Can IT be trusted with personal devices?
Mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data
Most IT teams weren’t prepared for the BYOD challenge, and they’re not handling it well. This assertion is borne out by our Mobile Security Survey, which shows that security education is still underfunded and underappreciated and that there’s an ongoing mismatch between the mobile device management features IT deems to be important and what’s in end users’ best interests.
To illustrate just how pernicious the wrong BYOD policies can be, here’s a hypothetical: A worker decides to buy an ipad so that, among other things, he can record and store pictures and movies of important events. Perhaps he manages to catch his baby’s first steps or his daughter’s piano recital, or he uses the ipad to store hundreds of family vacation pictures.
Being a proactive employee, he brings the ipad into work, to use for sales presentations and such. The IT organization tells him that before he can put any company data on the device, even what’s freely available on the company website, it’ll need to install some software that will enforce passwords (No. 1 on our list of most critical MDM security functions). The app will also perform remote locking and wiping of the device, offer some malware protection, and deliver security updates (Nos. 2, 3, and 4 on the list). The software will require password changes every few months, enforce minimum standards for length and complexity, lock the device after a given time, and if too many failed password attempts occur, wipe the device (the top 5 password policies desired by IT pros).
Now, suppose one of the employee’s young children plays with the ipad, exceeds the number of failed password attempts, and the device is wiped. No baby’s first steps, no piano recital, no pictures from the family vacation.
While technology can play a part in protecting the company while letting employees use their own devices for business purposes, most IT teams are creating an insane set of rules for no apparent reason. That same employee could have e-mailed the sales presentation, which probably isn’t encrypted or password protected, to his Gmail account, uploaded some product shots to Dropbox, and used the device for work without IT’s involvement. And there’s often incentive for employees to do just that, because IT’s policies are onerous at best, and at worst downright counter to the employee’s interests. If software can’t tell the difference between company data and employee data, it has no place on a personally owned device. Further, MDM as a path to security is a fundamentally flawed strategy. You must manage the data. The data is what the company owns and values. But of course, data management involves user training and classification. For too many IT teams, it’s easier to use a blunt instrument.
There’s a bit of good news in our survey: While only 32 percent of respondents have had a security awareness program in place for two or more years, 18 percent have recently added one, and an additional 25 percent say they’ll get one in place in the next 12 months. Plenty of cloud-based backup services can add a layer of protection for both company and personal data.
No doubt users represent a security risk, but they’re also first line of defense — if you take the time to clue them in on best practices. Explain how securing corporate data can help protect them as well; if their smartphone is stolen, they may want to nuke it. But don’t put device-wipe time bombs on their systems unless you want to explain why all their personal data is gone and there’s nothing they can do to get it back.