Wasteful spending, weak security and lax usage policies often characterize enterprise mobile device governance (i.e., the people, processes and policies used to manage mobility). This article reviews common mobile device governance issues and provides practical recommendations.
Impact of poor mobile device governance
Mobile devices and services continue to be a rapidly growing component of enterprise budgets, yet many enterprises have no coordinated approach to mobile expense management. Enterprises often do not analyze how actual usage compares with mobile service contracts and therefore fail to make cost-saving adjustments. Expense management becomes increasingly important as more enterprises allow employees to submit their expenses for personally owned mobile devices. Many enterprises do not have visibility into whether an employee is spending company money on personal calls, application downloads or ringtones. Some enterprises with mobile service contracts have discovered that operators may continue to bill the enterprise even after an employee has left the company!
The use of mobile devices exposes the enterprise to security threats such as device loss or theft, data leakage and malware attacks. The high value of smartphones makes them perfect targets for thieves. In addition, the small size of mobile phones makes it easy for them to slip out of a pocket or purse. Employees often "leak" sensitive information from a phone to a PC or secure digital card. Finally, growing processing power, storage capacity and broadband speed make the smartphone an easier malware target.
Personal use policies on mobile devices can vary widely. Some enterprises prohibit personal calls, forcing employees to carry two phones, one for business use and one for personal use. Others allow personal phone calls only if employees do not exceed their minutes-of-use plan limit. Some enterprises have a no-text-messaging policy, although it is unclear how they would enforce it. Similarly, policies on mobile device ownership vary widely. Many enterprises approve the use of company-owned mobile devices only; others allow personally owned devices.
Recommendations for mobile device governance
Enterprises can improve mobile device governance and thereby reduce costs, increase security and improve use policies by considering the following recommendations.
- Embrace mobility as a strategic initiative. Enterprises often manage mobility in an ad hoc, department-by-department fashion, in much the same way that LAN technology was deployed in the mid-1980s. Enterprises would be much better served if they were to approach mobile device governance with the same discipline with which they approach their financial governance.
- Consider using ITIL. The Information Technology Infrastructure Library (ITIL) is a widely adopted framework for IT service management and provides a broad set of organizational best practices that enterprises can adapt to their environment. Some enterprises are using ITIL to help them improve their mobile device governance.
- Consistently adhere to security best practices. Many enterprises ignore well-established security best practices. For instance, they often require disk encryption on laptops but not on mobile devices. In addition, some enterprises still use the insecure Wired Equivalent Privacy (WEP) wireless LAN (WLAN) security protocol on Wi-Fi-enabled smartphones. Such approaches can result in security breaches and may increase legal liability.
- Rethink your mobile use policies and then enforce them. Enterprises often create use policies that are inconsistently enforced. For example, many IT managers state that their official policy is to deny Apple iPhone access to the enterprise network, but they often violate this policy for privileged staff. This behavior weakens the policy and encourages other employees to demand policy exceptions.
- Limit and secure sensitive data on personal mobile devices. Consumer technology will continue to creep into enterprise facilities. This trend will accelerate the merging of personal and enterprise data on ever more powerful personal devices. Enterprises must carefully evaluate their risk tolerance for each consumer device under consideration and then learn how to limit and secure the personal devices that are allowed access to sensitive information. Refer to this SearchMobileComputing.com article on mobile security and management for useful suggestions.
- Consider using products and services that can improve mobility governance. New products and services can help improve mobility governance. For instance, Visage Mobile's Software as a Service (SaaS) product enables enterprises to manage wireless inventory, reduce overspending and demonstrate compliance with mobility policies. In addition, companies like ProfitLine provide consulting services that help enterprises manage many aspects of mobile management, such as invoice management, device management and rate plan optimization.
Enterprise mobility is at a crossroads. Many enterprises are proceeding down a risky path because of their poor mobile device governance. Enterprises should set a new course that emphasizes mobility as a strategic initiative in order to reduce wasteful spending, improve weak security and strengthen use policies.
About the author: Paul DeBeasi is a senior analyst at the Burton Group and has more than 25 years of experience in the networking industry. Before joining the Burton Group, Paul founded ClearChoice Advisors, a wireless consulting firm, and was the VP of product marketing at Legra Systems, a wireless-switch innovator. Prior to Legra, he was the VP of product marketing at startups IPHighway and ONEX Communications and was also the frame relay product line manager for Cascade Communications. Paul began his career developing networking systems as a senior engineer at Bell Laboratories, Prime Computer and Chipcom Corp. He holds a BS in systems engineering from Boston University and a master of engineering degree in electrical engineering from Cornell University. Paul is a well-known conference speaker and has spoken at many events, among them Interop, Next Generation Networks, Wi-Fi Planet and Internet Telephony.