Mobile Computing Security: Authorized Use Guidelines


As corporations find new uses for mobile computing platforms, it is important to remember lessons learned years ago when personal computers were first being issued as productivity aids. Providing guidance on what to do and not to do with the loaned equipment was a necessary step: do not turn off the anti-virus software, do use a strong password, be careful what you send to, and so forth.

The analog to authorized use is unauthorized use. Corporate counsel can provide information on any liability associated with an employee's inappropriate use of a system owned by a firm and used primarily for business purposes. Review of the entire guideline by corporate counsel is a good idea.

Firms should give serious thought to any sensitive information to be involved in authorized use. The security of apps is an open issue, and the risks to sensitive data should be carefully considered. The entire issue of configuration management of mobile devices is wide open: as apps are inexpensive and easily available, employees provided with a device for one purpose may consider the device to be personal property and use it as such.

Abuse of capabilities is also wide open. As use is in such an early stage of evolution, monitoring use is important for gaining an understanding of typical user behavior and changes in that behavior. For example, social networks present challenges and opportunities that are not necessarily well understood and should be expected to change with unpredictable consequences. It was not that long ago that Instant Messenger raised concerns for the security team; Twitter is a whole new world of ulcer-generating concerns.

Financial apps that enable mobile banking and brokerage services present capabilities that have to generate real concerns. The lack of authentication and the resulting anonymous user create a world without accountability, certainly not a good thing.

Another early lesson worth remembering was that issuing a tome and expecting employees to heed it is a very naive expectation. The guideline should be brief and easy to understand; anything more needs other approaches to training and awareness.

As mobile computing creates an exciting new world with fantastic potential, there is a temptation to reject "the old ways of doing things". As great as that temptation may be, avoiding it is essential. Lessons learned through previous hard knocks should be revisited and applied to this new paradigm.