From mobile malware to device management, enterprises need to have a plan for securing the BlackBerrys, iPhones and other devices connecting to their networks.
Cyber-criminals were recently seen targeting BlackBerry and Symbian devices to steal authentication data
from online banking customers, another example of mobile devices being on attackers' radars.
Still, security experts agree most of the threats to mobile
devices come in the form of people losing their devices or having
them stolen. Rather than dealing with malware
the primary challenge for enterprise mobile security is
figuring out how to best manage the plethora of devices
employees can bring on to the network.
The number of players in the mobile market presents a challenge.
Research from IDC reported Symbian held a 40 percent share of the
market during the first half of the year, but also put BlackBerry,
Apple iOS and Android at a combined 50 percent.
From a management perspective
, organizations have three options, Gartner analyst Eric Maiwald said.
"One - use the BlackBerry Enterprise Server," he said. "BES only
manages BlackBerry devices but it gives you the best management system.
Two - use Exchange and ActiveSync. This will work for any device that
includes an ActiveSync agent. However, it provides limited capabilities
- you can verify authentication and encryption prior to allowing the
device to connect and you can remotely wipe the device - and you have
to rely on the device to tell you about itself."
The third option is to use third-party management products, which
come in three major flavors: products focused on the security
configuration of devices; messaging products, which typically deploy
their own agent to send and receive e-mail securely; and service
management technology focused "on the quality of service for the
device" that provides a detailed view of the device and its
configuration, Maiwald said.
"Basically, what I am saying is that you need to understand what you
are trying to do: what is your policy, what is the goal for the
management product, and what devices do you want to manage," he said.
Having a mobile device management strategy to enforce on devices
other than BlackBerry is a common gap in enterprises, Gartner analyst
John Pescatore said, as is having a definition of what minimal security
policies need to be enforced.
Best practices include having the ability to wipe a device
remotely, as well as policies around encryption and passwords, Kevin
Mahaffey, CTO of mobile security firm Lookout, told eWEEK.
"A password is the first line of defense to prevent thieves or
casual snoops from accessing sensitive data on a smartphone," he said.
"While a password won't necessarily stop the most determined attackers,
it can go a long way in keeping sensitive data safe. Some phones
can set policy to automatically erase the device if an incorrect
password is entered too many times."