The following article was written by Seth Arbital, Chief Information Security Officer of Align.
Bloomberg recently reported that the White House is considering a ban on employees’ use of personal mobile phones while at the White House. The proposed ban stems from cybersecurity concerns. This past October, there were reported suspicions that Chief of Staff John Kelly’s personal mobile phone had been compromised for months. The White House already imposes strong restrictions on the use of personal mobile devices, including banning them from meeting rooms where confidential information is discussed. The current consideration is a complete ban.
While most of corporate America does not have the same level of cybersecurity concerns as the White House, companies have been struggling for years with how to manage the use of employees’ personal devices. Employees at all levels, from the CEO downwards, have been forcing the hand of corporate IT and corporate security teams to find a way to allow the use of personal mobile devices. Users do not want restrictions on how they use their own devices, yet organizations must protect their network resources and data. As mobile device use increases, so does the variety of threats posed to such devices. The Nokia Threat Intelligence Report – 2H 2016 states that, “smart phones were targeted most often in July through December, accounting for 85 percent of all mobile device infections and smart phone infections increased 83 percent during this period, compared to the first half of the year.”
This struggle has forced companies to develop Bring Your Own Device (BYOD) policies and to deploy Mobile Device Management (MDM) controls. A BYOD policy establishes the parameters for how employees can use their personal mobile devices (e.g., laptops, tablets, smartphones) within the workplace. MDM is a control, usually an agent, that runs on a mobile device and is centrally managed by corporate operations. It is the technology that allows a firm to execute on and enforce its BYOD policy. Some of the features of MDM include:
- Restricting access to corporate network resources, applications and data to only those devices that are compliant with corporate policy (e.g., proper anti-virus/anti-malware, no jailbroken or rooted devices, appropriate patch levels, etc.). MDM can also restrict which devices can access which data and which applications.
- Separating or “containerizing” corporate data that is obtained and/or stored on mobile devices from personal data and preventing personal applications from accessing corporate data. Containerization may also include corporate email and attachments.
- Restricting which apps can access corporate data, and controlling the distribution of those apps to mobile devices so that it is not unfettered.
- Allowing remote wipe of corporate data stored on the mobile device, in the event of loss or theft, or employee termination.
While the White House struggles with “IF” personal mobile devices should be used, corporate America struggles with “HOW” to manage the use of personal mobile devices. The first step, as with any security initiative, is to gain executive sponsorship through a clear BYOD policy that allows employees to be productive while appropriately protecting corporate assets. The implementation of MDM provides for the effective enforcement of BYOD policies.
Align’s cybersecurity consultants work with our clients to develop proper cybersecurity policies, including BYOD. We also work with many of the MDM solutions discussed in PC Magazine’s October review, “Best Mobile Device Management (MDM) Solutions of 2017.”