The BYOD (Bring Your Own Device) wave is already upon us, with employees accessing corporate applications and data via insecure mobile devices this very moment. More and more users are mixing their iPhones with business. While there is a big rush to deploy enterprise solutions that will automatically configure phones for business users, in many companies it will be some time before these are widely used, and even with these corporate controls, much of the overall security depends on user security awareness.
Note that an important component of the grading system is the context. An employee at a U.S. nuclear missile site has greater security requirements than Joe User. However, a key area of risk for iPhones right now is that Joe User has an iPhone and then gets a job at a missile silo. It's environment creep: Joe brings in his iPhone, then he texts and reads email on his phone. Then Joe starts reading confidential email ("Joe, here are the new missile launch codes") and stores it on his phone, then he installs the enterprise gateway remote access software on his iPhone, and so on. In our experience, users are accessing corporate resources regardless of policy, and access is widespread. So while no grading system is perfect, we feel that some of the basic settings identified here can vastly improve security in most situations and also advance enterprise employee security awareness training at the same time.
The free version of SYOD is aimed at individuals. However, IT departments could ask employees to run this on their phones before they are allowed to access company email via their iPhone. This can be considered a mid-market transitional approach for organizations that have not yet deployed or identified a suitable enterprise mobile device management platform, or organizations interested in user awareness training around mobile devices.
Questions, comments, or feedback? Email us at info@redspin.com.