According to Our Mobile Planet, the United States is currently experiencing 31% smartphone penetration, second only to Australia at 37%. And they also state that 53% of Americans get online via smartphone multiple times per day, second to Japan at 68%. Okay, we get it, we’re addicted. The first step is to admit you have a problem, right?
Seemingly everybody has a smartphone and these devices are obviously used while in the workplace. Tablets are brought in, as well. These consumer devices present a security risk – no doubt about it. What are you going to do about it?
You first have to know what you’re up against, and then what stance your company is going to take. I spoke with three experts on this subject: Don Gray, chief security strategist for Solutionary, Jon Heimerl, director of strategic security for Solutionary, and Mike Dillon, CTO for Quest. Here’s what they say you need to be doing in order to not lose control of your company’s security when it comes to personal mobile devices.
Top Security Concerns
CIOs bear the brunt of the challenge when it comes to security for personal devices brought into the workplace. According to news announced yesterday from International Data Corporation (IDC), “CIOs are struggling with the growing number of devices infiltrating their enterprises and must balance the acceptance of these devices with securing and managing corporate assets and keeping users in compliance, while respecting privacy issues.” The news report states, “While more than 80% of enterprises surveyed are planning to spend the same or more on mobility in the next 12–18 months, surprisingly few companies have developed effective mobile policies to address BYOD (Bring Your Own Device).”
Jon Heimerl lists the following as top security concerns for enterprises:
· Influx of malware and viruses: “Regardless of how alert an employee is about their own privacy and security, they are not worried about HIPAA or PCI (Payment Card Industry) compliance on their personal portable devices. The introduction of personal devices into an organizational network will be accompanied by an associated influx of viruses, Trojan horses and other malware.”
· Company information being downloaded on personal devices: “Invariably, organizational information makes its way onto personal devices. This can be as simple as a phone list, or could include email and company files that contain sensitive corporate information, or cached information from the internal organizational network. Data can easily leave the organizational network en masse.”
· The potential to compromise company audit and compliance requirements: “Since the organization may not have control over the device, and the device can include private corporate information, the devices can quickly compromise organizational audit and compliance requirements. CIOs need to think about whether private healthcare information or credit card information has migrated onto a personal device. And if so, do they have a way to ensure that it is properly protected to meet compliance requirements?”
What’s Your Official Stance?
Heimerl states that companies need to have an official stance on mobile devices. Three options to consider are:
· Personal Device: “Employee buys it and supports it, and is fully responsible for complying with organizational policies and requirements.”
· Approved Device: “Employee buys a device that has been approved by the organization. The employee gives up administrative control and the organization manages security of the device.”
· Organizational Device: “Organization buys and provides the mobile device, and authorizes the user ‘appropriate personal use’ of the business device that is owned and managed by the organization.”
Each option comes with its own set of headaches: the administrative overhead of supporting it, the degree of conformity it demands from employees, and how much compliance you can realistically expect from them in return.
So you have an official stance on mobile devices – how do you make sure employees are adhering to it? Don Gray and Mike Dillon offer these suggestions:
· Thoroughly train employees: “Train everyone in your policy and appropriate controls. This should include the employee’s right to privacy, as well as the organization’s right to protect information, and the employee’s responsibilities and obligations to protect organizational information, regardless of what form it takes or where it resides,” said Gray.
· Control mobile data: “To ensure security compliance, an organization will need to control what data a mobile device can access. All connectivity is included in this process including work email, applications, CRMs, shared drives and data policies between an organization’s partners and customers,” suggests Dillon.
· Find tools that fit your business: “Just as you shouldn’t rely on mere policy and training, carefully evaluate the actual capabilities of mobile device configuration and management tools. Find tools that best fit your organization’s technical capabilities, controls and employees. Strongly consider partnering with a 3rd party provider that can help with the evaluation, configuration and on-going monitoring and management,” said Gray.
A company that is aware of the risks it faces can better protect itself against them. Your company is unique, and so are your needs in mobile security. There isn’t a one-size-fits-all answer to this fairly new phenomenon. I’d love to hear how you’re addressing this issue in your company.