The concept of a mobile computing policy sounds like a natural, right there next to apple pie. Yet many companies have no mobile computing policies, or have policies that are clumsy or poorly communicated.
"The first-round approach for some IT organizations has been that we are just going to lock things down. That has worked to some degree, but it's clearly not stemming the tide. People want to bring these devices to work. They want to use them, and they are going to figure out ways to make that happen," said Daniel Taylor, managing director of The Mobile Enterprise Alliance Inc., a nonprofit trade group based in Wakefield, Mass.
Although personal digital assistants (PDAs) and smartphones have been around for more than a decade, a growing percentage of the available phones now come with some degree of email and Web capabilities, and corporate employees want to take advantage of those features. The popularity of handhelds is changing the rules when it comes to mobile computing policies that once focused strictly on laptops.
"When I talk to customers, they tend to have a fairly good handle on their use of laptops, and they are starting to get a handle on managing and controlling the data on those portable computers. When it comes to handhelds, that is a different story. I'm seeing a lot of companies not really clued into what they can do, and whether they should be doing anything at all," said Eric Maiwald, senior analyst at Burton Group Inc., a research firm in Midvale, Utah.
Experts agree -- the first step in establishing a mobile computing policy for handhelds is identifying who will own the devices. "That's where a lot of companies are scratching their heads," Maiwald said.
At Hologic Inc., a medical equipment manufacturer in Bedford, Mass., management made an unpopular decision to stop buying cell phones and PDAs, but to support access for two types of employee-owned devices: Research In Motion Ltd's BlackBerry and Palm Inc.'s Treo.
"We decided we're not buying phones and PDAs because they are too hard for us to track, and people can get their own devices. We have standardized on two devices, and we will help set them up with their company email," said David M. Rudzinsky, vice president and CIO at Hologic. The new mobile computing policy makes employees responsible for their own, nonbusiness phone use, and frees up the company from having to fix phones and maintain an inventory of old phones when employees leave the company. Employees file expense reports for their business-related service charges.
Once a company determines whether the organization or the employees will own handhelds, they have to look at what type of access users will have, according to experts. Which applications are appropriate? Experts agree that it depends, that each company will have to address its own needs, based on its security concerns and business requirements. Some, such as law enforcement agencies, may have to continue to ban types of mobile access, while others may open the network significantly, particularly for nonregulated horizontal applications.
However, what is important, all add, is that mobile computing policies be documented for both handhelds and portable computers. Craig Mathias, a principal at Farpoint Group in Ashland, Mass., recommends two distinct policies: an acceptable use policy -- for instance, prohibiting access to pornography -- and a security policy.
"A lot of companies don't do this, and I think, ultimately, their legal departments will insist that they do it for the protection of the company and their information resources," Mathias said.
Some other mobile computing tips from industry experts:
- Start with a simple set of policies that can be explained in plain English. The first policy should identify who is liable for a mobile computing device and the related expenses, Taylor said.
- Mathias encourages companies to not only document their policies, but also to review them with all mobile employees. "Explain how it works, and what they should do. For example, tell them if there's a security breach, don't cover it up. Immediately, whatever it says in the mobile computing policy, let the right person know so they can put into place the remediation procedures," he said.
- After you determine ownership of mobile computing devices and which applications people can access, that's the time to identify the appropriate security mechanisms -- antivirus, encryption and authentication tools, virtual private networks -- that you will require, Maiwald said.
- Include the business units in designing mobile computing policies; all risk management flows back to them, Maiwald added.
- Midsized and large companies should have someone on staff or as a consultant to continually examine the state of network security and the evolution of mobile computing technology, Mathias said.
- Revisit mobile computing policies on a 12- to 18-month basis, which matches fairly well with the generational changes in device technologies, Taylor said.
- User awareness extends beyond a handbook and initial training session, according to Maiwald, who recommended that IT use multiple resources in an ongoing manner, including email alerts and articles in company newsletters.
- Don't limit user training to new employees. You may find you have employees with a five-year-old handbook, so revisit mobile computing policies with existing employees, Rudzinsky said.
One important thing IT must always consider is how life is different in the field, Rudzinsky said. "I tell my IT staff who are providing support to these guys to remember that it's not easy for them. They are out there, they are at home, they are alone. Actually, the thing that takes up the most time in my entire IT help desk is supporting the mobile computing workers. You don't touch these people, you can't see them. They can't stop by and drop off a machine, they can't even say come over to my desk and help me. You need to give them extra care and attention," he said.
James M. Connolly is a freelance writer based in Norwood, Mass. He can be reached at firstname.lastname@example.org.