Like many information security professionals, Candice Alexander was first forced to deal with an employee-owned device when her boss brought in an Apple iPad and requested that it be connected to the network.
Alexander's first reaction? "You've got to be kidding me," she says. Yet, the IT security manager, and later chief information security officer (CISO), for the N.H.-based healthcare firm Long Term Care Partners, quickly realized that the company would have to find a way to deal with such requests. "We are at a point in the business world where information has to be at our fingertips, and as information technology people, we have to be able to support that."
While many IT security managers would connect first and ask questions later, Alexander, now an information security and policy consultant, spearheaded a strategy to secure data on bring your own devices (BYODs). It's a step that many organizations initially skip in their mobile device policy initiatives, which causes later complications.
BYOD is often viewed as a technology problem. Only 10% of CISOs considered an enterprise strategy for BYOD as the most important capability to secure mobile devices, according to the 2013 IBM Chief Information Security Officer Assessment.
"It's funny when [I'm] asked about where to start, because users are already doing this," says John Whaley, founder and chief technology officer of Moka5, a maker of mobile endpoint management software. "Companies need to acknowledge that it's happening, and not bury their heads in the sand."
For IT security leaders, the two critical steps in securing devices employees bring into the enterprise are to create an overall strategy and use it to guide the creation of a policy for BYOD workers. But fewer than 40% of companies have crafted an incident-response policy for personally owned devices, and only 29% have created an overall enterprise strategy to deal with the security issues employee-owned devices create, according to the IBM study.
Rather than develop a specific BYOD policy, companies should create broad policies that work across all endpoint devices, says Vijay Dheap, a global product manager for mobile security at IBM Security Solutions.
"They should remove the overhead of having to devise yet a new strategy or yet a new portfolio of policies for a specific set of devices, because the behavior over all the endpoint devices is changing," he says.
Build business relations to create the right policy
Creating a mobile device policy requires that companies bring together a variety of departments to account for the entire business's needs. Information technology leaders should not be the only contributors to the discussion, says Theodora Titonis, vice president of mobile at Veracode, an application-security firm. Legal and risk-management groups need to be present at the creation of any policy.
"We need to establish a dialogue, and be the conduit between the business folks, to come to a list of objectives for success," Titonis says.
A poorly thought-out mobile device policy can cause significant security issues: Too lenient a policy could allow a data leak, while too draconian a policy could cause problems for employees.
Just ask Peter Bauer, the CEO of email services firm Mimecast. While on vacation in South Africa in 2010, Bauer lost all the photos taken of the first half of the trip when his daughter attempted to use his phone and instead, after entering the wrong PIN five times, triggered the company's automated remote wipe policy.
"The big issue for IT is that the boundaries between personal and professional communication have all but disappeared," he says. "With BYOD, it's natural that I carry personal content around with me as well as my business tools, but that comes with its own risks.
"It's the same with the use of consumer cloud services inside the enterprise," adds Bauer. "It's a phenomenon we call ‘bring your own cloud,' and it's arguably more threatening to data security than BYOD. If IT is obliged to accommodate end-user preferences like this, there is no other option but to enforce some fairly strict security policies across the board."
Any mobile device policy should clearly spell out the company's requirements and the potential risks in using mobile devices. Nearly three-quarters of IT leaders and professionals believe that employees' use of mobile devices for work puts sensitive data at risk of being compromised, according to the 2013 IT Industry Survey: BYOD published by TEKsystems, an IT personnel provider.
Device, apps or data?
A key decision in creating a mobile security strategy is for CISOs to decide where they want to focus their control efforts. Whether an organization chooses to protect the device, only allow certain apps to touch business data or just focus on the data, this decision influences the company's strategy and the resultant policy.
Focusing on the device tends to be the approach of organizations that have historically had to deal with a managed fleet of mobile devices or laptops. While smartphones and tablets have been the most obvious devices to break the perimeter and come to the attention of IT security teams, many of the issues that they highlight are not unique. Most companies have been dealing with the same issues with notebook computers and employees working on their desktops at home.
"Mobile device management has historically been the predominant way that companies could protect their data," says Horacio Zambrano, senior director of product management and strategy for Juniper Networks.
Another approach is for the company to only support devices that have the necessary set of features to allow the smartphone or tablet to be verifiably protected, says Scott Totzke, senior vice president of BlackBerry security.
"The device itself needs to have a degree of resilience to attack," he says.
Yet, increasingly, companies are focusing not on the devices, but on the apps and data -- in some cases, to the extent of treating BYOD as an exercise in data-loss prevention, says Moka5's Whaley. The chief way to protect data on a variety of devices is to use secure-container technology.
Focusing on containerization also helps companies avoid sticky legal and policy issues about acting as Big Brother managing an employee's phone usage. In addition, separating corporate data from personal data avoids issues such as the "accidental" remote wipe of Mimecast CEO Bauer's personal device: Companies can just delete the business data without touching personal data, says Neal Foster, executive director for integrated solutions at Dell Software.
"The first time that you have to delete personal photos off a device, especially when it belongs to a high-level employee, that's when you are moving to containerization," he says.
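The difference between a device-level wipe (the Mimecast anecdote above, where five wrong PINs cost the CEO his holiday photos) and the container-scoped wipe that Foster describes comes down to which encryption key the lockout policy destroys. The simulation below is an added example written for this page, not code from the article or from any product it mentions. It assumes a toy HMAC-SHA256 stream cipher standing in for the platform's file encryption, a constructed container PIN of "2468", and constructed file names and contents; personal files sit under a device key, corporate files under a separate container key, and a wipe is simply the destruction of one of those keys.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode, XORed over the data.
    Assumption for this illustration only; it stands in for the device's real
    file encryption and must not be used as production crypto."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ManagedDevice:
    """Simulated BYOD phone. Personal files are encrypted under the device key,
    corporate files under a separate container key. A wipe destroys a key, so
    the ciphertext left behind is unrecoverable. wipe_scope selects whether a
    PIN lockout wipes the whole device or only the corporate container."""

    def __init__(self, container_pin: str, wipe_scope: str = "container",
                 max_failed_attempts: int = 5):
        self.device_key = secrets.token_bytes(32)
        self.container_key = secrets.token_bytes(32)
        self.personal = {}    # name -> (nonce, ciphertext)
        self.corporate = {}   # name -> (nonce, ciphertext)
        self._container_pin = container_pin  # constructed sample PIN
        self.wipe_scope = wipe_scope          # "container" or "device"
        self.max_failed_attempts = max_failed_attempts
        self.failed_attempts = 0

    @staticmethod
    def _put(area, key, name, data):
        nonce = secrets.token_bytes(16)
        area[name] = (nonce, _keystream_xor(key, nonce, data))

    @staticmethod
    def _get(area, key, name):
        if key is None:
            raise PermissionError("key destroyed: data is unrecoverable")
        nonce, ciphertext = area[name]
        return _keystream_xor(key, nonce, ciphertext)

    def store_personal(self, name, data):
        self._put(self.personal, self.device_key, name, data)

    def store_corporate(self, name, data):
        self._put(self.corporate, self.container_key, name, data)

    def read_personal(self, name):
        return self._get(self.personal, self.device_key, name)

    def read_corporate(self, name):
        return self._get(self.corporate, self.container_key, name)

    def selective_wipe(self):
        """Container-scoped wipe: only the corporate key is destroyed."""
        self.container_key = None

    def full_wipe(self):
        """Device-level wipe: personal data is lost along with corporate data."""
        self.device_key = None
        self.container_key = None

    def unlock_container(self, pin: str) -> bool:
        """Check the container PIN; repeated failure triggers the configured wipe."""
        if hmac.compare_digest(pin.encode(), self._container_pin.encode()):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_failed_attempts:
            if self.wipe_scope == "device":
                self.full_wipe()
            else:
                self.selective_wipe()
        return False


def _readable(reader, name) -> bool:
    try:
        reader(name)
        return True
    except PermissionError:
        return False


def simulate_failed_pins(wipe_scope: str) -> dict:
    """Five wrong PINs on a phone holding one personal photo and one corporate
    file (constructed sample data); reports what survives under each policy."""
    dev = ManagedDevice(container_pin="2468", wipe_scope=wipe_scope)
    dev.store_personal("holiday.jpg", b"family photo bytes")
    dev.store_corporate("forecast.xlsx", b"quarterly numbers")
    for _ in range(5):
        dev.unlock_container("0000")
    return {
        "personal_readable": _readable(dev.read_personal, "holiday.jpg"),
        "corporate_readable": _readable(dev.read_corporate, "forecast.xlsx"),
    }


if __name__ == "__main__":
    print("device-scoped policy:   ", simulate_failed_pins("device"))
    print("container-scoped policy:", simulate_failed_pins("container"))
```

Under the device-scoped policy both files become unreadable after the fifth wrong PIN; under the container-scoped policy only the corporate file does, which is the behaviour Foster is pointing at when he says a company can delete the business data without touching personal data. Destroying the key rather than overwriting files is what makes a remote wipe effective even when the device is offline or the storage is later imaged.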
Communicate with users
A party frequently missing from policy discussions is the employees affected. While only 14% of IT professionals dislike the level to which their company monitors their device usage, only 35% of employees say their company's policy regarding mobile devices is well communicated, according to the TEKsystems' survey.
A common problem that users have with corporate security measures is that they interfere with using the device for work. That has been a frequent criticism of containerization technologies, says Veracode's Titonis. And security measures that are difficult to use are generally ineffective, she says.
"Employees find a way around processes that are difficult to use," she says. "Employees don't want to put a 13-digit password into a mobile device. They need to interact in a way that they are used to."
For that reason, companies should discuss possible mobile device policies and strategies with employees.
Communication is important after the business decides on a direction as well. Currently, more than two-thirds of firms do not have mandatory end-user training to inform workers of their mobile policy. To get users on board, organizations must explain the risks that mobile devices can pose to a business, says Moka5's Whaley.
Organizations should also make it clear to users that the business data on the phone belongs to the company. For that reason, a firm's legal department should be part of the policy discussion from the get-go, he says.
"You don't want to be stuck in a situation where a user is working on something and that data is subpoenaed or used in an investigation, and a user refuses to hand over their personal device for discovery," Whaley says.
About the author:
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several publications focused on information security issues.