
IT Policies and Mobility at Odds

by LisaMorgan 18-05-2011 05:31 PM - edited 08-12-2011 04:17 PM

The popularity of smartphones and tablets is causing IT departments to rethink the details of their security policies. Increasingly, employees expect to run business and consumer applications on their own devices. In fact, many employees admit to accessing corporate networks without their employers’ knowledge or permission.

A recent Juniper Networks survey, conducted by KRC Research and Synovate, found that of the more than 6,000 smartphone and tablet users surveyed across 16 countries, 81% admitted to using their personal devices to access their employer’s network without the employer’s knowledge or permission. Fifty-eight percent admitted to doing so every day.

“Unless you can control the usage of [user-procured] devices on a very granular level, I would advise against allowing them inside your company,” said Calin Ghibu, product manager at GFI Software. “[User-procured] devices pose a serious threat to your environment. They can be used to extract sensitive information [and] the data theft can lead to legal liabilities.”

Malware is another concern because, unlike laptops and PCs, most smartphones do not run anti-malware software. Unauthorized software downloads are also a threat, given the popularity of apps and the personal nature of the devices. Further, although gateway-level security may be considered robust, mobile devices can be used to bypass web monitoring and firewalls, said Ghibu. A phone on a cellular connection never crosses the corporate gateway at all, so none of the proxy or firewall controls are applied to its traffic.

Users are Not the Only Ones Creating Security Holes

IT professionals know that end users cannot be trusted to secure their own equipment, as evidenced by the widespread failure even to password-protect their devices.

The Juniper Networks survey also found that although more than 81% of smartphone and tablet users say security is a top or high priority, only 24% frequently change their security settings. Thirty-five percent change security settings “when the need arises,” 31% rarely or never change them, and 9% are unfamiliar with security settings.

While IT professionals realize “hope” is not an effective form of security, they nevertheless may be overconfident about their own ability to secure corporate data.

“With email there are enough controls to manage risk, but the larger challenge is mobile access to HR and home-grown applications,” said Custie Crampton, VP of Mobile Device Management (MDM) at Tangoe, which specializes in telecom expense management and mobile device management.

Enterprise use of Exchange ActiveSync is widespread; however, it only secures email. Device-level control is preferable but not all mobile operating systems provide true policy controls, Crampton said. Although MDM can be used to “control” Android-based devices, for example, users can nevertheless change the settings.

“With a BlackBerry you can secure outbound communications and sync, but as soon as you add Windows Mobile or iOS you open security holes,” said Crampton.

Even with ActiveSync, a user armed with a user name, password, and the correct URL can access a network from any device, he said. Although Microsoft Exchange now provides functionality that can block access at the device level, it is not available natively and there are no tools available, he pointed out. There is an API, however.

“The biggest challenge is [failing to understand] the capabilities of the different platforms,” said Crampton. “You have to know what the devices can and cannot do.”
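As an added example, not part of the original article and not code from any of the vendors quoted in it, the following shows the device-level Exchange ActiveSync controls the preceding paragraphs touch on, as they appear in the Exchange Management Shell. It assumes Exchange 2010 SP1 or later and an account holding the Organization Management role; the policy and rule names, mailbox addresses, and device ID are hypothetical placeholders.

```powershell
# Added example (not from the article): Exchange ActiveSync device controls
# in the Exchange Management Shell. Assumes Exchange 2010 SP1 or later and
# an account with the Organization Management role. Every name, address and
# device ID below is a hypothetical placeholder.

# 1. The "users don't even set a PIN" finding: a mailbox policy that refuses
#    to sync until the device enforces a password, locks after inactivity,
#    wipes after repeated failed unlocks, and encrypts local storage.
#    AllowNonProvisionableDevices $false rejects clients that cannot report
#    that they applied the policy at all.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration "90.00:00:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Attach the policy to one mailbox (placeholder identity).
Set-CASMailbox -Identity "jdoe@contoso.example" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 2. "Anyone with a username, password and URL can connect from any device":
#    quarantine every device the organization has not seen before instead of
#    letting it sync, notify an admin mailbox, and tell the user why.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admin@contoso.example" `
    -UserMailInsert "Your device is awaiting IT approval before it can sync corporate mail."

# 3. Admit a device family by rule rather than one device at a time.
#    Characteristic may be DeviceModel, DeviceType, DeviceOS or UserAgent.
#    The string is matched against what the client reports about itself,
#    so a rule sorts traffic; it does not authenticate hardware.
New-ActiveSyncDeviceAccessRule -QueryString "iPhone" -Characteristic DeviceType -AccessLevel Allow

# 4. Review what is sitting in quarantine and who owns it.
Get-ActiveSyncDevice | Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId -AutoSize

# 5. Per-user exception: allow one specific device ID for one mailbox.
Set-CASMailbox -Identity "jdoe@contoso.example" -ActiveSyncAllowedDeviceIDs @("ABCD1234EF567890")

# 6. The "data wipe" the article's policies mention: a remote wipe of one
#    device. On Exchange 2010 this wipes the whole device, personal data
#    included, which is exactly the privacy collision the article describes
#    for employee-owned hardware. The owner is notified by email.
Get-ActiveSyncDevice -Mailbox "jdoe@contoso.example" |
    Where-Object { $_.DeviceId -eq "ABCD1234EF567890" } |
    Clear-ActiveSyncDevice -NotificationEmailAddresses "jdoe@contoso.example" -Confirm:$false
```

The mailbox policy is only as strong as the client's willingness to enforce it, which is Crampton's point about knowing what each platform can and cannot do; the quarantine default and the allowed-device list are the parts that actually stop an unknown handset with valid credentials from syncing.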

The Human Factor

According to The Nielsen Company, more Americans will be using smartphones than feature phones by the end of 2011. Although smartphone adoption was originally spurred by businesses, two-thirds of smartphone buyers are now “personal” users.

Even if an employee is issued a company smartphone, it is common for the employee eventually to question why both personal and professional devices are necessary. Given the choice, most would likely choose their iPhone or Android phone over the company-issued BlackBerry or Windows phone.

“Most professionals already have a smartphone they use on a daily basis. Carrying around another company-issued smartphone is not something they want to do or learn,” said Peter Anderson, CTO at systems integrator CSCI. “However, providing employees the flexibility to use their personal smartphone comes at a great risk to the company.”

Users are emotionally attached to their personal devices. After all, they selected the model and pay for the service. So one apparent solution for employers is to underwrite the expense of the device the user already owns. Some companies provide employees a flat-rate stipend to offset some service costs, or may cover device purchases if users agree to pay for service. That approach has issues, too: users still consider themselves the owners of the devices and, as such, believe they should control what takes place on and via the device.

“There could be incidents where a personal smartphone would have to be confiscated because of data leakage,” said Anderson. “In that case, not only do you have to deal with leakage and the associated liability but now personal privacy and [associated] liabilities.”

One solution is to extend security policies to include personal devices. Such policies typically require that the device be subject to IT control, including but not limited to application control and management, device confiscation, and data wipes.

However, employees often resent the policies’ scope and their apparent threat to personal privacy. When an employee receives a company-issued device, it is generally understood (intellectually and by virtue of signing an agreement) that the device as company property is governed by explicit, enforceable policies. But it is more difficult for employees to accept the same policies applied to their personal devices, even if their company partially offsets the cost.

“If companies want to [allow their employees to use their own devices] there should be a clause or addendum to their employment contract that addresses these issues [and includes] reimbursement,” said CSCI’s Anderson.

The Effect on IT

Another non-trivial consideration of user-chosen mobile devices is the added burden on IT. According to CSCI’s Anderson, a company’s IT staff could end up supporting hundreds of phones across multiple carriers. To avoid the overhead and added security challenges, some companies are “just saying no,” apparently with varying degrees of success.

“Companies need to start looking at how to protect and track their and their customers’ data on personal smartphones, [which] is a non-trivial problem,” said Anderson.

The problem is non-trivial because there are many factors to consider, such as authentication, authorization, encryption, application control and management, content management, anti-virus/anti-spyware/anti-malware, various forms of monitoring, and other controls that previously have been applied to desktops and laptops.

“It is very difficult to prevent employees from using personal mobile devices for business purposes, especially tablets like the iPad and Samsung Galaxy Tab,” said Dan Levin, COO of file sharing service Box.net. “These devices are frequently purchased for ‘personal’ use but it isn’t long before the employee loads up Dropbox or Box.net or some other content management service and starts uploading business content.”

To help bring order to chaos, Levin suggests qualifying and sanctioning a single service and establishing policies that define what content may be accessed on the devices. Similarly, some suggest limiting application access to whitelisted and/or digitally signed applications.

IT departments want to ensure governance and security. But, said John Crupi, CTO of JackBe, they may have difficulty achieving that goal if they do not have a platform strategy in place.

“People have been using security as an excuse,” he said. “Up until a few years ago, not all employees could remotely access email. Now they’re emailing confidential spreadsheets over cellular networks. IT has to extend existing security models into new models.”

Policy Communication, Enforcement Also Important

Security policies and the technologies used to enforce them must be complemented by clear communication so employees are aware of the policies, why they exist, and the ramifications of non-compliance. If employees are unaware of the policies they may unknowingly violate them; if they are inclined to violate them anyway, it is wise to underscore the consequences and back up policies with swift action. Failure to enforce policies renders them toothless and can expose the enterprise to greater liabilities.

In short, the influx of user-procured devices is not just an IT problem but rather an organizational challenge that requires careful consideration, thoughtful execution, and vigilant governance. If you have dealt with the issue, are dealing with it, or would simply like to sound off, we welcome your commentary.

Comments
by gwzoller on 19-06-2011 06:42 PM
This article is fascinating because it sounds like the last desperate gasp of a security ideology about to be overwhelmed by the realities of modern life. Ideas of governance and control will be blasted away by the needs of open mobility. Cities are no longer built with walls around them because technology made this thinking obsolete. If corporate IT manages to lock all these mobile devices down the business is at grave risk of calcifying vs any competition with more open policies, who will have a distinct advantage in technology adoption. Your execs will eventually lay down the law and demand relaxation of the policies after they get their lunch eaten by nimbler, mobile competition. So what to do? Throw open the gates! Let chaos reign--sort of. Rather than a walled city with its (very) false sense of security and very real costs and agility-killing overhead, we need forts. Forts would be much smaller areas of containment protecting a much more selective trove of sensitive data. In an open, mobile world it will be much easier to administer control over a few resources housed in a few strongholds than try vainly to protect an entire corporate network from an onslaught of smart devices and even smarter users (some of whom are your C-level executives). Do you really want to work at a company requiring giving up personal privacy and constricting access to resources needed to do your job in 2011? Do you want to force people to hike their laptops and iPads to McDonalds just to access "the rest of the Internet", y'know--the 50% not blocked by overachieving wall builders?
by LisaMorgan on 19-06-2011 11:42 PM

Excellent points. Companies are really struggling with this. It's a complex problem with no one-size-fits-all resolution.

Has your company adjusted its policies?

by gwzoller on 20-06-2011 06:21 AM

No we haven't. We are still a walled city trying to contain an explosion of mobile tech, energetically encouraged by leadership but causing heart failure to IT. This is a new beast. The old ways of command/control/contain just won't work anymore if we intend to stay technically competitive.


The HP Input Output site is sponsored by HP and features articles and content from HP and third-party contributors. Third-party articles and content, while paid for by HP, do not necessarily represent the views and opinions of HP. HP does not endorse this content and is not responsible for its accuracy, availability and quality.
