If you are in business today, you use a mobile device regularly. Laptops, tablets and smartphones have become the mainstay of computing, just as the desktop was a few years ago. This is a worldwide phenomenon. This week while traveling on business to South Africa, I noticed that everyone has a smartphone. It’s impossible to go into an elevator, shopping mall or conference room without seeing someone tapping on a phone. I have seen this all over the United States, Europe and Asia.
Because these devices are so ubiquitous, businesses have decided to save money and be more flexible by allowing employees to use their own mobile devices at work. It lets the employee use technology they prefer, while boosting employee efficiency by delivering access from anywhere to business systems. This freedom has also destroyed the increasingly ineffective corporate network perimeter. What was once a walled garden for IT has now become the equivalent of the Wild West.
Businesses have created bring your own device (BYOD) programs that attempt to assert some control over the chaos. BYOD poses business risks, primarily around the loss of a device and the data on it. Employers often cannot assess data breach exposure on unmanaged devices, since many of the standard corporate controls are not implemented on an employee owned device.
There are two approaches that businesses can take to mitigate risk. One is to lock the devices with the same software and policies applied to corporate owned devices. The other is to lock the data to ensure that access is controlled regardless of data location.
The challenge with the first approach is to separate personal from business information. If a company can wipe my personal device, I could lose my personal information. There are also questions of regulatory compliance depending on US state or country you are in, as privacy and data breach notification rules vary. The Mobile Device Management (MDM) market is flooded with vendors offering integrated and standalone tools to manage sandboxed enterprise applications and corporate data containers, but there is a still a lot of work to be done.
A better approach is to focus on the business assets themselves and not the device. Encrypting content and applying security policies to those assets ensures the information is protected regardless of location. If a device is lost or stolen, the content is still protected. Since the content has to “phone home” to allow a user to open it, your security remains whether it’s still on the mobile device or someone copied it elsewhere. Learn more about mobile security here.
Think about a typical day trying to get work done. I download a document from my SharePoint library so I can work on it. I make some edits and copy it to Dropbox so it syncs with other devices. Later in the day, I open the document from a laptop and make some more edits. In the evening I open the document on my iPad for some review and email it to a colleague who make some edits on her laptop. She emails it back and I upload it to SharePoint.
If I didn’t apply encryption and a security policy to the document, I could have a data breach if I lost my iPad or my colleague accidentally emailed the document to the wrong person. By applying a persistent security policy to the document as I download it from SharePoint, it’s protected everywhere. The policy controls who can access the document and what they can do with it. This applies to my desktop, laptop, iPad and my colleague’s laptop. Even while the document is in Dropbox, access is controlled.
Organizations should embrace BYOD as a way to enable productivity, but look at controlling the important information that resides on those devices. Multiple layers of security, including file encryption, dynamic security policies, device PINs and multifactor authentication, ensure usability and safety.