Security in an increasingly mobile environment
A variety of devices, including laptops, smartphones, and tablets, have made mobility possible, and the growing Bring Your Own Device (BYOD) trend is now regarded as the next step in mobility. Although the BYOD phenomenon provides many advantages to the business user (and the business), it also introduces a number of threats, particularly to the corporate network.
A strategic security plan is vital, one which brings all mobile devices under policy and incorporates the right solutions to help organisations leverage the benefits of BYOD while minimising risk and protecting valuable business assets.
Mobility has changed the business world dramatically. Where once bringing your own device onto the corporate network was strictly forbidden, this practice is becoming increasingly common, with smartphones and tablets being used for both work and leisure activities, and gaining access to corporate data. The reason for this change in mindset is simple - mobility equals greater business agility, which, in an increasingly fast-paced business environment, is the key to creating a competitive edge.
Mobility helps to increase productivity with the ability to work "on the fly" and, furthermore, employees know how to use, and enjoy using, their own devices. In addition, BYOD can help to reduce capital expenditure, as employees are already paying for these devices themselves, and typically take better care of their own equipment than they would of something that was work-issued. The growth of this trend is evident - Symantec recently conducted a survey in which it was established that 65% of surveyed companies give employees network access through their own devices; 80% of the applications these employees use are not based on-premises, but in the cloud; and 52% regularly use not one, but three or more devices.
A number of new challenges
BYOD, while it can be highly beneficial, can also bring a number of new challenges, specifically around security. Exacerbating this is the large portfolio of devices connecting to the corporate network, many of which the organisation does not own and cannot control in conventional ways. This opens the door to security threats including device loss and theft, the loss of data, data leakage and malware, as well as Wi-Fi and wireless threats. Studies show that businesses are losing significant amounts of money in incidents relating to mobile devices. However, the risks are often thought to outweigh the benefits, and in order to counter this threat it is critical to implement comprehensive security measures.
The first step in tackling the BYOD challenge is to understand how users interact with their mobile devices and what behaviours put corporate networks at risk. Many users of tablets and smartphones synchronise their data to at least one public cloud service, as well as their work and home computers. This can lead to sensitive data being stored in unsecured locations, as well as risks such as corporate emails being sent through personal accounts or file-sharing sites.
Managing this risk requires a mobile strategy to be defined. The first stage of this is to develop clear objectives as to what should be achieved by BYOD, whether this is to increase efficiency, improve productivity, drive revenue growth and so on. This then sets a benchmark against which progress can be measured. It is also essential to define the ultimate scope of the mobile business plan, the opportunities, risks and threats, and the impact this will have on infrastructure. Sensitive data should be secured cross-functionally across all mobile devices and access points.
Ultimately, mobile devices are just another end point - they require management, configuration and policies, and should therefore be integrated into existing systems management. Implementing separate point solutions only adds unnecessarily to the complexity of IT. Mobile devices, as end points, require the same protection and attention as PCs, and many of the processes, policies and technologies that are leveraged for desktops and laptops can also be applied to mobile. Unified policies and solutions will ensure that the management of mobile devices is integrated into the overall IT management framework for greater effectiveness and reduced complexity.
Comprehensive security
Security around mobile devices needs to be comprehensive, going beyond basic password, remote wipe and application blocking policies. The focus should be on the information, where it is viewed, transmitted and stored, and on integration with existing data loss prevention, encryption and authentication policies to ensure compliance with corporate and regulatory frameworks.
In addition to setting strategies and putting policies in place, there are also technology solutions that can assist organisations with supporting and securing BYOD. Mobile Device Management (MDM) solutions enable the remote administration and enrolment of managed mobile devices, ensuring that security policies can be enforced to prevent potentially risky behaviour. Security operations, such as locating and remotely wiping lost or stolen devices, can also be performed. By enabling the remote configuration of mobile devices, organisations can help to eliminate the introduction of malware and limit resource abuse, integrity threats and data loss.
Mobile Application Management (MAM) is another tool that can be used instead of, or in conjunction with, MDM. MAM provides software and services that simplify the creation of internally developed corporate mobile applications. For organisations, a corporate app store is a key tool in providing secure and correct access to mobile apps, enabling organisations to define policies per application, rather than per device. This tool can also be used in combination with MDM, depending on the business, its needs and its objectives.
Mobility is here to stay and organisations need to manage the risks of BYOD effectively, so that they can take advantage of the benefits it delivers. Understanding each of the threats associated with BYOD, and using available tools to assist with management and administration, will allow organisations to implement the correct security protocols and policies to ensure data protection and mitigate a variety of other threats.