By Galen Gruman

• Where do I start when securing mobile devices?
• Who is responsible for device security?
• What security do mobile devices need?
• For the mobile devices I do need, isn’t password protection sufficient?
• So how do I secure the data itself?
• How do I manage passwords and encryption across the devices?
• I can’t find sufficient security tools for PDAs, smart phones and so on. So how do I handle them?
• Are there other risks I should watch out for?
• What does mobile security cost to implement?

Mobile Security

Laptops have become so inexpensive that they’re standard equipment at many enterprises. BlackBerrys are all the rage among traveling execs. Cell phones and PDAs are merging into smart phones that allow mobile e-mail, Internet and even corporate network access, as well as the ability in some models to work on spreadsheets. Copying company data onto USB thumb drives and other removable media has never been easier. Critical enterprise information is leaking onto mobile devices whose risk of loss or theft is much higher than it is for PCs at the office.

The risk is not theoretical. According to the Privacy Rights Clearinghouse, 56 potential breaches of clients’ personal information involving laptops and other mobile devices—typically stolen or lost—have been disclosed publicly from Jan. 1 to Oct. 24, 2006, involving the personal information of at least 31.68 million people. And that doesn’t count breaches of corporate data not covered by various state breach-disclosure laws.

Fortunately, security methods aren’t theoretical, either. There are concrete steps an enterprise can take to secure the data on its mobile devices.

Where do I start when securing mobile devices?

The best way to secure company data is not to store it on client devices in the first place, advises Eric Maiwald, a senior analyst at the Burton Group research firm. If data resides on servers and within the data center, with access permitted only over the network, there is no local copy to lose if a laptop or PDA is stolen or lost. This strategy also protects PCs in the office; after all, they can be stolen as well. While it can be more convenient for an employee to work from a local copy of data—on a laptop transported home or on a thumb drive—the high availability of broadband access and the maturity of remote-access technologies, such as laptops and smart phones, is rarely much less convenient. This approach also provides better security while still letting people work in multiple locations and with multiple devices.

Unfortunately, many companies have issued laptops as the standard PC, a strategy that undercuts security. Only employees who need to work while traveling should be issued laptops; examples include senior executives, salespeople, auditors, field technicians, some marketing staff and telecommuters. The rest can use PCs or computers at home or at satellite offices.

Enterprises that limit the use of mobile devices and discourage the use of locally stored data will still find exceptions that require local data storage on mobile devices, but these exceptions will be few and their small numbers will make them easier to manage.

Who is responsible for device security?

Ultimately, the CEO is responsible for the loss of secret information, such as competitive data, trade secrets or customer information. In practice, the buck stops with the CSO or CIO, depending on your organizational chart. Meanwhile, network administrators, client management leads, department heads and individual users share implementation responsibility. The CSO or CIO should set the policies as to what data may be stored on mobile devices, what level of protection is required for different types of data, and what access to internal systems various mobile devices may have. Often, these policies are part of the overall data management and access management policies that cover desktop users and remote users.

The network administrator and IT chief responsible for client management typically choose the tools to ensure that password, VPN, access control and malware-protection requirements are met. They may also determine which types of mobile devices are authorized for use with company data and services, based on the level of security they can enforce on the various devices. Business managers and users are responsible for following these policies, and for not trying to work around the policies by using personal devices with forbidden company data and services—an easy temptation when you already have a PDA, iPod, smart phone or USB drive and see no harm in using it for work purposes.