With mobility on the rise, the bring-your-own-device (BYOD) movement in the enterprise has become a force with which CSOs and CISOs around the globe must reckon.
The original notion that a more mobile workforce is a more flexible and productive workforce seems very quaint today as the threat landscape is growing.
While companies are reaping the benefits of a more engaged nomadic workforce, they are also suffering from data leakage and theft. In a Ponemon Institute survey sponsored by Websense, 51 percent of organizations experienced information loss resulting from employee use of insecure mobile devices (including laptops, smartphones and tablets).
To avoid data loss and security breaches, organizations need to create a mobile strategy that addresses three key factors: policy and communication, data ownership, and reimbursement.
It is important to define policies for devices that are permitted to connect to corporate assets. This includes the security requirements that protect corporate data and personal information. Clearly defining policies allows organizations to embrace personal mobile devices in a safe and secure manner.
For example, you may want to allow only certain “trusted” mobile devices to access corporate information. You should also establish minimum-security requirements. This may include: a required passcode on devices accessing the network; policies around what data you allow to move to, be viewed on, or reside on the device; and rules against allowing jailbroken devices.
Once these guidelines are established, you'll need to clearly communicate them with your employees and define a clear action plan for what to do if a device is lost or stolen. Once the plan is in place, schedule a meeting with your key stakeholders to discuss company policies as they relate to BYOD and compliance requirements.
For example, you should meet with a representative from every business unit, which could include customer service, finance, human resources, IT and retail operations departments. Once your key personnel are informed, formalize a written communication to all employees with network access that explains your new mobile policies and security concerns. And, make sure this is updated and annually signed by employees.
Businesses have learned to deal with the complexities of safeguarding data on PCs within the corporate network. However, in today's enterprise, tablets and smartphones can double as a mobile office with access to confidential documents, customer information and credit card numbers.
With data now traversing outside the network on smartphones and tablets, several issues are front and center, including data ownership and security.
With the sophistication of personal devices, employees no longer want to use corporate issued phones. This takes away the clear line between device and data ownership. Employees want to connect to the network and conduct business outside the office, which takes the control away from corporate IT.
On top of this, there is still a legal “gray area” about what companies can control on employee-owned mobile devices. Inside the corporate walls, this is simple, as an organization owns corporate email and data. Handheld devices, however, are more prone to being lost or stolen and often rely on insecure Wi-Fi networks. This increases the risk of compromised, intercepted, and ultimately, lost corporate data.
In highly regulated industries like healthcare and financial services, organizations can incur large cost and legal consequences for misuse of private data on mobile devices. Therefore, highly regulated organizations often restrict mobile devices from connecting to the corporate network, but that is not always feasible in today's mobile workforce.
Regardless of who owns it, data is the lifeline of any company. Employees should carefully consider the security of their mobile devices and take appropriate protective measures. For example, workers should minimize the storage of company data. This includes email and attachments.
If a mobile device with company data is lost or stolen, employees should report the incident within 24 hours. All data stored on the device should be securely disposed of in accordance with a company's records retention policy.