It's an unstoppable trend: Employees are bringing their own iPhones, iPads, and Android devices to work and using them for business purposes. While that may be great for productivity, the influx of personal smartphones and tablets in the workplace can pose a significant risk to your organization's security if you don't have a strategy for dealing with these new threat vectors.

For most companies, simply banning personal mobile devices is not a realistic option. Today's business realities compel IT departments to accommodate personal mobile devices, despite the risk they introduce – but that risk needs to be managed effectively.

Mobile security risks tend to fall into two broad categories: Device Risks and App Risks.

  • Device Risks stem from the fact that mobile devices are a new class of powerful computer with massive local and cloud storage capabilities, over which organizations typically have far less control than they have over traditional desktop PCs or corporate-managed laptops.
  • App Risks arise from employees installing third-party mobile apps that interact with corporate data stored on the devices, or with your back-end systems. Risks can also arise from mobile apps that your own company develops for employees or customers, as security vulnerabilities may cause these apps to compromise your network or data.

Step 1: Minimize Device Risks with Mobile Device Management Solutions

For a simple yet vivid example of the device risks introduced by an employee-owned phone, just consider the likely scenario of an employee upgrading from an iPhone 4 to a 4S, says Michael Davis, CEO of IT security consulting firm Savid Technologies:

"There will almost certainly be corporate information on the old phone, and the person who that phone is handed to is not trusted," Davis says. "There is no corporate control over the change whatsoever, and that is certainly not what most organizations are used to dealing with."

Think about it: When employees are given free rein on the corporate network with their mobile devices, there is a significant potential for corporate data loss any time a phone is lost, stolen, or even simply sold or exchanged.

What this means is that the very first step for any company is to decide not whether mobile devices will be permitted, but to what extent.

"You need to classify your data, and decide what mobile devices should be allowed to access," says Michael Smith, a senior manager in Symantec's security business practice. "You can't ignore this kind of attack surface and allow it to go unmanaged."

Bill Hau, VP of worldwide professional services at McAfee, agrees. "Employee-owned smartphone access to the network is probably inevitable, so the question is how do you take a risk-based approach to it? You have to ask yourself what you are going to allow. Just email? What other applications?"

As soon as organizations begin to consider limiting access to some applications and controlling what happens to the data that is stored on mobile devices, the need to bring those devices under some form of corporate control becomes clear. Inevitably, that means investing in a Mobile Device Management (MDM) platform that can control which devices can access specific applications on your network. An MDM solution can also carry out activities such as:

  • device provisioning and configuration
  • software distribution
  • encryption and password management
  • remote wipe and lock

In practical terms, that means employees can continue to use their personal or corporate-provided devices for business purposes, provided they agree to allow their device to be managed by the MDM solution.

"An MDM will certainly help you manage risk," says Davis of Savid Technologies. "There is no way to do risk management of mobile devices by hand. There are simply too many different security knobs to turn and different users to deal with in most organizations."

Symantec's Smith concurs: "This is like the problem that laptops posed ten years ago – only ten times worse. The only solution is to configure mobile devices automatically," he says.

Some of the most well-known MDM vendors and products include:
