Wireless - Mastering Mobile Madness

Page 2 of 2

UPS’s Killeen has pushed hard on standards for the past several years, after spending years with none and hooking everyone’s PDA into their Outlook e-mail application if they so desired. “What happens is that when there are problems, it’s a support nightmare for those company devices that aren’t really company devices,” Killeen says. He now supports BlackBerrys and Treos, and employees can either buy their own or, if it’s a part of their job, UPS buys it for them. “Devices will change constantly,” Killeen says. “And we don’t want to be in the device business.”

For his tens of thousands of cell phones, Killeen and other CIOs take a firmer approach. “People at UPS cannot purchase a cell phone unless they come through us,” he says. “My organization has established contracts with carriers, and everybody’s got to abide by us.”

These CIOs also make it clear that if an employee wants to purchase a non-IT-approved device, they’re on their own if it breaks or fails to work the way they want it to. That’s part of the enforcement function. But that’s not to say that, once a CIO makes a decision on a standard, nothing can change. “If there’s a new need for a product set, we’ll jump on it,” TI’s Bonner says. “Being a high-technology company, we have a lot of savvy users, and we try to run faster than them.”

Running faster also means keeping pace with the security functions that should be on the devices. One of the most critical functions is being able to wipe a device remotely if it’s lost or stolen. According to the Burton Group report, all data can be removed from a handheld device, such as a BlackBerry, by doing a hard reset. For a remote wipe, an administrator sends a command to the device to perform a hard reset, or the administrator can set a policy that a hard reset will occur after a specified number of failed attempts at logging on.

Other risk considerations for CIOs include making sure that basic power-on passwords are on the devices, encrypting wireless transmissions that contain sensitive corporate information, and ensuring that employee devices don’t have cameras on them that they can bring into the office. The camera phone is the CIO’s latest bane. Do you want customer service people taking photos of customer information? Bonner doesn’t want employees taking snapshots of new design work. His policy is simple: “You can’t have that,” so phones need to be shut off when an employee enters the office.

Security and Enforcement

How much training CIOs should do is dependent on how technically proficient their workforce is. For TI’s Bonner, making his users sit through two hours of how to operate their new cell phone or smart phone would be a waste of time, not to mention insulting. Novak’s lawyers simply won’t make the time.

In organizations where users may not be quite so sophisticated (or difficult), CIOs should offer as much training as the user base needs. “Training costs time on the front end, but it really saves a lot of time on the back end because you don’t have 25 people asking questions later, one by one,” Ovum’s Entner says.

CIOs have to ensure that users know how important it is that they follow security guidelines—regardless of their computer proficiency. “You don’t raise your children by yelling at them constantly,” says Accenture’s LeVine. “You explain to them, ‘If you use this device in a compromised way, you may sink the firm and lose your job and your retirement.’” That’s not hyperbole, LeVine says, just reality.

This past summer, Intelsat’s Kraus held an information security awareness day for all employees of the satellite communications company, where he made sure that everyone knew about virus protection, identity and password management, wireless devices and protecting home PCs. At his law firm, Novak says he spends a lot of time in coaching sessions for security best practices. He also sends out e-mails of tech tips that take users no more than 10 minutes to read. “Once you can explain in business terms why this is important, they can carve out the time to read it,” he says.

CIOs also need to make sure that the help desk is well-versed in these new devices before they’re rolled out to a single user. “That’s where the disconnect happens,” says Reality Mobile’s Rensin. Far too often, the help desk gets thrown the BlackBerry or Treo training manual after the fact, and then they have to learn it while dealing with cranky users. Time and money lost in that process may be hard to quantify but “there’s never any way to recover it,” Rensin adds.

Enforcement of a device security policy is one of the biggest pieces of any overall mobile device strategy, especially in light of regulations such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley. If CIOs are going to “allow these devices, then they need to make sure their policies are enforced,” says Maiwald.

One way to enforce a security policy is to track rogue devices, especially if you’ve decided not to allow any unapproved devices on the network. Tracking requires security software that can, for example, scan for unauthorized device-to-desktop synchronization, or unauthorized devices accessing your network through your wireless LAN.
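One way to implement the tracking described above, as an added example that is not from the article or from any vendor product: a Python check that runs constructed WLAN association records and desktop sync-agent records (both in hypothetical formats) against an approved-device inventory and reports anything not on it. The inventory, log formats, SSID names and device IDs are all assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed approved-device inventory (not from the article), keyed by the
# identifier each log source reports: WLAN MAC address or sync-agent device ID.
APPROVED_WLAN_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
APPROVED_SYNC_DEVICES = {"BB-10021", "TREO-0455"}

# Constructed WLAN controller association records (hypothetical format).
WLAN_LOG = """\
2005-10-01 08:02:11 AP-3F-West ASSOC client=00:1a:2b:3c:4d:5e ssid=corp
2005-10-01 08:05:40 AP-3F-West ASSOC client=00:AA:BB:CC:DD:EE ssid=corp
2005-10-01 08:06:02 AP-2F-East ASSOC client=00:11:22:33:44:55 ssid=guest
"""
# Constructed desktop sync-agent records (hypothetical format).
SYNC_LOG = """\
2005-10-01 09:10:03 host=WS-1142 user=jdoe SYNC device=BB-10021 status=ok
2005-10-01 09:12:44 host=WS-0877 user=asmith SYNC device=TREO-9999 status=ok
"""
WLAN_RE = re.compile(r"^\S+ \S+ (?P<ap>\S+) ASSOC client=(?P<mac>[0-9A-Fa-f:]{17}) ssid=(?P<ssid>\S+)")
SYNC_RE = re.compile(r"^\S+ \S+ host=(?P<host>\S+) user=(?P<user>\S+) SYNC device=(?P<dev>\S+)")

@dataclass(frozen=True)
class Finding:
    source: str      # "wlan" or "sync"
    identifier: str  # MAC address or device ID that is not in the inventory
    detail: str

def rogue_wlan_clients(log: str, approved: set[str] = APPROVED_WLAN_MACS) -> list[Finding]:
    """Flag clients on the corporate SSID whose MAC is not in the inventory."""
    findings = []
    for line in log.splitlines():
        m = WLAN_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()  # normalise case before comparing
        # Assumed scope: only the corporate SSID reaches the internal network.
        if m["ssid"] == "corp" and mac not in approved:
            findings.append(Finding("wlan", mac, f"unapproved client on {m['ap']}"))
    return findings

def rogue_sync_devices(log: str, approved: set[str] = APPROVED_SYNC_DEVICES) -> list[Finding]:
    """Flag desktop synchronisations with a device ID not in the inventory."""
    findings = []
    for line in log.splitlines():
        m = SYNC_RE.match(line)
        if m and m["dev"] not in approved:
            findings.append(Finding("sync", m["dev"], f"unapproved sync by {m['user']} on {m['host']}"))
    return findings
```

Feeding the real controller and sync-agent exports through the same two functions, with the inventory pulled from the asset register, gives a daily list of devices the policy says should not be there.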

If such a policy is in place but is not enforced, the risk to the organization may be greater than if the organization were to simply ignore the problem. That’s because the existence of the policy may give the enterprise (and the CIO) a false sense of security, Maiwald writes in the Burton Group report. And if any employee leaves the company, CIOs have to make sure that his device has been wiped clean of all company information. (See “When the Bits Bite the Dust” for more on wiping hard drives clean at www.cio.com/100105.)

In the end, any mobile device “is only as secure as the human operating it,” Ovum’s Entner says. “No amount of software can change that.”


Copyright © 2005 IDG Communications, Inc.
