Business of IT: mobile device management
We look at how IT departments and businesses can mitigate mobile risks and reap the rewards.
This month, the great and the good of the mobile industry met in Barcelona for the annual Mobile World Congress (MWC) trade fair.
There, vendors showed off their latest mobile applications and devices, including smartphones and tablets. At the Consumer Electronics Show (CES) in Las Vegas earlier this year, manufacturers announced more than 80 new tablets running the Android operating system alone. A plethora of tablet and smartphone announcements at MWC has added to the ranks.
For businesses – and for IT departments in particular – this proliferation of devices presents both an opportunity and a challenge. Chief executives generally agree that staff who have mobile devices are more productive, and there is plenty of research to back up that claim.
IT management tools vendor LogMeIn recently surveyed small and mid-sized businesses and found that 63 per cent of (non IT) managers believed that giving staff remote access to work IT did boost productivity.
It is also fair to assume that staff who can choose their devices will be more content than those forced to carry a company issued smartphone or tablet.
But managing a growing number, and range, of mobile devices causes problems for IT departments who often lack the expertise, and budgets, to ensure that portable IT equipment is accounted for and is secure.
The trend for employees to use their own devices at work is doing little to help matters. Often, as Cisco's security chief said recently, the most senior managers and executives are the worst culprits, demanding that IT connect their latest toys to the company's networks.
Your pad, or mine?
Short of setting up full-body scanners in the lobby and selecting any executive returning from Barcelona for an additional pat down, there is little that IT directors can do to stop the consumerisation trend. The devices are simply too attractive, and too useful.
A research report carried out by analyst firm Ovum and security body EEMA, found that seven out of 10 organisations allowed staff to use their smartphones for work. But almost half of organisations – 48 per cent - said they also allowed employees to use personal devices at work.
Separate research, carried out by mobile connectivity vendor iPass, found a more worrying statistic: almost one in four employees had used a personal smart phone for work, even when company policy forbade it.
The ability of companies to control the use of personal mobile devices for business remains limited.
"The contract for the use of a personal device should require that the owner of the device cedes some level of control to their employer, so that business use can at least be ring fenced," says Peter Wood, of the information security advisory organisation ISACA.
"But it is a very difficult area."
Companies have two main options for dealing with non-business devices.
The first is to bolster perimeter security, so that unknown devices cannot connect to it. This can cause practical problems, such as slowing down the rollout of new company devices, or making it harder for visitors and contractors to go online.
What's more, it is fairly easy to circumvent, for example by installing an unauthorised wireless access point, unless the business also has strong network management tools. But good device access controls are part of good security, so it may well be worth the investment.
The second tool is to raise awareness of security risks, and to set clear policies around the use of personal technology by staff. IT should set the technical requirements for the policy, but will also need to consult HR and the legal department – or in smaller companies, an employment law solicitor – to make sure that the policy is both legal and enforceable.
"Employees' consent could be seen as a quid pro quo for being allowed to use their own devices. But it goes without saying that the terms and conditions would need to be very clear," says Ed Moody, applications manager at IT consultant and integrator BT Engage IT.
Holding the line
Sometimes, however, it might seem simpler – and perhaps even cheaper in the long run – for companies to issue their own devices. IT departments can integrate company owned devices into their infrastructure, install, or remove, software, and impose other limits, such as blocking access to particular websites or types of content.
Working with network operators can also make it easier to control mobile bills, by imposing limits on talk time, data transfers, or roaming. The tools for businesses to control usage are more sophisticated than those available for consumers, and remove the need for employees to reclaim business use of airtime via their expense reports.
Although the number of mobile device management tools available is growing, the market remains fragmented. With the possible exception of RIM's BlackBerry system, which allows very granular control over its smartphones through the BlackBerry Enterprise Server, managing even a few dozen mobile devices can pose a challenge.
At the UK arm of Volkswagen Financial Services, for example, field representatives who audit trade finance to car dealers are issued with BlackBerry smartphones.
The company looked at other smartphones but opted for BlackBerry because it complied with the German parent company's policies, according to Jean Smith, Volkswagen Financial Service' risk and corporate services director.
Modifications to the standard BlackBerry include disabling the ability to download apps, turning off BlackBerry Messenger, and forcing the device to wipe itself after five failed attempts to enter the password.
"There are quite a few restrictions," Smith admits.
Elsewhere, the uptake of mobile device management tools has been more limited. Apple supports remote wiping and locking of iPhones via iTunes and Mobile Me, and recently made the service free.
Microsoft's System Centre Mobile Device Manager was a popular option for companies running Windows Mobile, but the technology does not support Windows Phone 7, forcing businesses to manage these devices through Exchange ActiveSync, or using third-party tools.
The market for management tools for Android also remains immature.
This is forcing companies to take a DIY approach to device management, according to Rob Bamforth, analyst at research firm Quocirca.
Businesses are mixing security tools, third-party mobile management tools, and services from network operators. However, operator-based tools are becoming more sophisticated and could give organisations a simpler way to manage their smartphones – assuming they are all from one carrier.
Laptops are now pretty well secured but smartphones are lagging, especially with security," cautions Bamforth. "The problem is mainly one of platform diversity, and it shows no signs of diminishing," he said. "That some tablet platforms are scaled up from smartphones, and not down from laptops as was once assumed, means they are more likely to be managed and deployed in a similar fashion to phones."
But, he adds, it is policies and devices, rather than tools, that will ensure mobile workers stay secure.