Personal mobile device use in the business setting is no longer just a trend. The line between consumers and employees continues to blur, making protecting corporate data stored on personal devices a major strategy concern for many businesses.
User behavior -- losing devices, using malicious apps, putting company information in peril -- is going to be one of your major, ongoing sources of problems.
John Girard, VP and Analyst, Gartner Inc.
Constant preaching about how company data is particularly vulnerable on personal mobile devices will only get you so far, however. That's why it is vital to have a rock solid, transparent mobile device management policy that clearly outlines the company's approach to protecting corporate data on employee devices -- and the consequences of not doing so.
"You can run awareness programs continuously -- you are still going to miss people that one way or another are not going to get the message," said Gartner Inc. vice president and analyst John Girard at the Gartner Security and Risk Management Summit 2014 in National Harbor, MD, earlier this month.
"User behavior -- losing devices, using malicious apps, putting company information in peril -- is going to be one of your major, ongoing sources of problems."
Girard was joined Gartner principal research analyst Dionisio Zumerle for two sessions on mobile device management strategy and security at the Gartner Summit. As mobilization in the workplace gains popularity, putting restrictions on what data is used and stored on mobile devices is a fool's errand, Zumerle said.
Instead, companies have to adapt their mobile device management strategy.
"Mobile devices right now are a substitute to personal computers -- and probably will be much more so in the future," Dionisio said. "They will have sensitive data on them. They will have to have email on them. Try to protect the data, try to protect the devices, instead of trying to minimize the data."
In regards to mobility and bring your own device (BYOD) programs, a major first step is to establish the risk framework unique your company. What is the specific data that is vital for your organization? Who has access to that data? And which processes make that data particularly vulnerable from a mobile standpoint? This unique "security baseline" is the heart of any mobile device security strategy, Zumerle said.
"I think the trick here is to be firm, but be reasonable -- if you are not reasonable, security controls tend to be circumvented by users," Zumerle said. "You need to consider the user experience."
Identifying these risks can be difficult, however, especially with the number of platforms, devices and operating systems available for consumers to bring to the workplace. All have unique designs and vulnerabilities to take into consideration when developing a mobile device management or BYOD policy.
IT agencies and associations are starting to notice the importance of -- and obstacles to -- mobile device management strategy, however. Girard called it "a very encouraging sign" that ISACA has begun publishing reference materials outlining where audit standards apply for mobile security and mobile device management.
"You have to really make sure that you create a policy that can be used in all contexts, and that are relevant to your business," Girard said. "The enemy is us if we can't get people to cooperate."
Company data "containment"
When it comes to mobile device management, separating the business from personal data has been the ideal for many organizations. This has led to the development of a mobile data "container" market that provides new ways to isolate information.
These "containers" are designed to route sensitive company data into what is basically a secure bubble on mobile devices. The containers create their own problems however: Companies will still have to develop detailed policy on how and when to use them.
Like much else in the mobility world, the containers also have to be easy to use or people won't use them while personal and business data continues to mingle, Girard said.
"It is always the case that people think they have better apps and better hardware than their companies -- and in many cases it's absolutely true," Girard said. "But doing work outside of the main workflow is going to cause trouble, so the policy has to reflect what's good for the organization and also what works for the organization."
Another mobile device management strategy option is developing a company enterprise app store that lists applications the company has reviewed, deemed safe and appropriate for work.
More on mobile device management
Survey: BYOD, mobile security a top concern for IT department
The mobile influence on information governance processes
"If you have containers in these devices that only speak with that app store, then you have a secure environment where you can download your work applications," Zumerle said. "It is protected so that you are ensured that your data cannot be extracted and sent to the other part of the device."
One important factor to remember when developing mobile device policy is that it's impossible to treat all devices and all users in the same way. Different roles require different devices, different access to data, and different support for those devices.
Tablets throw another kink into mobile device management strategy. As new models are released with more options, an increasing number of business applications are showing up on them.
As a result, tablets will no longer be just a consumer device, and people will try to do their everyday work on them, Zumerle said.
"Tablets will be additive to your burden to the workstation side of your operations going forward," Zumerle said. "You have to be ready with policies on how these devices will contain business information, how business applications will be delivered, and consequences if things don't fall right."
To help, the device management market is quickly evolving to adapt to the mobility trend. High demand for mobile management tools is leading to new developments, and Zumerle predicted vendor offerings will continue to grow more capable and mature by 2014.
While platform providers currently provide basic capability, organizations are typically opting for third party products that provide better security coverage across platforms and improved functionality, he added.
"Mobile security is very volatile, it's emerging as an area," Zumerle said. "It's really important to be tactical about the solutions, to be able to switch from one solution to another."
If implemented correctly and with these considerations, a mobile device management policy not only protects sensitive data, but can boost the bottom line as well. By providing solid proof through policies that the company understands how to protect its sensitive data, it can boost company stock, attract private investors and increase customer confidence, Girard said.
For this policy to be effective, companies have to do their homework on what strategy is best for them, and willing to adapt as technology improves. If not, company data will continue to be vulnerable to mobility.
"Policies will be a living document," Girard said. "Whatever you do, come up with a consistent policy and a reason for it. That's the bottom line."
This was first published in June 2013