BYOD and Enterprise Apps: Balancing Security and Employee Privacy

The COVID-19 pandemic has required businesses all over the world to equip millions of employees to work from home, and, as a result, the “bring your own device” (BYOD) model of IT has never been more prevalent.

If employees are going to use enterprise mobile apps on their own phones, enterprise IT needs to ensure these apps are secure. After all, cyber-criminals are well aware that valuable data is often stored unencrypted on smartphones. That data needs to be protected.

At the same time, IT needs to protect data without compromising employee privacy. The challenge is that many enterprise mobility management platforms are fairly intrusive. Certainly, organizations need a mobile data protection solution to prevent valuable assets, sensitive information, and intellectual property from falling into the wrong hands.

Considering potentially catastrophic reputation damage and the legal consequences that can arise from just a single breach, a complete mobile data protection solution isn’t just optional  — it’s mandatory.

On the surface, this problem may seem like an enforcement issue, causing IT to believe that they should implement new BYOD program policies that clamp down even harder on “rule-breakers” and invest more money in monitoring tools and network security staff. However, a deeper look reveals that the real issue isn’t about enforcement after all, it’s about mobile user privacy.

Employees’ fears are not unwarranted. Many BYOD program policies grant enterprises an unprecedented degree of access and monitoring rights. To achieve maximum protection, some enterprises require employees who use their personal devices for work to deploy enterprise mobility management (EMM) and Mobile Application Management (MAM) tools, which gives their employer access to all their private, personal data on the device and could, in some cases, enable enterprise IT to remotely wipe the phone.

While some CISOs and other security professionals may view this trade-off between a user’s expectation of privacy and an enterprise’s need for security as a “necessary evil” – and there can be some truth in this – the reality is that mobile users aren’t accepting the deal.

Indeed, many users may resent what they consider unreasonable BYOD program policies, which they feel violates their privacy. They also don’t trust IT departments to leave their private data untouched, let alone remotely manage or “wipe” their devices. This mistrust isn’t limited to IT departments either – it weakens the fabric of the critical employer-employee bond.

Beyond preserving the trust of their employees, employers must also contend with data privacy regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations make organizations responsible for the privacy of employee data that they hold or manage, and if employers are managing their employees’ personal smartphones, that data arguably falls under these regulatory schemas, potentially creating legal headaches.

Balancing User Privacy with Enterprise Security

In the current economic environment, it’s unlikely that many enterprises that haven’t already supplied their employees with company smartphones are going to do so now. This creates a seemingly intractable dilemma for IT that pits employee privacy against enterprise security.

To untie this Gordian knot, enterprise IT should change its focus. Instead of trying to secure employees’ devices, IT should concentrate on securing the enterprise apps employees will use. Specifically, they need to encrypt and protect all data, and provide authentication and VPN capabilities directly inside their mobile apps to secure the connection to back-end servers and control the apps without a device management console.

All data that apps store locally on the device must be encrypted. Without encryption, malware can easily access and steal this information. Likewise, if a physical device itself is stolen, unencrypted data is trivial for cyber-criminals to obtain.

It’s also important to use the right form of encryption. Older encryption standards are now known to have critical flaws or have been cracked by researchers. To ensure encryption is sufficiently strong, developers must use AES-256 encryption or higher — the standard required by the U.S. government — to protect all data elements in the app, including strings, preferences and resources.

When it comes to authentication, organizations need to deliver easy and familiar workflows inside mobile apps, but they are not typically built to authenticate to the same corporate environments used by desktops or by the same methods used by other apps.

On top of that, fragmented sign-on experiences require employees to pass several, often different and unfamiliar, steps to authenticate and use mobile apps. This degrades the usability and usefulness of that app as well as it unnecessarily complicates the mobile app infrastructure. Ideally, enterprise apps will provide single sign-on (SSO) capabilities to improve the end-user experience.

Enterprise IT also needs to implement the ability to control the app and its data, with the ability to revoke access and delete information associated with it, if necessary.

These security functions can be implemented manually or through the incorporation of software development kits (SDKs), so long as the enterprise has access to the source code. In many cases, that’s not possible, and manual development of security features is expensive and time-consuming. In these situations, no-code platforms that fuse new functionality directly to the binary can provide a quick means to secure enterprise apps for employees on a BYOD model.

BYOD doesn’t have to mean sacrificing either security or employee privacy. If IT focuses on ensuring security for enterprise apps, employees can safely work with corporate and personal data on the same device, boosting productivity and performance.

What’s Hot on Infosecurity Magazine?