Digital Transformation Today

Protect Your Digital Workplace With BYOD Security Policies

If you lose your company-owned smartphone, your IT staff may be able to access it remotely and wipe all data off the device. BlackBerry found great success in the late 1990s by introducing this remote wipe capability and backed it up with the policy that when someone lost their company BlackBerry, the corporation would take care of the problem.


This basic security technology now extends to software that offers remote wipe and other data security features for a range of devices and business systems, such as Microsoft-hosted Exchange email, SharePoint Online and Office 365. But what if the lost phone is a personal device, such as an iPhone or Android, that’s been used for business communications?

If your organization is using a bring-your-own-device (BYOD) mobile approach, a BYOD security policy is essential. At the most basic level, this policy specifies what information your organization plans to secure and how to manage access.

A BYOD security policy also builds on your larger information governance strategy and infrastructure. To avoid data loss in a BYOD environment, it’s best to build on a strong system for data backup and disaster recovery, and extend that system to mobile devices. First, you’d need to make sure that you’re able to back up any company data that’s stored locally on a user’s device.

Depending on your backup system, a better strategy might be to store corporate data in the cloud or another central location, instead of on specific devices and computers. This way, your digital workplace allows everyone in your organization to use mobile devices to access and interact with content that’s stored (and backed up) elsewhere.

Similarly, if you want to restrict BYOD access based on the user’s role in the organization, with different levels of security for sales reps and executives as an example, it helps to have a perimeter strategy as part of your governance.

The strategy of assigning different security levels based on a person’s role in the organization (a pyramidal security strategy) has been around for a while. For example, the leadership team might have access to more documents than the sales department.

This pyramidal strategy is especially important in the context of BYOD, because the risk of data loss increases when employees bring their own devices into the enterprise. Even if you already have these security measures in place, it’s a good idea to rethink your strategy when introducing BYOD to ensure that content doesn’t fall into the wrong hands.

With a pyramidal strategy, you’re able to characterize the risk of data leakage by different types of users. When a mobile device goes missing, it should be easier to manage the risk if the device belongs to a salesperson rather than an executive, because there’s likely less sensitive material to wipe.

Your policy should also specify which devices you’re going to support. On one hand, an organization can’t support an infinite number of devices of all types. On the other hand, trying to standardize employee-owned devices goes against the philosophy of BYOD. The goal is to strike an effective balance.

Determining the number of devices to allow in your digital workplace probably isn’t as critical as deciding what you’ll do with them. Perhaps you’ve determined that the most important factor is to limit support to the five most popular mobile devices, and then require that they be enrolled in a corporate system to ensure ongoing management and support.

At the same time, the differences between devices are becoming less important, as web-based and cloud applications become more mainstream. If your organization connects to a cloud-based CRM system like Salesforce via a web browser, it doesn’t matter much if a user accesses it from a home or business computer. The same is true with the cloud-based Office 365 platform: You’ll get essentially the same experience in the office or at home.

Many common tools and line-of-business applications are also now available through application virtualization or virtual desktop technology. If this technology is part of your business information management strategy, it reduces the complexity of delivering an application to a device. Instead of the device itself providing users with access to the applications and data, it connects to the virtual desktop on the corporate network, which may be a more secure means of access.

In the near future, BYOD organizations are likely to support larger numbers of devices — 10 or 20, for example, instead of just two or three. But it’s still important to develop a security policy that defines what access to allow and how to manage these personal devices in your digital workplace.

To learn how to secure your business data on mobile devices, download our free e-book, “Ensuring Document Security In A BYOD Workplace.”

Contributor: Daniel Cohen-Dumani, Founder and CEO at Portal Solutions
