
WORKLOAD INNOVATION

IT and Telecommunications Interim Management & Consultancy



Posted by Andrew Spencer on 26/01/2012 @ 09:00

MOBILE DEVICE SECURITY PART 2

Corporate policy and support ...



Last time, I talked about the risks to a business of unsecured, unsupported personal mobile devices used by employees for business purposes. I also shared some statistics that show that too few companies have coherent and comprehensive policies for mobile device security...

what's the policy and support for your company's personal mobile devices?


Furthermore, few companies have full support for devices except where they supply them. However, the individual's own device is increasingly being used instead of a corporately supplied one. The pressure is intensifying from employees to be able to use their own device, whether it is a smartphone, iPad or other tablet, because they have preferences about how they work and interact with the devices and they really don't want to carry two or more. Between 21% and 28% of companies have no policy and/or no support! Only 11% of European companies have full support of mobile devices - however owned - and therefore full control over security.

So how do you create policy for mobile device security? What do you need to consider? The first and most difficult decision to make is whether to allow employees to use their own devices. The temptation is there because it obviates the need to supply the device at the company's expense. However, it complicates the support position for obvious reasons: multiple operating systems such as iOS, Android, BlackBerry OS and Mobile Windows, and a myriad of manufacturers, all with different menu and file structures.

Allowing employees to use their own devices and then stipulating that they use a particular manufacturer is not an option! I am going to make the assumption that the company allows the individual to use their own, privately purchased, mobile device for corporate purposes such as accessing and dealing with email, files and so on. If the company supplies the device, support is far easier and creating policy is very easy, but the increasing trend is the other way.


A few issues to consider when trying to decide whether to operate a Bring Your Own Device (BYOD) policy:

  • Are your employees technically savvy enough to maintain and update their own devices according to the security structures you set, or will they need a lot of hand holding?

  • If your company data is very sensitive (legal, financial or medical, for example), just one instance of lost or stolen data could have serious consequences, and this would argue for greater control, such as issuing corporate devices, suitably locked down.

  • Factors such as how many employees want BYOD figure in the equation. If only a few want it, why increase the complexity of your support?

  • Does the reduced cost of supplying devices outweigh the increased support costs? (I am assuming here that support will be provided, for to do otherwise risks a lot.)

  • How focused are your staff? Their own devices will have games, apps etc. on them. Do you trust your staff to concentrate?


So you have made the decision to have a BYOD policy - now you have further decisions to make. For example, what range of devices will you support? It is very difficult to restrict a BYOD policy to one device, so the advice here is to implement a mobile infrastructure and platform that is flexible and supports multiple mobile operating systems, including Apple iOS and Android. You can debate whether it is worth supporting BlackBerry or Windows! But you do have to decide limits whilst retaining sufficient flexibility. Also limit the permitted devices to, say, the last two versions of the operating systems allowed.

Critically, you need to decide how corporate data such as email will be accessed: will you allow data to be stored on the device? A BlackBerry, for example, carries a copy of every email you have received and sent (wherever you sent it) for at least 2 weeks if you let it! That is potentially a lot of sensitive corporate data. Serious consideration should be given to making the device a viewing platform and, if handling of data is required, ensuring that no copy is retained on the device.

Be pro-active in setting policy and setting up support. It is worth anticipating what your people may want because it gives you time to get robust policies in place. The launch of the iPad is a classic case in point - it was inevitable that many, many employees would want to use the iPad - how many companies were ready for this demand?

And now and again you have to say "No!" I have already mentioned really sensitive data above; however, you may well also say no to online transactions on the devices, trading etc.

Above all there are two things that should be part of your personal mobile device policy and support processes and part of the education processes for employees in the use of the devices; education in security is essential.


The two things that for me are really crucial are:

  • The devices must be protected by a password, and it must be a password of robust strength: 12 to 14 characters, with a mix of upper and lower case, numbers and symbols, and with the lock set to kick in after, say, 30 minutes of idle time.

  • Corporate data should not be held on the device. No email, no files, attachments etc. The user should access the corporate network in a virtualized environment.


As you can see, there's lots to consider in formulating policy and support for your company's personal mobile devices. Getting it right from the start is absolutely crucial; if you'd like more information then please call me on +44 (0) 1908 565460.

Until next time ...

ANDREW SPENCER


More about Andrew Spencer ...

During Andrew's extensive business career, he has worked in a wide cross-section of companies, specialising in the creation of contact centres and business systems, software development, telecommunications and project management. Andrew's key skills are:

  • Business planning and strategy

  • Matching technology to business needs

  • Project management

  • Software development and implementation

  • Designing and implementing business systems

His work has included sourcing and implementing a new integrated telecoms system for National Energy Services, designing and project managing a new IT and telephony structure for the Greyhound Racing Association, and directing technology development for Wembley plc.

Website:

http://uk.linkedin.com/in/andrewspencerinterim
