Can IT be trusted with per­sonal de­vices?

Mo­bile de­vice man­age­ment as a path to se­cu­rity is a fun­da­men­tally flawed strat­egy. You must man­age the data

InformationWeek - - Practical Analysis - Art Wittmann Art Wittmann is irec­tor of In­for­ma­tion­week An­a­lyt­ics, a port­fo­lio of de­ci­sion-sup­port tools and an­a­lyst re­ports. ou can write to him at awittmann@tech­web.com.

Most IT teams weren’t prepared for the BYOD chal­lenge, and they’re not han­dling it well. This as­ser­tion is borne out by our Mo­bile Se­cu­rity Sur­vey, which shows that se­cu­rity ed­u­ca­tion is still un­der­funded and un­der­ap­pre­ci­ated and that there’s an on­go­ing mis­match be­tween the mo­bile de­vice man­age­ment fea­tures IT deems to be im­por­tant and what’s in end users’ best in­ter­ests.

To il­lus­trate just how per­ni­cious the wrong BYOD poli­cies can be, here’s a hy­po­thet­i­cal: A worker de­cides to buy an ipad so that, among other things, he can record and store pic­tures and movies of im­por­tant events. Per­haps he man­ages to catch his baby’s first steps or his daugh­ter’s pi­ano recital, or he uses the ipad to store hun­dreds of fam­ily va­ca­tion pic­tures.

Be­ing a proac­tive em­ployee, he brings the ipad into work, to use for sales pre­sen­ta­tions and such. The IT or­ga­ni­za­tion tells him that be­fore he can put any com­pany data on the de­vice, even what’s freely avail­able on the com­pany web­site, it’ll need to in­stall some soft­ware that will en­force pass­words (No. 1 on our list of most crit­i­cal MDM se­cu­rity func­tions). The app will also per­form re­mote lock­ing and wip­ing of the de­vice, of­fer some mal­ware pro­tec­tion, and de­liver se­cu­rity up­dates (Nos. 2, 3, and 4 on the list). The soft­ware will re­quire pass­word changes ev­ery few months, en­force min­i­mum stan­dards for length and com­plex­ity, lock the de­vice af­ter a given time, and if too many failed pass­word at­tempts oc­cur, wipe the de­vice (the top 5 pass­word poli­cies de­sired by IT pros).

Now, sup­pose one of the em­ployee’s young chil­dren plays with the ipad, ex­ceeds the num­ber of failed pass­word at­tempts, and the de­vice is wiped. No baby’s first steps, no pi­ano recital, no pic­tures from the fam­ily va­ca­tion.

While tech­nol­ogy can play a part in pro­tect­ing the com­pany while let­ting em­ploy­ees use their own de­vices for busi­ness pur­poses, most IT teams are cre­at­ing an in­sane set of rules for no ap­par­ent rea­son. That same em­ployee could have e-mailed the sales pre­sen­ta­tion, which prob­a­bly isn’t en­crypted or pass­word pro­tected, to his Gmail ac­count, up­loaded some prod­uct shots to Drop­box, and used the de­vice for work without IT’s in­volve­ment. And there’s of­ten in­cen­tive for em­ploy­ees to do just that, be­cause IT’s poli­cies are oner­ous at best, and at worst down­right counter to the em­ployee’s in­ter­ests. If soft­ware can’t tell the dif­fer­ence be­tween com­pany data and em­ployee data, it has no place on a per­son­ally owned de­vice. Fur­ther, MDM as a path to se­cu­rity is a fun­da­men­tally flawed strat­egy. You must man­age the data. The data is what the com­pany owns and val­ues. But of course, data man­age­ment in­volves user train­ing and clas­si­fi­ca­tion. For too many IT teams, it’s eas­ier to use a blunt in­stru­ment.

There’s a bit of good news in our sur­vey: While only 32 per­cent of re­spon­dents have had a se­cu­rity aware­ness pro­gram in place for two or more years, 18 per­cent have re­cently added one, and an ad­di­tional 25 per­cent say they’ll get one in place in the next 12 months. Plenty of cloud-based backup ser­vices can add a layer of pro­tec­tion for both com­pany and per­sonal data.

No doubt users rep­re­sent a se­cu­rity risk, but they’re also first line of de­fense — if you take the time to clue them in on best prac­tices. Ex­plain how se­cur­ing cor­po­rate data can help pro­tect them as well; if their smart­phone is stolen, they may want to nuke it. But don’t put de­vice-wipe time bombs on their sys­tems un­less you want to ex­plain why all their per­sonal data is gone and there’s nothing they can do to get it back.

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.