Today’s organisations need to place more emphasis on how they manage all manner of devices, rather than debating whether to issue corporate mobile devices or allow BYOD. BYOD as a term is now dying; BYOx (bring your own everything) better describes the phenomenon, and the change leaves IT managers with more pressing concerns to address.
For example, does the organisation provide devices to all employees, to some (e.g., managers and executives) or to none? How do user-owned devices connect to the network? How is personal and corporate data kept separate on a mobile device? Who owns, and therefore has unrestricted access to, the data stored on company-owned devices? And what happens when a device that holds company data, or that can connect to the company network, is stolen?
The answer is a comprehensive mobile device management policy. IT managers need a simple way to add and remove data, and a way to control how mobile devices gain access to the network. Another essential component is the ability to safeguard enterprise data through two-factor authentication and sandboxed applications.
Corporate supplied mobile device vs. BYOD
Supplying some or all employees with the mobile devices they need is the fastest way to resolve security issues: the phone or tablet is completely under the control of your IT department, can be locked down to corporate use only, and can be wiped on demand if required.
Drawbacks include the expense and the employee’s degree of understanding that the device is not theirs. Initial awareness that it is a corporate device is high, but the longer it is in someone’s possession, the more they tend to forget. This leads to non-business contacts, photos, etc. ending up on the device, along with potentially problematic downloads (e.g., games that may not be benign from a security standpoint). Data confusion in itself can lead to privacy concerns, and with the introduction of new controls such as the European GDPR proposals, companies need well-thought-out policies in place to manage these devices.
One problem is that most companies’ corporate IT policies were written so long ago that they don’t cover today’s working environment, in which employees regularly access enterprise systems from home and from the road, sometimes from multiple devices. The best way to mitigate risk around supplied devices is to have users read, understand and sign a comprehensive policy that outlines who owns the device, what use is allowed, what is not allowed and the consequences of not following the company’s rules.
Advantages to having employees use their own devices for work include potentially lower costs and convenience for employees, such as not having to carry two devices.
However, there are many potential security and data management pitfalls. The company email system and enterprise systems must be securely accessed, company data on the phone must be kept secure and strict data migration policies must be in place (i.e., don’t transfer company data to an insecure location). Finally, the company must be able to lock and then wipe the device should it be stolen.
Security Issues – Malware and Phishing
There are two main security issues with mobile devices: malware and phishing. Protecting against phishing is, first, a matter of employee education. Although it’s sometimes difficult to identify a phishing message (the email may appear to come from one of the employee’s legitimate contacts), making employees hyper-aware of abnormalities in emails can go a long way toward reducing risk.
Protecting against malware is strictly the responsibility of IT, since the user is often unaware that their device has been infected. It’s essential to use a robust threat detector and to keep devices updated with the latest OS, the latest patches and strong anti-virus applications. This requires enforced application deployment and monitoring as well as automated patch management across the device estate.
Here are further steps to consider:
- Use an identity and access management solution that provides two-factor authentication. A thief who recovers a cached password from the device is then still unable to reach your enterprise data.
- Move to encrypted email, since cloud-based email is a prime target for thieves looking to capture sensitive data.
- Create and maintain access control lists that define which users, devices and apps can access which areas of the network, thus limiting the areas a compromised device can access.
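The two-factor step above is worth seeing in code, because it shows exactly why a cached password on a stolen device is not enough on its own. The following is an added example, not code from the article or from any Autotask product: a login check that requires both a password and a time-based one-time code (TOTP as specified in RFC 6238, HMAC-SHA1, 30-second steps, six digits), rejects a code that has already been used, and tolerates one step of clock skew. The user record, the PBKDF2 password hashing and the error strings are assumptions made for the illustration.

```python
"""Password + TOTP login check (added example; RFC 6238 TOTP, illustrative user store)."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 30   # TOTP time step
DIGITS = 6          # code length shown by authenticator apps
SKEW_STEPS = 1      # accept one step of clock skew either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time // STEP_SECONDS."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // STEP_SECONDS))


@dataclass
class User:
    """Assumed user record: salted password hash plus the shared TOTP secret."""
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_counter: int = -1  # highest TOTP step already consumed (replay guard)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enrol(password: str, totp_secret: bytes) -> User:
    salt = os.urandom(16)
    return User(salt, hash_password(password, salt), totp_secret)


def authenticate(user: User, password: str, code: Optional[str],
                 now: Optional[float] = None) -> str:
    """Return "ok" or a reason string (a production system would return one generic failure)."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return "bad password"
    if code is None:
        # This is the case the article describes: a cached password alone is not enough.
        return "second factor required"
    counter = int(now // STEP_SECONDS)
    accepted = None
    for c in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(user.totp_secret, c), code):
            accepted = c
            break
    if accepted is None:
        return "bad code"
    if accepted <= user.last_counter:
        # Every accepted step is burned, so a code sniffed or shoulder-surfed once cannot be replayed.
        return "code already used"
    user.last_counter = accepted
    return "ok"


if __name__ == "__main__":
    # RFC 4226/6238 test-vector seed, used here so the codes can be checked against the RFC tables.
    seed = b"12345678901234567890"
    user = enrol("correct horse battery staple", seed)
    print(authenticate(user, "correct horse battery staple", None, now=59))      # second factor required
    print(authenticate(user, "correct horse battery staple", totp(seed, 59), now=59))  # ok
    print(authenticate(user, "correct horse battery staple", totp(seed, 59), now=59))  # code already used
```

The `totp` values for the RFC seed match the published RFC 6238 vectors once truncated to six digits (for example, the code at T=59 is 287082), which is a quick way to check an implementation before wiring it to a real IAM backend. Note that the replay guard stores only the last accepted step per user, so it must live in the server-side user record, not on the device.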
Sandbox Applications
An excellent way to protect mobile devices, regardless of who owns them, is to sandbox as many applications as possible, securely separating them from the operating system as well as from other applications. For example, instead of using the mobile device’s built-in email application to connect to corporate email, IT installs a sandboxed email application. The app lets users read and respond to emails online rather than downloading email onto the device. Access to mail can be controlled remotely, and the application can be disabled or removed on demand.
There are currently sandboxed applications for contact databases, email and documents. The uses are different, but the principle is the same: access data and documents online so that they are never downloaded onto the phone. Deployment and control of sandboxed applications happen via a mobile device management solution that lets IT easily delete the apps from a corporate or personal device if it is lost, or from a personal device when someone leaves the company.
Wipe Data
The ability to delete business-related apps from an employee’s personal device and to completely wipe all data from a stolen device is essential to every company’s security. It’s critical to set up procedures that consider every circumstance, including:
- An employee’s personal device with company data/access on it was stolen
- An employee’s corporate phone was stolen
- An employee gives notice: IT needs to ensure he/she no longer has access to company systems after their last day of employment
- An employee with a personal device used for business suddenly leaves the company
- And the big one: an employee’s children must not be able to accidentally access or delete corporate data when given the phone to play games on
Outcome
Today’s technologically complex, highly mobile world dictates a multi-pronged approach to mobile device management that includes:
- A flexible, frequently reviewed mobile device management policy that is understood by all employees
- A strong mobile device management system that lets IT quickly and easily act in the case of a security breach or device theft
- Protecting enterprise systems by using sandboxed applications on mobile devices
Ian van Reenen, Vice President of Engineering and Endpoint Products, Autotask
Ian is responsible for driving the roadmap, development and delivery of all endpoint products at Autotask.
Prior to Autotask, Ian was the founder and CTO for CentraStage, a remote device management solution. He led product roadmap development and managed the development team. He also secured key operational sales and ventures. Autotask acquired CentraStage in September 2014.
Ian attended the University of KwaZulu-Natal, Durban, South Africa and studied Business Information Systems and Economics.