By Allie Philpin
Every day, more and more employees are using their own mobile devices, including their own applications, to carry out their role in business. But according to Jack Gold, principal analyst at J. Gold Associates, this trend, which is growing at a significant rate, highlights security issues that many businesses are not even recognising.
With the acronym BYOD being used liberally, businesses concentrate on issues related to mobile security in this context. However, Gold believes that organisations should be focusing more on BYOA, alternatively known as Bring Your Own App! Users want convenience; to find it they search for and use unauthorised apps – and there are plenty available – but can they be trusted? This is in direct contrast to IT professionals, whose focus is on security and corporate policies.
Gold says there should be three elements in place in order to get ‘true’ mobile security: security policies developed around the organisation’s requirements, user acceptance of corporate security policies, and ultimately the security measure itself. If one or more elements are missing, it will spell failure. A balance needs to be achieved between users’ demand for using their own devices and applications, and minimising the risks. Any trend towards IT professionals gaining more control will lead to additional security measures; yet too much control by users wanting to use their own mobile devices and applications will lead to reduced security. This is known as the ‘security gap’, and many companies haven’t even heard of it, let alone being able to understand and manage it!
The biggest hurdle in achieving true mobile security is user acceptance of corporate security policies; the second is getting IT professionals to understand users’ requirements of mobile devices and applications, so that they can deliver convenience and the tools users need to do their jobs effectively. If IT departments make the security rules too stringent, users will do all they need to do to make their jobs easier and thereby increase the security risks. Most users who use their own mobile devices at work recognise that there needs to be some level of security, but often they don’t understand the potential risks involved; it’s a double-edged sword, in that most IT professionals don’t understand what the employees’ needs are.
Gold believes there are 7 crucial steps to achieving successful mobile security:
1. Be Proactive – there’s no point ‘shutting the door after the horse has bolted!’ Assess the security risks and develop a strategy that will prevent a security attack before it happens.
2. Understand what users need to do with their mobile devices; and remember, not every employee has the same needs!
3. Understand the devices that are being used and, again, not every device has the same requirements – not every anti-malware and anti-virus software solution works the same way on every device or PC.
4. Ensure that any MDM (mobile device management) strategy includes not just the devices being used, but also the applications and data that are being stored, accessed and used on the mobile device. Losing the device is one thing, it can be replaced; losing corporate data is another matter entirely.
5. Manage the mobile security policies and strategies, but remember to stay flexible. Devices change, updates are added, new devices are added and old ones are removed – it’s a constant process and it is essential that any corporate policy is kept up-to-date.
6. Assess and understand the total cost of ownership (TCO), as well as the return on investment (ROI), that comes with mobile devices and security.
7. Support any mobile security strategy… properly! All the above is one thing, but if it’s not well-supported, it’s not going to be anywhere near as effective!
Utilising employees’ own mobile devices can be, and is, a benefit to many companies that don’t have the necessary resources to ensure that all employees have corporate mobile devices. This is all very well, but unless the right steps are taken to ensure the right levels of security are provided to the right people, and unless users of BYOD and BYOA are educated in the potential risks involved and buy in to corporate mobile security policies and strategies, there is a very good chance your efforts will be wasted.