We all know that employees’ personal devices are a core element of corporate IT today. Like it or not, the business benefits of allowing users to take their work out of the office have pushed organizations to adopt cloud and mobile.
That’s not to say that security doesn’t need to be taken into consideration – it does. It’s just that some mobile security policies and solutions are at odds with the culture of productivity, freedom, and flexibility that organizations are working to enable.
We live in an age where privacy is increasingly important and companies must strike a better balance between mobility, privacy, and security.
Security teams need to protect corporate data on mobile devices to limit data breaches and to comply with data protection regulations. To do this, the usual approach is a full belt-and-braces security audit: installing Mobile Device Management or Mobile Application Management software on personal devices. As this involves installing software agents on employee phones and tablets, they effectively give IT teams control over all traffic to and from the device.
At the outset, setting up and maintaining MDM/MAM is a logistical headache. IT teams have to install the software across potentially thousands of devices, and then make sure that it is regularly updated and maintained with the latest threat information. This method of roll-out involves placing an agent on every employee’s personal device and using it to force all activity through the corporate network. It allows IT to keep an eye on corporate data, but also means that users’ private banking activity, social networking and a whole host of irrelevant information is also proxied via the corporate network.
A recent experiment tested the extent to which an unscrupulous IT team member could potentially monitor and control a personal device without the owner’s knowledge. By routing traffic through the same proxies used to manage devices and conduct security audits, it’s possible to capture browsing activity and even transmit login details back to the company, in plain text.
It’s also possible to monitor outbound and inbound communications, force GPS to remain active to track location and out-of-work habits and remotely restrict device functionality. If an employee was to change jobs, a company could effect a full device wipe, meaning that all data (personal contacts, photos, videos) would be lost in the process.
Times are changing. People are increasingly concerned about the extent to which their privacy is being diluted by online activities. With data breaches in the news and regulations emerging that have been created to help give power back to the people, it’s not surprising that privacy is a concern.
Indeed, a previous study found that more than half of employees choose not to participate in their company’s personal device program because of privacy fears.
IT managers are stuck between a rock and a hard place; they can either see or control too much of employees’ daily activity, or have no security controls in place. This dilemma should force us to identify real mobile security requirements.
Here’s where the majority of IT teams get it wrong: instead of tracking all activity, companies really only need to focus on protecting corporate data. Instead of controlling every aspect of a personal mobile phone, they could limit access from risky devices and destinations.
IT teams don’t need to invasively audit a device. In fact, they shouldn’t need to place a software agent on personal devices at all.
The next-generation workforce is very sensitive to issues of personal privacy and we’re already seeing a backlash against current mobile security policies. What companies need is a better way to keep data secure and allow employees to access the data they need, on their own devices.
Understandably, organizations can’t sacrifice security for mobility. That said, where it’s possible to improve both – to better protect data while enabling employee productivity and flexibility – IT leaders must make that change.