Most organizations have allowed employee mobile devices to become key parts of their IT infrastructure, whether they formally acknowledge it or not. Here are four ways companies can revisit their mobile security policy to acknowledge the role of Bring Your Own Device (BYOD) in enterprise security management, mitigating the risks while still providing employees flexibility and freedom.
1. Recognize Employee-Owned Devices
In today’s enterprise landscape, some staff have subsidized company smartphones, but the vast majority bring their own device and use it as part of their day-to-day work. For companies that don’t have a large number of corporate-issued devices, BYOD must be central to the policy development process.
Mobile security policies should be written to acknowledge that most staff members will use their own devices, and the organization and its employees must work together to manage security risks. The policy should address the reality of shared management between IT and end users, and define the minimum requirements for devices. For example, disk encryption, effective passwords or biometrics, and remote wipe capability are the bare minimum for access to corporate networks.
2. Revisit Heavyweight EMM Strategies
Enterprise mobility management (EMM) tools have promised a large set of features, but often at a high cost in performance and footprint on the device. Mobile devices are faster and more capable than ever, but they still have tight budgets for power, CPU and memory. Security policies with long laundry lists of features based on the EMM tool capabilities need reexamination, especially in an environment where BYOD users may resist heavyweight EMM. Since employees often pay for their own devices with this model, they may push back on installing large, potentially restrictive programs.
Devices dedicated to a particular application or function benefit from heavyweight EMM. For everything else, that aggressive EMM strategy may do more harm than good, especially if end users skip EMM agents entirely because of performance impact or convoluted security workflows.
Experience has shown that the major security risks of mobile devices come from theft or loss, as well as human and application errors. Compromised devices, malware and other obscure attack vectors are less common.
With this in mind, IT managers should configure EMM to mitigate the biggest threats: What happens if a device is lost or misplaced? How can we reduce the likelihood that a user will be phished? How do we update devices and applications in a timely way?
Adjusting your mobile security policy to reduce the footprint of EMM will increase end-user satisfaction and compliance. This lets the IT team focus on true threats rather than spending time debugging EMM complaints.
3. Use the Cloud and Containers to Solve Security Problems
Although not every mobile device will have cloud connectivity at all times, most devices will have internet access on an ongoing basis. The internet becomes a conduit between the device and your data center, and this connection can solve some security problems. Many mobile device vulnerabilities can be mitigated using internet-based services, and mobile security policies should be updated to reflect the easy access to high-speed, inexpensive internet services in most parts of the world.
With the pricing for mobile data consistently dropping, there is no longer a need to be so concerned about data usage. One common concern is that enterprise data accumulating on a mobile device needs to be protected. A cloud-based backup solution that saves enterprise data whenever Wi-Fi is available will shrink the window of vulnerability and mitigate security risks.
For data too sensitive to be downloaded to a mobile device, a combination of cloud-based access and smart caching can give mobile users access to important applications without significantly increasing risk. By keeping most of the data off of the mobile device, the potential that a large enterprise dataset will be exposed when a device is lost is greatly reduced.
Where possible, adjust mobile applications and security policies to avoid data storage. Your smartphone platform may have containers that can separate work from nonwork data, such as Samsung’s Knox Platform for Enterprise or Secure Folder, and these can help protect data stored on devices.
Policies should also include authentication guidelines. Data moved to the cloud may be protected against loss, but if the mobile device has unfettered access, then the device has to be guarded from unauthorized use more than ever. With various types of authentication — including PINs and biometrics — companies can add an extra layer of security that is easy for employees to use on their devices.
4. Focus on the Greatest Risks and Provide Feedback
Now that you have years of mobility experience, step back and subdivide the user community to isolate the riskiest users. Many users will be happy with basic collaboration tools and intranet access. Protecting these users and mitigating the threats to their mobile devices is a fairly simple task. Others who have direct access to databases, travel with sensitive data or run specialized applications represent a different risk profile and will require more attention and focus.
Handle low-risk users differently from high-risk users in your mobile security policy. A one-size-fits-all policy really means one-size-fits-nobody, so adjusting your policy to account for different user classes meets both user and IT needs at the same time. When developing user class criteria, consider:
- How often are users accessing corporate data?
- What types of data are being viewed?
- Are users seeing data across multiple devices?
- Do parts of their job prevent the use of certain authentication methods?
When reviewing mobile security, use the experience you have to feed back to application owners. Traditional enterprise applications can be made “mobile aware” to provide different security views from different locations or devices. For example, blocking mobile access to especially sensitive parts of your intranet reduces the risk of accidental exposure by mobile users.
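The user-class criteria above and the "mobile aware" access rule in this section can be expressed as a small policy evaluator. The following is an added example, not code from the original article or any EMM product; the device attributes, the "low"/"high" user classes and the three sensitivity tiers are assumptions chosen to mirror the minimum device requirements and the intranet-blocking rule described earlier.

```python
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 1      # e.g. basic collaboration tools
    INTERNAL = 2    # general intranet content
    RESTRICTED = 3  # the "especially sensitive" intranet areas


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # allow only after PIN/biometric re-authentication
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    kind: str            # "mobile" or "desktop" (constructed labels)
    encrypted: bool      # disk encryption enabled
    screen_lock: bool    # effective passcode or biometrics configured
    remote_wipe: bool    # enrolled for remote wipe


@dataclass(frozen=True)
class AccessRequest:
    user_class: str      # "low" or "high" risk class, per the criteria above
    device: Device
    sensitivity: Sensitivity


def meets_baseline(device: Device) -> bool:
    """Minimum device requirements before any corporate access is granted."""
    return device.encrypted and device.screen_lock and device.remote_wipe


def decide(req: AccessRequest) -> Decision:
    """Evaluate one request; rules are ordered from most to least restrictive."""
    if not meets_baseline(req.device):
        return Decision.DENY
    if req.sensitivity is Sensitivity.RESTRICTED and req.device.kind == "mobile":
        return Decision.DENY       # keep the most sensitive areas off mobile entirely
    if (req.user_class == "high" and req.device.kind == "mobile"
            and req.sensitivity is Sensitivity.INTERNAL):
        return Decision.STEP_UP    # high-risk users re-authenticate for intranet data
    return Decision.ALLOW
```

A device that fails the baseline is refused regardless of user class, so the evaluator doubles as the compliance check from the first section.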
Keeping these four considerations in mind can not only help you effectively manage your IT strategy in a BYOD environment, but can also help establish a flexible infrastructure that is able to tackle all levels of security threats.