Fortunately, organizations today aren’t using those technologies for mobile devices, he said.
“The good thing is that most enterprises started off with mobility as a brand-new thing,” said Zumerle, co-author of the updated report “How Digital Business Reshapes Mobile Security.” So they bought new mobile security systems to manage and secure their employees’ devices.
The most common one organizations use today to enforce mobile security policies is enterprise mobility management (EMM), which monitors mobile devices and controls employee access to applications. Zumerle said the vast majority of Gartner client organizations use an EMM tool.
A minority of organizations, “for a number of internal reasons — usability, technical reasons — do not want to manage devices,” Zumerle said. “It’s a slightly different approach. Instead of trusting the device, they are trusting parts of the architecture.”
Organizations that choose to “unmanage” devices may pack their email contacts, calendars and business applications into a mobile container and “make sure that container stays safe from any sorts of attacks.”
The personal applications employees use would be outside the container; the advantage is they are isolated from the company-sanctioned business apps, Zumerle said.
Or organizations can set up an enterprise app store. There, employees can browse and download approved applications. Some basic detection programs would be run on the devices workers download apps to — to check whether the devices were “jailbroken,” or had software restrictions removed, or otherwise compromised.
“You would have those sorts of things, but you wouldn’t impose a device-wide enterprise policy,” Zumerle said.
Just the basics
A third category of organizations don’t have proper mobile security systems — but they do impose the most basic security on devices used by their workers. They may use Exchange ActiveSync, a Microsoft protocol that lets users access email and contacts from their employer’s Exchange server. It can be used to impose security on mobile devices, but it’s bare-bones.
“You basically can force a very basic policy onto the device in terms of passcodes encryption and so on,” Zumerle said. “There’s a portion of the industry right now that are still at that stage, where they’re using that basic protocol for some basic management of the device.”