing PIN/password set-up on popular smartphones, accompanied by a rationale that engages your workers. For example, note how many phones are lost in taxis each year and describe the personal and professional consequences.
Relying upon user configuration is always risky; you may also want to consider basic processes that let administrators enable smartphone PINs and passwords. For example, issue pre-configured smartphones to workers, or let users submit their own smartphones to be configured for access to business services like email. Such practices do not scale to large workforces, but they can be effective in smaller companies. Where possible, enforce compliance by blocking devices that you didn't configure -- for example, by restricting access to Exchange ActiveSync based on device ID.
Step 2: Hard reset or data wipe your lost smartphone
Power-on PINs and passwords are a simple first-line deterrent against inappropriate access by someone who picks up a lost smartphone. However, those basic access controls may not stop a real thief. For example, iPhone PINs are notoriously easy to bypass, as are easy-to-type-and-guess values like "0000."
Depending upon the type of smartphone and the way it interfaces with your network, the second easiest measure to deploy is often a "kill pill" -- that is, the ability to invoke a hard reset or data wipe on a lost or stolen mobile device, thereby turning it into a high-tech brick.
On some devices, data wipe can be triggered asynchronously by authentication failure policies ("three strikes and you're out") or long periods of inactivity. For example, when configuring a worker's BlackBerry device, you may wish to consider setting the Secure Wipe if Low Battery and/or the Secure Wipe Delay After Lock rule to automatically delete all user data if the smartphone is lost and goes unused for a while.
In some cases, you can use server synchronization after loss to invoke a remote wipe -- for example, BlackBerry Remote Wipe Reset to Factory Defaults or Microsoft Exchange 2003/2007 Remote Wipe features.
Alternatively, you may want to invest in a standalone service that tracks and wipes lost or stolen mobile devices. For example, Absolute Software Corp. offers Computrace Mobile -- a smartphone version of the company's popular LoJack service for tracking, wiping and recovering stolen laptops. For $13.95/year per device, Absolute Software can track your BlackBerrys (v4.2.1+) and Windows Mobile 5/6 smartphones and give you a Web portal through which you can issue a Data Delete command to AWOL devices.
Step 3: Encrypt smartphone data
Of course, the goal of data wipe is to stop potentially sensitive business data from falling into the wrong hands. But data wipe is a destructive measure of last resort. You don't want to wipe user data prematurely and you may not be comfortable with waiting for synchronization to execute a remote wipe.
This is where stored data encryption can help. OS-embedded tools like BitLocker and open source tools like TrueCrypt made laptop data encryption more accessible to midmarket companies. But laptop encryption tools cannot be applied to smartphones, where data encryption can either be relatively painless or entirely absent, depending on OS type and version.
BlackBerry content protection can encrypt user data, including calendar entries, address book contacts, memos, tasks and email messages. On Windows Mobile 6.1 devices, file/folder encryption can be activated using Active Directory group policies. If your workers fit into either category, you may find it easier than expected to selectively encrypt business data stored on those smartphones. If you lack the requisite server infrastructure, consider paying a provider to do it -- for example, there are many hosted BlackBerry services sized for smaller businesses.
Finally, if workers carry smartphones without OS-embedded encryption, don't assume that data encryption lies beyond your reach. You could, for example, encourage workers to buy and install standalone PDA encryption products such as AirScanner Mobile Encrypter or Softwinter Sentry 2020 for WM. If you buy smartphones for your workers, ask your wireless provider if they offer mobile security services -- you might find that enterprise-class MDM is not out of the question after all, so long as someone else does the heavy lifting for you.
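As an added example (not from the article, and not Microsoft's own documentation), here is how the three steps map onto an Exchange 2007 ActiveSync mailbox policy in the Exchange Management Shell: a required PIN with simple values rejected, a failed-attempt wipe and inactivity lock, a device-ID allow list, a queued remote wipe and the check that the wipe was actually acknowledged. The mailbox "jdoe", the policy name, the device ID and the notification address are placeholders, and RequireDeviceEncryption assumes Exchange 2007 SP1 or later.

```powershell
# Added example: enforcing the article's three steps for Exchange ActiveSync
# devices from the Exchange 2007 Management Shell. "jdoe", the policy name,
# the device ID and the notification address are placeholders;
# RequireDeviceEncryption assumes Exchange 2007 SP1 or later.

# Step 1 - power-on PIN required, simple PINs like "0000" rejected,
# 5-minute inactivity lock. Step 2 - the device wipes itself after 5 failed
# PIN attempts. Step 3 - on-device encryption required. Devices that cannot
# apply the policy are refused rather than admitted unprotected.
New-ActiveSyncMailboxPolicy -Name "Midmarket-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 5 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Step 1 (enforcement) - assign the policy and allow only the device you
# configured, so an unknown phone cannot sync even with valid credentials.
# First read the ID of the device that has already partnered:
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceID, LastSuccessSync

Set-CASMailbox -Identity "jdoe" `
    -ActiveSyncMailboxPolicy "Midmarket-Baseline" `
    -ActiveSyncAllowedDeviceIDs "PLACEHOLDER_DEVICE_ID"

# Step 2 - remote wipe of a device reported lost. This only queues the wipe;
# it executes the next time the phone synchronizes.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "PLACEHOLDER_DEVICE_ID" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "it-admin@example.com"

# Confirm whether the phone has acknowledged the wipe. Until
# DeviceWipeAckTime is populated, assume the data is still on the device.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

The gap between DeviceWipeRequestTime and DeviceWipeAckTime is exactly the window the article warns about when it says you may not be comfortable waiting for synchronization, which is why the encryption setting in the policy matters as much as the wipe itself.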
These three measures alone do not address all of the mobile security threats that should concern you. However, getting these three fundamentals under your belt is a good way to make a significant dent in smartphone business risk without breaking the bank.
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
This was first published in March 2009