Smartphone Security Basics for Information Officers

One of the chief differences between ordinary old cell phones and smartphones is that smartphones are able to launch sophisticated applications, and store data in file formats other than simple text files. For example, smartphones can launch applications like Microsoft Word, Excel, and PowerPoint and store documents in those file formats, and e-mail those documents to other users. While end users delight in working on the go and sharing information in advanced file formats, the increased functionality has at the same time increased security concerns.

For smartphone users, the security endpoint is no longer the desktop. It is their mobile handset. Today's smartphone users have the ability to move sensitive and proprietary information from their desktop to their handheld with the push of a button. Once the information is on their smartphone, they can e-mail it to anyone else, or upload it to a web blog or shared access portal while sitting on the train.

Essential Safeguards for Smartphones
What should businesses do to protect their proprietary and sensitive information? In a nutshell, there are three safeguards that Information Technology Officers need to put into place at their organizations regarding smartphones:

  •  Security controls
  •  Security policies
  •  Security awareness and training

Security controls are technical configurations put into place on networks, desktops, servers, and smartphones which directly affect the transfer of data to and from the endpoint smartphone. If the smartphone was not issued by the business, and is owned by the user, there are likely limitations to what security controls you can put into place on the smartphone itself.

The reason that many companies issue smartphones to their staff is so they can own and mandate the security controls that are put in place on user handsets. It is clearly easier to manage security if the smartphones are owned and issued by the business.

The security controls you can put into place on smartphones are similar to those you would put into place on desktops or laptops. Security controls for smartphones include:

  •  Anti-virus software
  •  File encryption
  •  Session encryption
  •  User authentication and access controls
  •  Turning off unnecessary services
  •  Device registration
  •  Password expiration
  •  Password complexity rules
  •  Security patches
  •  Firewalls

Once security controls are set up, administrators should test these controls in a lab environment to ensure that they really work. For example, if you have corporate-issued smartphones that have external media cards, you may want to test that when a user removes a memory card from one device and places it in a like device, the new device cannot decrypt any of the files from the first device.

Security policies are the rules of the road for end users, systems administrators, and all other company personnel. Without security policies, it's hard to hold users accountable for their actions.

Many businesses have security policies for servers and desktops, but often forget to put in place smartphone security policies. Big mistake! Today's smartphones may have the same data on them as the servers and desktops. If you lock the windows, but leave the back door open, you have not really secured your organization.

The very first smartphone security policy you'll want to consider is whether to allow users to connect non-company-owned mobiles to company-owned equipment. Before making a decision on this, you should hold a meeting with your legal department and get their input. All security policies regarding smartphones should be written down and approved by the legal department.

