The report – titled 'Securing Consumer Devices' – identifies a number of challenges that ITsec professionals face, especially given the fact that many smartphones and tablets were not designed for use in a business environment.
According to the ISF, the potential risks of using portable devices in the workplace include the misuse of the device itself, exploitation of software vulnerabilities and people downloading and then using poorly tested business applications.
Organisations, says the forum, also need to seriously consider the legal issues around who actually owns the device.
Delving into the report reveals that the forum's strategy is to break down consumer device security into four manageable components:
Governance – with no control over consumer devices, little or no visibility of usage and penetration, and poor knowledge of ownership, policies or compliance, organisations need to create a framework for ensuring correct and consistent mobile device security assurance
Users – with no control over consumer device working practices, users are free to mix work and personal tasks and data. Organisations, argues the ISF, need to ensure employees are aware of what constitutes good working practice for mobile devices, by creating an Acceptable Use Policy (AUP) for staff to sign. The report includes an easy-to-use AUP to get businesses started.
Devices – left unprotected and unmanaged, consumer devices are exposed to a range of potential security threats, including malware targeted at the device's OS or apps, unauthorised connections, and compromise and irrecoverable loss of data. Organisations must put in place technical solutions for securing access to mobile devices and content.
Applications and data – the provenance of most apps designed for consumer devices are unknown, and most have not undergone formal testing. Unfortunately, says the report, most users do not think about this when downloading them. Organisations must therefore ensure that apps used for business and the types of data they can access or generate are appropriate and properly tested.
Commenting on the report, Steve Durbin, the ISF's global vice president, said that consumerisation is a fast-moving trend that organisations are struggling to keep up with.
"This report provides the first detailed examination of consumer device security, the challenges and the solutions", he said.
In parallel with the report, Durbin added that the ISF is establishing a Securing Mobile Devices Special Interest Group (SIG). This will, he explained, provide a collaborative environment for members to keep on top of the rapid pace of change in this area.