Bring Your Own Device, or Disaster?
The increase in employees using their own mobile devices for work purposes has led to a number of new challenges for businesses, in particular keeping devices and the data within them secure. When employees bring their own mobile devices to work, risks inevitably rise. However, the flexibility, efficiency and productivity gained from a successful Bring Your Own Device (BYOD) strategy make it worthwhile if the risks are managed appropriately.
What are the risks?
In simple terms, smartphones and tablets can act as a storage device, exactly the same as storing data on a USB stick. This can be very dangerous for businesses, especially if a device is lost, stolen or simply falls into someone else's hands and hasn't had a Mobile Device Management (MDM) solution installed. In addition to emails and files, smartphones and tablets also have the capability to access more detailed information via CRM or other database applications and services, putting sensitive data in jeopardy. In 2014 a staggering 68 percent of UK businesses suffered a security breach from work mobile phones due to not implementing the right security solutions, proving that this is an issue that can't be ignored.
Loss of data can be damaging for businesses, but what about personal client data held within emails and files, such as confidential staff information and business sensitive information? All of the data you hold must be protected under the Data Protection Act (DPA). This includes data stored on all portable media, where phones and tablets are often overlooked. A good example of this is when BBC News political editor Nick Robinson lost his phone while watching a Manchester United game. The loss was treated as a serious security breach by the government because the phone was believed to hold a large number of personal contact details for key political figures, including the prime minister and the majority of the cabinet. No evidence was found that the data on the phone had been compromised; however, this isn't something that should be taken for granted.
According to Home Office figures, around two million mobile phones are reported as lost each year. Around 1.3 million of these devices are eventually discovered by the owner, usually in a place around the home or in the car, the last place we look. However, this still means around 0.7 million could have fallen into someone else's hands, a worrying number.
Within the DPA, the protection of personal client data is paramount. The Information Commissioner's Office (ICO) is responsible for enforcing this in the UK, and the ICO now has the power to issue monetary penalties of up to £500,000 for serious breaches of the DPA. Since April 2010 many penalties have been enforced, with an increasing number being applied to data loss on portable media (USB drives). As already mentioned, this includes the same data being stored on smartphones and tablets, and the possibility of their access to further data via company databases (via VPN/CRM).
How can risks be managed?
Businesses that rely on sensitive data need to take the time to plan how they will prevent the loss of corporate data if a device is lost or stolen. Password protection is extremely important, helping to limit accessibility of a lost phone. MDM tools can enforce password controls and lock the phone so the sensitive data is no longer accessible, and they provide the ability to fully or selectively wipe the device. With many MDM solutions you are also able to collect telecom usage, as well as locate the device via GPS.
Depending on the solution chosen, you may have the option to protect sensitive information on BYOD devices by encrypting corporate data in a secure container. Enterprise apps and mail servers must share corporate information only in the secure container. This means that email, contact and calendar information cannot be mined by third-party apps, and that the user cannot forward emails using a private email account. You can also go further by disallowing copy and paste, and screenshots, of the data in the containerised section. This data will also be encrypted separately from the user's data.
Using a containerised option within your MDM for BYOD (and optionally for corporate-owned devices) lessens the need to control or block applications or cloud services. This is the ideal with BYOD, as you effectively have a business side of the device and a personal side which do not interact. Business data is protected and personal data is not touched.
The importance of visibility
Implementing an MDM solution provides businesses with tools to create policies for both corporate-owned equipment and BYOD, but it also gives you visibility of all mobile devices, which is vital in maintaining your security. Inactive devices could be a concern regarding data loss and data leakage. Attention should be paid to devices that disappear from your active list, and action taken to bring them back into the fold or to ensure the data they may contain is protected.
Similarly, if an employee moves elsewhere in the business or leaves the business altogether, it is important to ensure sensitive data doesn't go with them. MDM allows administrators to wipe all data on a device (corporate owned) or to selectively wipe just the containerised corporate data, leaving the user's personal data untouched (BYOD).
If BYOD is managed properly through using the right MDM solutions it can be very helpful for businesses, allowing greater flexibility to users and saving on hardware costs. BYOD may only be a small number of devices within a business (users with secondary devices, short-term contract workers) but ensuring you have a secure method of deployment and controls means the security of your corporate data remains the highest priority.
However, if not managed properly, the risks surrounding BYOD, such as loss and data breach, could bring disaster, embarrassment and financial implications via lost business and possible fines.
In conclusion, a decision must be taken by the business around whether BYOD can be implemented safely and securely.
Contributed by David Brady, senior technical consultant at Intercity Telecom.