USB devices and other pluggable widgets that can store (and steal) data are a Security Manager's nightmare, but compared to mobiles and their ever-increasing capabilities, USB devices seem innocent. Because so many see mobile devices as a threat, many ask: is banning the use of mobile devices the only way to deal with them in the enterprise?
Fortunately, not many (if any) companies adopt the absurd approach of banning the use of mobiles in the enterprise for security's sake. Instead, they adopt various security policies aimed at regulating the use of mobiles, keeping them from posing a security risk to the enterprise.
The Mobile Enterprise Needs New Security Norms
These policies vary, and different companies take different views of mobile security in the mobile enterprise. Obviously, you can't let the use of mobile devices in your enterprise go unregulated. Doing so would not only be a security risk but outright security suicide. However, how do you decide where to put the firewall between personal freedom and enterprise security?
Between Personal Freedom and Enterprise Security
A recent article in Technology Review looks at the problem from an interesting angle -- the mandatory use of a particular mobile brand in companies such as Western Union and ING Investment Management Services. Nobody argues that mobile devices have a lot to do with enterprise security, but how about freedom of choice when a company decides to use only one given brand and outlaw the rest, especially when personal (as opposed to corporate) devices are concerned?
The major questions here are who pays for the mobile and whether the mobile is used for work-related tasks (for instance by mobile workers) or not. If the company pays and the mobile is used for work only, then nobody should argue: it is a corporate device, and the company has the right to choose. Quite often, however, companies use a so-called BYOD (Bring Your Own Device) policy, under which employees use a personal mobile to do their job.
The BYOD policy has variations, however. For instance, Sybase has preselected 20 devices that comply with its security policy, and employees can choose any of the devices on the list. The expenses are shared between the company and the employee, and it looks more or less like a fair deal.
Is it the Device or the User?
Mobile devices and their ever-increasing capabilities will continue to be a threat to enterprise security. New security features and applications are developed to protect corporate data. However, no matter how stringent your mobile security and how advanced the devices are, if your employees are disloyal, you can never protect your enterprise against unauthorized disclosure of information and insider trading, which could do you more harm than the accidental interception of some random data by a third party.