The use of employee-owned devices, known as “Bring Your Own Device” (BYOD), has emerged and continues to develop in organizations. In a BYOD scenario, employees work on their own mobile devices. Individual consumers find it much easier to keep up with changing technology. Very often, employee devices are more advanced than the devices an enterprise would issue; BYOD also increases the mobility of individual employees in an increasingly mobile world.
However, doing business with mobile and employee-owned devices can make enterprises particularly vulnerable to security breaches. Without an understanding of the problems and their solutions, going mobile can mean compromising on security. Wireless technology does not need to be any less secure than other ways of handling data, but certain steps must be taken to maintain security when doing business via mobile devices.
This article presents a set of recommendations on how to prevent these security issues in mobile business. These policies can result in cost savings, increased employee satisfaction, and productivity gains.
Risks caused by the end user
End user error is responsible for a considerable amount of mobile business vulnerability. It is believed that most breaches happen due to user error. Many smartphone users do not use any kind of password protection. Mobile devices are fifteen times more likely than laptops to be lost or stolen. Extra protections are necessary, but basic steps can go a long way. Training and frequent updates are central to preventing such a high rate of user error.
- Engage users in protecting their own devices:
Mobile device users should take a series of steps on their own to secure corporate as well as personal data. Many third-party apps can introduce malware or a virus once a user downloads them. It is therefore necessary to regulate other apps on the network, even those not used to store sensitive data. A vulnerable app can lead to a vulnerable device or even a vulnerable network. Symantec also advises users to update very frequently and to be more selective about granting permissions to apps on the device.
- Create a database of employees and contractors:
Maintain the database of employees and contractors rigorously in order to reduce security risks related to end users. It should be kept fully up to date. Active Directory is a popular tool for this; however, to be properly effective, Active Directory must be kept current with frequent updates. Active Directory is a service developed by Microsoft for Windows domain networks to authenticate users and automatically grant them the correct security privileges. Furthermore, communication between IT and HR, including real-time communication, is necessary to maintain a proper database for security privileges. Real-time communication allows instant updates in the event of a change in employee or contractor status. Frequent attention and updates are key to maintaining security strategies.
- Beware of consumer-grade tools.
Another user-related risk involves corporate users using consumer-grade file-sharing tools such as Dropbox. These tools are often ill-equipped to protect sensitive corporate data. Providing corporate-grade tools with IT management and visibility throughout the enterprise gives users the choice to use more secure tools, which in turn reduces security risks. Having data stored in a cloud and then accessed is much safer than actual file sharing. If an enterprise fails to supply the right tools for sharing data, users will choose their own, less secure, consumer-grade tools.
- Train and train, but don’t stop there.
Training users about device safety and enforcing the above practices is still not enough. End users must be reminded that their own personal information is protected by the same security policies. The interests of protecting corporate information are aligned with protecting personal information. Emphasizing this point to employees and contractors will prevent much end user security risk.
Requirements to reduce the security risks
Configurations of mobile devices will vary widely, but in order to benefit from enterprise mobility, it is reasonable to have requirements that must be met before devices are permitted to plug into the network. Encryption and stringent authentication are examples of standards that you can and should require, whether you are providing the device or permitting users to plug in their own devices.
- Data encryption:
Encryption should be a requirement in any Bring-Your-Own-Device (BYOD) situation, even though most mobile users do not tend to encrypt their own mobile data. It should be an absolute enterprise requirement for doing business on personal mobile devices. Encryption of the data itself guarantees that information is protected even when moved between different devices and media. Android phones come with an “Encrypt Data” option to encrypt apps, while many third-party vendors offer a variety of ways to automatically encrypt data for different operating systems. iOS comes with built-in encryption.
- Stringent authentication is another must-have:
Since mobile devices are stolen or lost with relative ease, two-factor authentication should be implemented on any device used for business information. A password alone provides relatively weak protection, but two-factor authentication, which involves fingerprint identification or a security token, can increase protection greatly. Choosing devices which can accommodate these options will boost security.
- Password management applications:
Password managers are another key to mobile security. Instead of accepting the risks associated with writing passwords down on paper or storing them on the device, use password management software to keep track of these passwords and keep them secure. End users must also allow some IT access to personal devices when they are used to store enterprise data. If a device is lost or stolen, this allows IT to immediately delete any corporate data on the device.
- IT support:
IT support for end users is another essential tool. In order to manage encryption and other security implementations in applications, you will need to provide users with quick IT support for the devices in use, or they will be unable to comply with the requirements. A ratio of one full-time IT support employee for every five thousand devices employed is a good rule of thumb. The variety of devices and operating systems found in modern mobile business adds to the need for available tech support.
- Choose your devices carefully.
In some ways, the greater the variety of vendors, the more difficult it is to put effective mobile security in place. Using one vendor with a broad range of devices available can be helpful to this end. It will be easier to set standards for security if you have an enforced list of acceptable devices.
Protecting systems and data
Some corporate data is simply too sensitive or high-risk to be stored securely on personal mobile devices. An enterprise with a data cloud or cloud virtualization can solve this problem.
- Maintain information on your user pool and adjust permissions quickly and reactively.
Maintaining the database of employees and contractors is your primary task, and accomplishing it requires access to and preservation of this information. Integrating the database with specific permissions provides a degree of maintenance and sophistication that enhances security. Updating access regularly as employee status changes can be helpful, as it can improve the sophistication of your access policies. For instance, you can improve security significantly by increasing selectivity based on factors such as the job title.
- Use Mobile Device Management (MDM) software.
In response to these new challenges of mobile data management, many vendors have made Mobile Device Management software available. This allows IT to make sure the device is authenticated and has not been compromised, which increases protection immensely. MDM is quickly becoming standard for enterprises that store data on employee-owned devices. Mobile Device Management attempts to secure different data while incurring as little cost as possible. This software can protect all devices operating on a given network, with the ability to send updates, record activity, remotely lock or wipe a device, and more. Popular choices for mobile device management include Microsoft’s Exchange ActiveSync and BlackBerry Enterprise Server for RIM devices.
- Back up as rigorously as you would back up your desktop devices and network drives.
Lastly, backup and restore processes are vital to mobile security. The program you choose should be easy and efficient to use and manage. Many backup programs are available that can regularly back up your mobile device, preventing your data from being lost in the event of a disaster.
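The reconciliation between HR records and the directory that the sections on the employee and contractor database and on adjusting permissions call for can be automated. The following is an added example, not part of the original article; the record layout, group names and the job-title-to-group mapping are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample data: HR roster export (source of truth for status and job title).
HR_ROSTER = [
    {"id": "e100", "title": "Engineer", "status": "active", "end_date": None},
    {"id": "e101", "title": "Sales", "status": "terminated", "end_date": date(2024, 3, 1)},
    {"id": "c200", "title": "Contractor", "status": "active", "end_date": date(2024, 4, 30)},
    {"id": "e102", "title": "Sales", "status": "active", "end_date": None},
]

# Constructed sample data: accounts as exported from the directory.
DIRECTORY = [
    {"id": "e100", "enabled": True, "groups": {"mail", "source-code"}},
    {"id": "e101", "enabled": True, "groups": {"mail", "crm"}},
    {"id": "c200", "enabled": True, "groups": {"mail"}},
    {"id": "e102", "enabled": True, "groups": {"mail", "crm", "source-code"}},
    {"id": "x999", "enabled": True, "groups": {"mail"}},
]

# Hypothetical mapping from job title to the groups that title is entitled to.
ENTITLEMENTS = {
    "Engineer": {"mail", "source-code"},
    "Sales": {"mail", "crm"},
    "Contractor": {"mail"},
}

def reconcile(hr_roster, directory, entitlements, today):
    """Return (accounts_to_disable, excess_groups) from comparing HR with the directory."""
    hr = {p["id"]: p for p in hr_roster}
    to_disable, excess = {}, {}
    for acct in directory:
        if not acct["enabled"]:
            continue
        person = hr.get(acct["id"])
        if person is None:
            to_disable[acct["id"]] = "no HR record"
        elif person["status"] != "active":
            to_disable[acct["id"]] = "status is " + person["status"]
        elif person["end_date"] and person["end_date"] < today:
            to_disable[acct["id"]] = "contract ended"
        else:
            # Unknown titles get no entitlements, so every group is flagged.
            extra = acct["groups"] - entitlements.get(person["title"], set())
            if extra:
                excess[acct["id"]] = sorted(extra)
    return to_disable, excess

if __name__ == "__main__":
    print(reconcile(HR_ROSTER, DIRECTORY, ENTITLEMENTS, date(2024, 5, 15)))
```

Running this on every HR status change, rather than on a fixed schedule, matches the real-time IT and HR communication recommended earlier.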
In some ways, combining mobile with business does open the gate to vulnerabilities. Without proper steps, and with a general unawareness of such vulnerabilities, a business will end up in an unsecured environment. Enterprise mobility can manage security risks and achieve a secured environment through training and the implementation of appropriate policies, applications and technologies.