Email Security on Mobile Devices

Written by Dan Blacharski on July 30, 2008

Wouldn’t you know it? Once you’ve finally nailed down security, rolled out all the security devices and software your CIO recommended, and got all your people on board with a set of best practices and policies, now you have to worry about email security on mobile devices.

Once the bane of IT managers everywhere, mobile devices are here to stay. Securing your perimeter is no longer enough, because the perimeter is constantly changing—and the enterprise has gone virtual. There are no more walls around the corporate boundary, and workers everywhere, at all levels, are using mobile devices to access their corporate email.

We’ve had PDAs for some time in the corporate world, like the BlackBerry, and now, mobile phones are gaining more and more functionality. Soon, the “standard” cell phone will include a lot more than just phone calling capability and a few games—users will be looking for extra features like email capability, even in low-cost mobiles. The popularity of consumer-oriented devices like the Apple iPhone will also spill over into the corporate world, as workers come to expect this level of functionality at the office as well. But when corporate email goes mobile, there is a different set of rules, and email managers must get their people on board with a new set of policies. And the first thing to realize is that these enhanced mobile devices are no longer just mobile phones—and they are potentially vulnerable to many of the same attacks as any other network.

The National Institute of Standards (NIST) has just released a document, titled “Guidelines on Cell Phone and PDA Security,” which gives you an excellent starting point. The document, available on NIST’s web site at http://csrc.nist.gov/publications/drafts/800-124/Draft-SP800-124.pdf, provides plenty of valuable information on securing these devices. And while viruses, spam, Trojans, and phishing attacks will become an increasingly major worry on mobiles, some of the greatest worries are loss and theft, and electronic eavesdropping. And unauthorized access is often far too easy on mobiles. You may have rigorous authentication protocols in-house, but when workers take their mobiles with them when they walk out the front door, they may overlook those protocols, neglect to enable passwords, or use passwords that are easily guessed (or simply keep the default password). The report also notes that mobiles can be vulnerable if they are incorrectly configured, and configuration management should extend to mobile devices.

Mobile malware and spam, in the form of text messages, email, and voice messages, have already begun to appear. The NIST document goes into detail about precautions, but its key guidelines are as follows:

  • Organizations should plan and address the security aspects of organization-issued cell phones and PDAs
  • Organizations should employ appropriate security management practices and controls over handheld devices
  • Organizations should ensure that handheld devices are deployed, configured, and managed to meet the organizations’ security requirements and objectives
  • Organizations should ensure an ongoing process of maintaining the security of handheld devices throughout their lifecycle.