By Bob Heard, CEO and Founder of Credant Technologies
Tuesday, 4 October 2005 08:40 EST

Jerry is a top executive at your company. His hard work and dedication to his job even away from the office have made him a role model for the entire company. Jerry’s wife bought him a Treo for his birthday last month.

Every day since then, Jerry has brought his new mobile device to work, synching it to the corporate network and downloading company information in order to keep him productive outside of the office.

Yesterday, Jerry’s Treo was stolen, and your corporation’s information along with it.

Now your corporate information has been leaked onto the Internet for everyone to see. Sensitive e-mails, customer social security numbers, confidential company information … nothing has been spared. Consumers are outraged and stock prices plummet after news of your data breach gets out.

Gartner estimates that 90 percent of personal mobile devices have inadequate security to protect against even common situations, such as accidentally leaving it behind at an airport terminal, and with the growing number of personal mobile devices being brought into the workplace, stories like Jerry’s are becoming increasingly prominent in today’s news. No corporation wants to be the next news feature on how not to protect company information. But how does a company do that without an outright ban on personal mobile devices, a move that is sure to infuriate employees?

Fortunately, there are several actions a corporation can take to satisfy staff, customers and stockholders all at the same time.

Develop a written policy
The need for a corporation to allow employees to use a variety of device types is important given the plethora of devices available and additional functionality that they provide to users. However, in order to minimize support costs, businesses should limit the number and types of devices supported.

Companies should develop a written policy covering the use of mobile devices: Who can use them, for what purposes and which kinds of devices are allowable. Policies also should detail how these mobile devices will be protected; including how users will authenticate, what information must be encrypted and what device capabilities are allowed; such as disabling camera, recording capabilities or Bluetooth options.

Ensure your written policies are implemented
Specifying that employees must use security software on their mobile devices but not ensuring its use is like having speed limits but no traffic tickets. Once policies have been established, businesses need to ensure that the written policies are implemented. A corporation’s security solution should be able to not only detect new devices, but to automatically install security software and check that it is installed every time the device connects. It also should limit allowable devices, support all device models the corporation wishes to support and enforce policies appropriate to the role of the person using the device.

The ideal mobile security solution minimizes costs and easily integrates with the existing corporate infrastructure. By applying mobile security policies to pre-defined users and groups, there is no additional administrative overhead when a new employee joins the organization and it’s easy to make global, group or even a user-level policy change. Having a solution that is managed by a single source or administrator is imperative as it prevents users from setting their own preferences.

This security solution also must be easy to use by those users who are bringing mobile devices into the workplace and synching them with the corporate network. Login requirements should be simple enough for users, but attempts should be limited in order to protect against intruders. Users also should have password reset capabilities. A user that can reset his or her password saves help desk costs and does not waste time waiting for an administrator to reset access to the device.

Communicate your policies to your employees
Once a corporation has its policies and security solutions in place, the final step is to educate its employees. A company’s workforce needs to understand the policy, the risks and why it is important to protect their personal mobile devices. Seminars and other training procedures can be used to instruct employees how to better protect their mobile devices and the data stored within them. Educated employees are more likely to take security measures seriously to protect themselves and their clients.

With the number PDAs and smartphones expected to equal notebook shipments in 2005, it is essential to provide security for these mobile devices, or face the consequences of non-compliance with regulatory acts such as Sarbanes-Oxley or HIPPA. Not to mention falling stock prices as a result of an announced data breach. Luckily, with available technology, corporations can take great strides in ensuring that what happened to Jerry, doesn’t happen to them.