Securing email from smartphones
Written by Dan Blacharski on December 1, 2008
An editorial in Processor tackles the issue of mobile phone security in the enterprise, and makes some excellent points that are highly relevant. With smartphones becoming standard-issue equipment in both business and social worlds, IT managers have to face up to the fact that they have to do something to keep control over them. Unfortunately, controlling smartphones is a little trickier than controlling laptops. While it’s common for employees to use company-issued laptops, it’s more likely that employees will be using their own smartphones, and will therefore have an attitude that they can use them as they please, download what they please, and email as they please.
One very good point is that smartphones do not need to have the same level of access to the intranet as a laptop, and firewall rules should be created to offer a more constrained approach to smartphone access. In most cases, employees (at least the ones who aren’t up to no good) will only want and need a very limited subset of services from their smartphones compared to what they might need from a remote laptop.
One of the biggest advantages of the smartphone is that it gives us the ability to check and send email from anywhere. Microsoft Exchange’s default setting allows all mobile devices to retrieve mail on the corporate network, although this can be restricted so that access is granted on an as-needed basis.
According to the article, email and Web browsing are the two biggest areas of smartphone technology that require a secure approach to network access. Securing email from a smartphone is actually fairly straightforward, since the email passes through the mail server and it can be secured from a centralized standpoint. That is, unless you have rogue employees using Yahoo for company business (or state governors, as the case may be), but policy against this should be made very clear from the beginning. And of course, it goes without saying that there should be some encryption in the mix.
Another thing to consider is theft. If a smartphone is stolen, and has not been configured with security in mind, the thief can easily access the owner’s email account, and this could lead to a dangerous breach or theft of information. A policy that requires a password to be entered manually before accessing email from the corporate email server would prevent this in most cases.
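One way to apply the as-needed access and device-password points above on Exchange, as an added example that is not from the original post or the Processor editorial. It uses Exchange Management Shell cmdlets from Exchange 2007/2010 (later versions rename the policy cmdlets to `*-MobileDeviceMailboxPolicy`); the group name, the policy name and the numeric values are assumptions.

```powershell
# Added example: run in the Exchange Management Shell.
# Assumed names: group 'Mobile-Mail-Users', policy 'Smartphone-Baseline'.
$group  = 'Mobile-Mail-Users'
$policy = 'Smartphone-Baseline'

# 1. Policy that forces a device password and an idle lock (values assumed).
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policy -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policy `
        -DevicePasswordEnabled $true `
        -MinDevicePasswordLength 6 `
        -MaxInactivityTimeDeviceLock '00:05:00' `
        -MaxDevicePasswordFailedAttempts 8 `
        -AllowNonProvisionableDevices $false
}

# 2. Allow-list: only members of the group get mobile mail.
$allowed = @(Get-DistributionGroupMember -Identity $group |
    ForEach-Object { $_.DistinguishedName })

# 3. Default-deny. Collect mailboxes first so the Set- calls do not run
#    inside the Get- pipeline (remote sessions reject nested pipelines).
$mailboxes = @(Get-CASMailbox -ResultSize Unlimited)
foreach ($mbx in $mailboxes) {
    if ($allowed -contains $mbx.DistinguishedName) {
        # Approved user: enable sync and bind the password policy.
        Set-CASMailbox -Identity $mbx.DistinguishedName `
            -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy $policy
    }
    elseif ($mbx.ActiveSyncEnabled) {
        # Everyone else: switch off the default-on mobile access.
        Set-CASMailbox -Identity $mbx.DistinguishedName -ActiveSyncEnabled $false
    }
}

# 4. Report who can still sync, for periodic review against the group.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

Adding `-WhatIf` to the `Set-CASMailbox` calls shows which mailboxes would change before anything is applied.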


