They're convenient, versatile and, for many employees, indispensable. Unfortunately, mobile devices are also really easy to lose and that's why companies handling sensitive corporate and consumer information should always spend time to think through policies surrounding their use.
When I talk with organizations about securing employee BlackBerries, iPhones and other mobile devices, I usually look first at access. Are power-on passwords enabled? If not, they should be. Likewise, I typically suggest setting up activity timeout passwords, when possible, to wipe a device after some set number of incorrect login attempts. Device encryption may, in many cases, also be something for an organization to consider.
There's also the issue of getting onto the network. In situations where access to corporate networks is granted via VPN session, I'd avoid storing credentials directly on the device. I generally favor prohibiting employees from connecting mobile devices via USB to corporate systems, and from using them to store corporate data (an organization's central backup system can quickly find saved data not in compliance with corporate policy).It may go without saying, but security settings for mobile devices should always conform to internal policies and procedures for wireless, internet use, firmware upgrades and application installations. Likewise, employees should be aware of potential sources of compromise – a malicious SMS message, for example – and report anything of concern.
Of course, limiting the kinds of information stored on a device also helps mitigate the potential impact if it is lost or stolen. Sensitive information, including account or password data, should never be stored in the form of memos and tasks. And keep in mind that not every email needs to be forwarded to a mobile device. Standard practice is to filter sensitive messages. Device security settings should be set up to delete cached data and credentials saved in the course of browsing internet and corporate portals.
Users also should be aware of scripting attacks and validate enabling scripts while browsing.
Keeping an inventory also is vital. And remember, devices sent out for repair or decommissioning should first be properly sanitized. This includes the removal of sensitive information from built-in storage or extra memory cards.Ondrej Krehel is the information security officer of Identity Theft 911, a leading identity theft management and data breach services provider.