Employee-owned smartphone use for work purposes continues to expand, and the governance, risk and compliance implications of the trend are beginning to take hold. According to a recent survey by SearchCompliance, "security" was cited by 96% of respondents as being among their top concerns regarding bring your own device (BYOD)/consumerization of IT.
"Compliance" was the second-ranked top BYOD/consumerization concern in the survey, taken by 773 IT professionals during SearchCompliance's April 24 virtual conference, The State of Cyber Security 2013.
New mobile technology and new user models requires a new breed of management -- that's what you should be thinking about as you move forward.
Jack E. Gold,
founder and principal analyst, J.Gold Associates
"It's another moving part that we need to keep track of," said Theresa M. Grafenstine, inspector general for the U.S. House of Representatives. With mobile devices being used to share as much information as possible, Grafenstine cited the difficulty of maintaining data security. "As security professionals, we want to be as tightly controlled with our information as possible; it just adds another layer of complexity."
New technology is changing the way we do business -- often in positive ways, noted Grafenstine and other virtual conference presenters. "To make workers more productive" was cited by 41% of survey respondents as the primary driver of IT consumerization at their organization.
It's important, however, to remember these small mobile devices have vast capabilities. Businesses are forced to re-engineer business processes and implement security tools to offset mobile device security risks.
"Our job as security professionals is not to say 'no,' -- our job is to tell our senior leaders or our CEOs what are the risks and the rewards of bringing this technology into the organization," said conference presenter Ron Ross, Ph.D., senior computer scientist and information security researcher at the National Institute of Standards and Technology.
There are compelling arguments for mobile technology use in the workplace, Ross said, but IT security leaders need to have discussions with the C-suite about what mobile device security controls are in place. For example, "network security" was cited by 28% of respondents as the area of IT spending most likely to increase because of a BYOD project.
"We have to have our eyes wide open and say, 'Look, if we are using [these] new [mobile device] technologies, what kinds of controls should we expect on those devices that we normally deploy on our laptops or our workstations?'," Ross said.
Complexity complicates mobile security
Mobile device security is made much more complex simply because of the number of devices available to the consumer. The myriad types and brands used by employees in the work setting each have different types of potential security vulnerabilities, said presenter Jack E. Gold, founder and principal analyst at J.Gold Associates.
Employees don't necessarily want to put corporate data at risk when using their personal devices in the workplace; they just don't know how not to, Gold added.
"Consumers generally focus on convenience," Gold said. "They generally focus on getting what they want, when they want it, and generally have a lack of knowledge of risks and of bad behaviors."
As a result, a BYOD policy and strategy should be developed and clearly communicated to all employees, according to Gold. Survey respondents seem to be paying attention to his advice: 68% said they currently have a policy in place for the use of personal devices at work, and 19% are developing one.
More on mobile
Prepare your mobile strategy for the connectivity wave
How mobility is influencing data management strategy
A lack of BYOD strategy and accompanying policy can dramatically increase the likelihood of data breaches, Gold said.
"The lack of a strategy is one of the single biggest risk factors when losing control of mobility and mobile infrastructure," Gold said.
Gold suggested organizations concentrate on securing applications, rather than the device itself.
"Increasingly, companies are allowing users to download apps from an app store in the business setting -- there should be a lot of restrictions around that," Gold said. "It's not so much what app I have running on what device, as [it is] what is the capability of the app and how will it affect my use and my security environment?"
Despite the increased move to mobilization in the workplace, survey respondents were all over the map when asked about their organization's position on smartphone use: 31% of respondents said their organization allows employee-owned smartphones in the enterprise, but that use isn't supported by IT. Only 17% of respondents said their organization allows all employees to use smartphones for work purposes, with this activity supported by IT.
Twenty six percent of respondents said personal smartphone use was "strictly forbidden" for work purposes -- most likely because of the security concerns. If done smartly, however, increasingly complex mobile environments can be brought under control while satisfying end-user demands, Gold said.
"New mobile technology and new user models requires a new breed of management -- that's what you should be thinking about as you move forward," Gold said.