Secure mobile phones

Companies have done a pretty good job of addressing the most pressing near-term wireless security issues, which are mainly at the network and authentication levels.

• They've paid a premium for BlackBerry's Triple-DES and Fort Knox-like network operations center.
• For remote access, most firms use VPN tunnels, which are migrating from SSL- to IPSec-based.
• Companies also are getting a better handle on wireless LAN security.

That's the good news. The bad news is that few firms have taken a holistic look at implementing a more comprehensive company mobile security strategy.

A mobile phone is a mini-PC
IT managers will have to evolve their mentality over the next couple of years, driven by two major developments: the rise of mobile devices as potential hosts/perpetrators of security problems or threats, and the fact that firms don't have a good handle on how their workers use these phones for consumer applications, such as downloading music and playing games. "Platform phones" (containing an open operating system, based on Palm, Microsoft, Symbian or Linux) and higher-end phones (equipped with cameras, music players, removable storage and so forth) are essentially mini-PCs and will comprise more than a third of the company-installed base by 2008. Think about the sensitive data that's on the average BlackBerry or Treo. Or about how a virus might be spread via Bluetooth.

So what, specifically, should you do? I recommend the following steps:

• Start thinking about mobile device management. Focus on protecting any device that is considered a company asset or contains potentially sensitive data or content.



• Develop mobile policies. Think about how you should manage employees' personal use of their mobile devices. Are you prepared to pay for picture sharing or game downloads? What about access to inappropriate content?



• Start thinking about anti-spam and anti-virus capabilities. Operators have done a pretty good job of blocking most Short Message Service spam, but the onus will increasingly spread to the company with the broadening of message quantity and type. Also, device-based virus protection will become a necessity for any operating system-based phone in the next 12 to 18 months.



• Develop a key point of contact at the carrier. Find out whom to contact, at least as an initial triage point, should a mobile security breach or loss of data occur.

I'm not recommending that companies panic or significantly increase their spending on mobile security solutions. However, security is a broader problem than many firms believe and should be considered more horizontally across the spectrum of wireless applications, devices and usage scenarios. As wireless becomes a mainstream component of non-voice applications, it will have to be brought into the broader corporate IT security framework.

Lowenstein is managing director of Mobile Ecosystem, and publishes a free monthly newsletter, the "Lens on Wireless". This article appeared in Network World.