Handheld Device Security Could Cost More than the Device

Burton Group, a research firm focused on in-depth analysis of enterprise infrastructure technologies, published a research report evaluating enterprise handheld device security. Among the security issues researched is the cost to secure devices such as personal digital assistants and smartphones.

In the research report, "Handheld Device Security," analyst Eric Maiwald calculated that the list prices for a complete set of security products (antivirus, VPN, device security, and management) can be higher than the cost of the device itself. However, Maiwald questions whether all uses of handheld devices require a complete set of products.

"Organizations should perform a risk assessment of any handheld device installation to determine the types of security mechanisms that should be installed on devices and whether the cost is justified by the risk to the organization," said Maiwald. "In some cases, products overlap so that one product may suffice. For example, it may be sufficient for an organization to use a management product to manage the authentication on the device."

According to the report, all of the antivirus vendors and most of the management vendors sell products for both desktop systems and handheld devices.

Burton Group recommendations:

Match Communication Capabilities to Intended Use:
Handheld devices have a number of communication options, not all of which may be necessary. A device that is used to take orders in a distribution company may not need WLAN or WWAN connectivity if the orders will be synchronized when the employee returns to the organization's facilities, and will therefore not require a device firewall.

Extend Existing Products Wherever Possible:
Most large organizations have management systems and security mechanisms such as VPNs, antivirus solutions and file encryption products in place. If these products are able to manage and protect handheld devices, they should be extended by the organization instead of purchasing new products specifically for the devices.

Alternatively, rather than managing devices in house, an organization can work with a network operator that provides device management as a service. In most cases, this option is only open to organizations that choose devices with WWAN capability. As these devices become more prevalent, network operators are likely to offer greater services in terms of asset tracking, software management, and configuration control.

Fill Gaps After Comparing Risk and Cost:
Management products may provide sufficient protection for lost or stolen devices to make the use of security products unnecessary. However device security products generally provide richer authentication and file encryption functionality than do management products, so the organization should determine the risk associated with the compromise of sensitive information on the device.