Managing BYOD - technology isn't the only answer
One of the key trends across IT in the last 12 – 18 months has been the rise of Bring-Your-Own-Device (BYOD) as employees, who initially bought smartphones and tablets for personal use, have quickly recognised their potential in the workplace.
This trend has led to a rapid increase in the number of employees asking their firms to support personal mobile devices such as the Apple iPad, including allowing them to connect to the enterprise network. In an effort to address the security risks associated with these devices (for example, data breaches caused by device theft), many organisations have deployed (or are considering deploying) a Mobile Device Management (MDM) tool.
MDM tools work by enrolling mobile devices with a management console that allows IT administrators to enforce security controls such as remote lock or remote wipe on either a ‘per device’ or ‘per app’ basis. The latter tend to be preferred by institutions that have stronger security requirements for data stored on mobile devices, but applying security controls at the application level can significantly impact the end user experience. As a consequence, more and more organisations are now considering MDM solutions that allow employees to make use of native device capabilities such as built-in email and calendar apps.
It is tempting to believe that MDM tools are a quick and easy solution to BYOD challenges, particularly as the leading products continue to evolve rapidly in order to reflect enterprise requirements. However, many businesses that have deployed MDM tools have discovered that not all BYOD risks can be addressed through technology alone, and that deploying MDM capabilities can raise new challenges.
Organisations looking to implement an MDM tool should be aware of the current (and likely future) technical limitations of the tools. MDM vendors will often promote a broad range of solution capabilities, but it is important to recognise that, due to the technical constraints of different mobile operating systems, not all of these capabilities will be available for every platform (for example, Apple iOS does not permit location tracking of lost/stolen devices via an MDM tool). If a popular mobile device or operating system is not supported, this can represent a significant gap in an organisation’s BYOD risk management strategy.
When addressing BYOD challenges it is also important that businesses pay close attention to non-technical factors, such as the development of the policies that MDM tools will enforce. It is easy to get carried away with the potential of MDM to quickly address BYOD risks, but our experience is that each policy decision or control needs careful impact assessment before being implemented. For example, a requirement from an information security function for mandatory device-level encryption will greatly restrict which devices can and can’t be enrolled with the MDM tool, potentially excluding a significant number of BYOD users. Remote wipe, ‘find my device’ and application blacklisting services can also have privacy and legal implications requiring significant focus.
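The two points above, that a platform may not support every control the vendor advertises and that each policy rule should be impact-assessed before roll-out, can be checked with data rather than judgement alone. The following is an added example, not code from the original post or from any MDM product: it expresses a draft BYOD policy as data, runs it over a constructed sample fleet, and reports which devices the policy would exclude and which required controls cannot be enforced on each platform. The device inventory, the capability matrix and the policy thresholds are all hypothetical and would be replaced with the vendor's actual capability matrix and the organisation's real enrolment data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One BYOD device as reported at enrolment time (constructed sample data)."""
    owner: str
    platform: str       # e.g. "ios", "android"; any other value is treated as unsupported
    os_version: tuple   # (major, minor), compared as a tuple
    encrypted: bool     # device-level encryption is available and enabled


# Hypothetical capability matrix: which controls the MDM tool can enforce per platform.
# These sets are constructed for illustration only; replace them with the vendor's
# documented matrix. The only detail taken from the post is that iOS does not allow
# location tracking via MDM, so "locate" is absent for iOS here.
CAPABILITIES = {
    "ios": {"remote_lock", "remote_wipe", "app_blacklist"},
    "android": {"remote_lock", "remote_wipe", "app_blacklist", "locate"},
}

# A draft policy expressed as data so its impact can be measured before it is enforced.
# Thresholds are placeholders chosen for the example, not recommended values.
POLICY = {
    "require_encryption": True,
    "min_os_version": {"ios": (5, 0), "android": (4, 0)},
    "required_controls": {"remote_lock", "remote_wipe", "locate"},
}


def device_exclusions(device, policy):
    """Return the list of policy rules that would block this device from enrolment."""
    reasons = []
    if device.platform not in policy["min_os_version"]:
        # No baseline defined for this platform: the policy cannot be applied to it.
        return ["unsupported platform"]
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("no device-level encryption")
    if device.os_version < policy["min_os_version"][device.platform]:
        reasons.append("os version below minimum")
    return reasons


def control_gaps(policy, capabilities):
    """For each platform, the required controls the MDM tool cannot enforce there."""
    return {
        platform: sorted(policy["required_controls"] - supported)
        for platform, supported in capabilities.items()
    }


def assess(devices, policy, capabilities):
    """Impact assessment: who would be excluded, how many, and where controls fall short."""
    excluded = {}
    for device in devices:
        reasons = device_exclusions(device, policy)
        if reasons:
            excluded[device.owner] = reasons
    gaps = {p: g for p, g in control_gaps(policy, capabilities).items() if g}
    total = len(devices)
    return {
        "excluded": excluded,
        "excluded_fraction": len(excluded) / total if total else 0.0,
        "control_gaps": gaps,
    }


# Constructed sample fleet: five personal devices with a mix of platforms and settings.
FLEET = [
    Device("alice", "ios", (6, 0), True),
    Device("bob", "ios", (4, 3), True),
    Device("carol", "android", (4, 1), False),
    Device("dave", "android", (2, 3), False),
    Device("erin", "windows_phone", (7, 5), True),
]

if __name__ == "__main__":
    report = assess(FLEET, POLICY, CAPABILITIES)
    print(f"{report['excluded_fraction']:.0%} of the sample fleet would be excluded")
    for owner, reasons in report["excluded"].items():
        print(f"  {owner}: {', '.join(reasons)}")
    for platform, missing in report["control_gaps"].items():
        print(f"  {platform}: cannot enforce {', '.join(missing)}")
```

Running it shows the kind of figure a policy owner needs before mandating a control: with the encryption requirement switched on, four of the five sample devices are turned away, and the "locate" control the policy demands is unavailable on iOS regardless of what the console offers. Re-running with `require_encryption` set to `False`, or with "locate" dropped from the required set, gives the comparison that turns a policy debate into a measured trade-off.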
Furthermore, if non-technology factors such as user awareness of BYOD risks are not addressed as part of an MDM implementation, then it’s unlikely that technology alone will adequately mitigate data security risks. In our experience, if MDM is deployed without sufficient user engagement then employees may object to their personal devices being enrolled with a ‘corporate’ security solution, or else work around MDM controls by using mobile web browsers to access unapproved webmail and cloud storage services.
The key to managing BYOD risks therefore lies in the successful combination of technical and non-technical controls. MDM tools provide information security teams with new technical capabilities for managing risk; however, it is important that non-technical considerations are not sidelined if organisations are to succeed in embracing the BYOD trend without exposing their key data assets to new types of risk.
Matt is a Manager in Deloitte’s Enterprise Risk Services practice specialising in information protection. He has a particular interest in mobile security technologies and has significant experience of advising businesses on bring-your-own-device risks.