Sprint sees mobile device security neglect

Von Robert L.

Most corporate users are unprepared for mobile device security, said Rob Kermode, general manager for customer solutions at Sprint, in a keynote speech at this week"s Wireless Security Conference in Cambridge, Mass.

"Many big companies don"t have a policy around security for mobile devices. We get requests almost daily to write those," he said. In other cases, he said, companies" policies consist of one-line statements.

PDA phone security is a big issue, Kermode said -- one that most of his business customers haven"t fully resolved. While it"s easy to make a business case for providing mobile access, most companies still aren"t prepared to manage the security complexities. Kermode said that explaining the risks to the CEO as succinctly as the benefits is difficult but essential.

Kermode cited one incident where a CEO lost his laptop, which held unencrypted data. The company estimated the full cost to replace the laptop -- and to take all the necessary measures to protect the corporate data -- at US$4 million. The angry CEO then went back to IT. "He was upset because no one told him that might happen," he said.

Kermode stressed the importance of end-to-end security, adding that PDA phone security is a brand-new territory for corporate IT. When asked whether Sprint offers two-factor authentication, Kermode said no. After his presentation, however, another company representative said Sprint would like to add the service and is about to start looking at alternatives.

Several attendees who work in government asked whether Sprint is seeing any standardization of wireless products and services across agencies. Not only is there no standardization, but "some are even using different stuff in the same agency," he replied, adding that the agency that does the best job of standardizing wireless is the U.S. Postal Service.

"You"d like to think it would be the military," he quipped.

Kermode also mentioned Sprint"s new Managed Mobility Services program for corporate accounts, which was launched in March. The service consolidates cellular account billing for all users, allows pooling of airtime minutes between those users and supports value-added services such as automated downloading of applications and data to end-user PDA phones. Today, most corporate customers still set up individual accounts for each user and allow users to pick their own devices. Kermode said the managed services plan is important for security because it centralizes control over PDA phones. "More PDAs are moving from personal to IT-controlled," he said.

Another Sprint representative who was interviewed later lamented that three quarters of corporate customers have not yet moved to consolidated plans. And of those that have, he said, most have been small or midsize companies. Even large, technology-savvy customers like IBM have thus far avoided consolidated accounts, he added.