Many small businesses have blanket bring-your-own-device (BYOD) security rules for employee smartphones and tablets. However, one-size-fits-all policies may not be the best way to go.
In fact, some experts say that it might be best to create separate BYOD policies for Apple's iOS platform and Google's Android platform, because the latter has so many more security issues.
"This is really a tricky issue for most organizations because, in some cases, they're not all that comfortable or familiar with an Android necessarily, at least when they're being used in corporate settings," said Christian Kane, enterprise-mobility analyst at Forrester Research Inc. in Cambridge, Mass.
"Most companies have started with iOS," he said. "When they think of Android, they think of it as inherently less secure, and they think about what it would take to have a baseline of security across all devices."
Controlling who gets on the network
Many companies believe that separate policies for each operating system would increase their overhead, Kane said, so instead they have policy requirements for each new device rather than allowing all BYOD devices.
"It will be more controlled — they'll say, 'We'll only support or allow certain versions of iOS and certain versions of Android,'" Kane said. "Because of what they have from a security standpoint and a management standpoint, that [requirement] will allow companies to have a single baseline for security across the board."
Tech-market analyst Rob Enderle agreed that businesses should select which Android phones they allow. The Android platform is so badly fragmented, he said, that workers shouldn't be allowed to bring in just any Android device they want.
"You have to have them bring in the versions of the operating system that you have validated to work with your stuff," said Enderle, principal analyst for the San Jose, Calif.-based market-research firm Enderle Group. "There are probably some unique requirements that should surround Android because it has been found to be so unsecure."
Enderle said one additional constraint imposed upon Android users might be to have them agree not to use side-loaded applications, which come from outside the official Google Play app store.
"You have to ensure that users only load approved apps, and that they're working off a whitelist [of approved apps] as opposed to a blacklist" of banned apps, Enderle said.
Because Android isn't locked down by Google to the extent iOS is controlled by Apple, businesses have to be sure that users are running anti-virus software that will protect their Android phones.
"Any lockdown requirements have to be met before the phone has been used in the wild by the user, to make sure that no rootkits [powerful forms of malware] have been installed on the phone," Enderle added.
The typical company policy requirement tends to favor using a Samsung-made Android phone, because Samsung has put its own security technology on top of the Android operating system in an attempt to make its devices safer, Enderle said.
"The Apple phones, because they're already locked, the only specific policy is that [they] not be jailbroken," Enderle said. "But with Android, because it really doesn't have to be jailbroken to do all this stuff, you really have to place a series of unique restrictions on it so that it doesn't become contaminated with malware."
One of the problems, though, is that it's not always easy for companies to be sure employees are complying with policy requirements.
"You can put management software on the phone," Enderle said. "Strangely enough, the BlackBerry [security-management] software works on an Android phone."
"A lot of companies have just been banning Android, but I'm not sure that's practical long-term," he added. "You can certainly push the user to a more secure platform, like LG's or Samsung's, and then make sure that they understand that there are rules in place so they know what they're not allowed to do."