Today's corporate cell phone users are accustomed to an enormous amount of functionality from their handheld wireless devices. A wide variety of features, coupled with broadband connectivity, allows for quick and easy access to email, file transfers, internet browsing, etc., from almost any location.

As the functionality of wireless devices continues to grow, so do the security risks to stored and transferred data. The following safeguards are essential to improving corporate cell phone security.

1) Utilize Built-in Security Features

For years, desktop computers have provided users with "built-in" security measures. Most handheld devices now include a number of configuration settings and security measures that are intended to thwart basic security attacks. Oftentimes, however, these features simply go unused.

The user authentication mechanisms generally available on most handheld devices are PINs and passwords. Some of these mechanisms include a timeout feature that locks the device automatically after reaching an "inactivity" threshold. Employees should be familiar with and take full advantage of the security features that are "built-in" to their own personal communication devices.

2) Maintain Physical Control

A key issue that many organizations struggle with is deciding whether to allow employee-owned devices or stick with organization-issued equipment. From a security perspective, organization-issued devices are easier to control and manage. Not only can security controls be managed from a central location, but the devices themselves can also be configured to comply with corporate security policies.

Organization members should be encouraged to treat all wireless devices much like they would a credit card. A lost or stolen wireless device incurs not only the cost of the handset itself, but also puts the sensitive data contained on it at risk.

Lending cell phones to friends and relatives should be strictly forbidden as a matter of corporate policy. Allowing access to wireless devices by individuals outside the organization opens the door for misuse, abuse and/or fraud.

3) Limit Data Exposure

Keeping ultra-sensitive financial and personal information on company-owned wireless devices should be avoided if at all possible. Although it may be convenient to keep PINs, passwords, account numbers and user IDs for quick access to online accounts, maintaining this sort of information on a wireless device should be avoided. It is best to store this information on a separate memory card until needed.

If the presence of this type of sensitive data cannot be avoided, always encrypt the information. There are many commercially available encryption applications for most of today's handheld devices. (NOTE: The need for encrypting data is another good reason for centralized control of wireless devices within an organization.)

4) Backup Data Frequently

Everyone knows that keeping important digital data in only one spot is a recipe for disaster. Never trust a mobile device to be the only repository for important information. Be sure to back up its data frequently to a desktop computer or standalone hard drive. Backing up data onto a memory card is effective if the card is kept separate from the device itself.

5) Avoid Malware, Suspicious Apps and Software Downloads

Malicious programs can be spread to mobile devices through communications channels such as multimedia messages or Bluetooth connections. It is best to instruct users to treat any messages received from an unknown number with suspicion. Most malware requires a user to interact with the message to become active on the device. For example, malware that is propagated via a Bluetooth connection cannot install itself without user approval.

All organizations should have a policy in place that prohibits wireless users from downloading software from internet sites. Software installation should be centrally controlled within the organization at all times. Just as desktop PCs have safeguards to prevent employees from downloading and installing software, so do wireless devices. Some devices have application security features that prevent the installation of third-party software unless it is digitally signed.

6) Add Prevention and Detection Software

Malicious programs and unauthorized downloads cannot always be avoided. Therefore, it is best that each organization arm its wireless devices with prevention and detection software that will help curb malicious attacks of this nature. A wide range of products now exists in the marketplace for this purpose. These products simply expand the security that is already built into each device.

The most typical security features of prevention and detection software include: user authentication alternatives, firewalls, virus detection, spam controls, memory and contents erasure, encryption, intrusion detection, VPN, and others.

7) Deactivate Compromised Devices

If a wireless device is lost or stolen, disabling service, locking it, or completely erasing its contents can be achieved remotely. Always be sure to contact the wireless carrier in the event of a lost or stolen device. To help avoid excessive charges from the wireless carrier in the event of a stolen phone, it is advisable to obtain a police report that outlines the nature of the incident.

Some handheld units, such as the BlackBerry, have the ability to lock or erase their contents remotely through a built-in mechanism. This action is typically triggered by the receipt of a message containing a pre-registered activation code. A company policy should be established that informs users of procedures for handling and reporting lost or stolen organization-owned devices.

8) Establish a Written Wireless Security Policy

All organizations should provide users with a written wireless security policy. This policy defines the rules, principles, and practices by which the organization treats all of its wireless resources. The policy should outline stated restrictions for personal use of the devices, such as limits on storage of personal information like music, photos, contacts, etc.

In short, the wireless security policy should reflect the organization's views on security and its intent to keep organizational data safe and secure. The success of such a policy lies in its quality, implementation and enforcement. A weak policy that is never enforced is not much better than no policy at all. Consult a qualified telecom consultant for help in constructing an effective wireless policy.