Stepping back and looking at the big picture of what's taking place with mobile desktop security is hard. Yet failing to do so is holding many enterprises back and creating so much unnecessary risk today. IT shops have to face the reality that phones and tablets are becoming the new desktop and then do something about it. Contrary to popular belief -- especially among management circles -- mobile devices often contain something of value, and the odds are great that it's currently unprotected. There's no better time than now to get started with a mobile security strategy.
Your approach is critical, though. You shouldn't just be concerned with devices. Mobile device management (MDM) has a lot to offer, but it's so last year. The real value in protecting mobile desktops comes when you focus on data, applications and what can actually be done at the hands (or thumbs) of your users. Be it phones, tablets, USB devices or the latest "phablets," a great level of granularity in your mobile controls will help ensure that they're at least on par with traditional Windows laptops and desktops. And don't forget about the security of the mobile apps themselves.
So how can you determine just how much risk is associated with your mobile systems? After all, you need to be able to quantify -- to the greatest extent possible -- what's at stake so management can understand mobile desktop protection from a business perspective. Here are some recommendations for mobile enterprise security.
Know what you've got
What mobile devices are being used in your environment, and what information is being stored or processed on them? Even when users tell you they're not using their smartphones or tablets for business purposes, they likely are. Even seemingly benign email and file copies for working offsite can create an enormous amount of mobile risk if they're not properly protected.
You cannot secure what you don't acknowledge, and there's a serious lack of acknowledgement in mobile security strategy right now. Conduct a risk assessment, and make it clear to yourself and the powers that be what's where at any given moment.
Understand how mobile systems are at risk
Common mobile security problems include a lack of passwords, unencrypted microSD storage cards, and sensitive business information that's forwarded to personal email accounts and cloud backup services. Even mobile apps from third parties or developed in-house could be chock-full of security holes. Do you know how a particular vulnerability, once it is exploited, may affect your business?
Determine the steps and other controls needed for a mobile security strategy
Basic passwords and mobile device management products can be beneficial, but they may not be sufficient. Determine what other security standards, policies and controls the enterprise needs to ensure that sensitive information is properly handled for mobile desktop protection. Security measures could include data leakage prevention technologies, wireless connectivity controls, separation of personal and business information, and even standardization on third-party backup and file sharing services.
Simply locking down everything could harm user productivity and your reputation. The overall goal of mobile app and data security is to minimize the harm from potential device loss or theft, as well as other breaches such as hacking or malware infection.
You need to reach a level of confidence so that you can say, "So what?" when mobile devices are lost or stolen. Your organization might use encryption or similar controls to make the devices mere bricks. When users blindly click malicious links -- which is really easy to do on a mobile device -- it's a nonissue because of malware protection or Web filtering that prevents them from falling into such traps.
Regardless of what anyone tells you, your mobile security risks will be unique. Sure, there'll be similarities with other businesses, but your management will certainly have its own set of priorities. The key is to properly sell management on your recommendations. One thing is for sure: As new devices become the enterprise desktop, organizations will continue to face risks to their data, apps and systems. The question is, what are you going to do about your mobile security strategy today?
This was first published in February 2013