It wasn’t too long ago that Apple was a mere blip in a Windows-dominated world. At least its modest market share meant Apple products flew under most cybercriminals’ radars.
But now that Macs are hot again, we’re hearing more about malware attacks like the MacDefender scareware. And with Apple’s monstrously successful iPhone and iPad product lines, there’s a growing concern that these iOS devices could also be an obvious target for tech-savvy thieves — and pose a threat to an entire corporate network.
Should you ban consumer devices?
Before allowing iOS devices into the organization, IT must educate employees about the risks, use tools to safeguard company data and develop policies that can reduce the odds of a security breach. Or should you just ban consumer devices altogether?
“Your company should not develop policies that exclude iOS devices,” says Kevin Sterneckert, research vice president at the Gartner research and consulting group, based in Stamford, Conn. “Your employees are going to use these devices with or without permission. And with the latter, it could expose your network to major security breaches.”
In fact, allowing users to choose the device they want has its benefits. “It could be less expensive for the company if they’re not paying for a device,” adds Sterneckert, “so we’re seeing more of a ‘You bring the device, and we’ll provide the service’ kind of scenario in the workplace today.”
What you can do
Sterneckert says there are three behaviors every company should adopt:
- Require passcode usage. Your end users should use the four-digit PIN on the iPhone and iPad, plus an auto-wipe option that deletes data after a few incorrect login attempts.
- Encrypted backup. Make sure you’re using this added layer of security on the local workstations to which the iOS devices are connected. “This will protect and secure all data on the device,” says Sterneckert.
- Use Find My iPhone. Ensure the Find My iPhone service (free) is enabled, so a lost or stolen device can be located remotely and/or wiped clean.
Microsoft Exchange ActiveSync is also recommended for email. “The challenge is to make sure you put the right guardrails around environments, like email and Web use, that include the right permissions, certificates and keys,” says Sterneckert. “Apple has done a great job at that.”
The importance of usage policies
IT departments should also create policies based on the company’s needs and/or industry’s regulations. Make sure people understand their importance and why they’re in place. For example, it’s possible to limit the downloading of applications from iTunes, disable the iPhone or iPad’s cameras or curb corporate Wi-Fi use for personal reasons.
It is incumbent upon businesses to develop these policies, but it’s not yet highly prevalent among small and midsized businesses, says Tim Bajarin, president of Creative Strategies, a firm based in Campbell, Calif., that provides industry analysis for the tech sector.
Bajarin estimates that less than half of small businesses have formal IT policies in place. “Even when they do, they struggle to enforce them, given the mix of corporate and employee-owned devices across multiple platforms and device categories — although there’s policy management features available through mobile email servers,” he adds.
But not only should you establish a usage policy, you need to offer periodic reminders and education about the security risk too. “These policies should also encompass use of employee-owned devices to access company data — things like mandatory password use, reporting lost/stolen devices or data and avoidance of removable storage are the bare-bones minimum,” says Bajarin.