Board Matters Quarterly, April 2014
Computing beyond the borders of your business
Using mobile technology for work
Having a robust mobile program that allows personal devices to be used safely for work can increase productivity and be a significant competitive advantage. Ultimately, the board needs to understand how the company is empowering its management and employees with mobile technology and how the company is maintaining control of the environment and access to confidential information.
The BYOD model
A model typically called “bring your own device” (BYOD), where employees use their personal devices for work, presents an attractive and manageable option to companies. However, BYOD significantly affects the traditional security model of protecting the perimeter of the IT organization. It also muddies the definition of that perimeter both in terms of physical location and asset ownership.
With personal devices now being used to access board materials, corporate email, calendars, and applications, many companies are struggling with how to establish procedures and support models that balance their employees’ needs with inevitable security concerns.
“Supporting the integration of a thoughtful bring your own device (BYOD) policy so that the related strategies are flexible and well planned can ensure that the company is equipped to deal with potential mobile challenges and risks.”
Organizations that adopt a BYOD approach need to consider the following issues.
Securing the device. Basic security features, such as password protection, encryption and procedures to remotely wipe the device if lost, are critical. One of the greatest advantages of a mobile-enabled workforce is the ability to always be connected. Unfortunately, this benefit also expands risk. While board members, management and employees previously left their data at work, they are now traveling the world with access to corporate data anywhere, anytime. Maintaining awareness and training on appropriate data use and procedures for handling device loss should be a priority.
Mobile app concerns. Apps have accelerated the integration of mobile devices, and while they demonstrate utility, they also increase the risk of a BYOD model. Specifically, organizations need to address malicious apps and app vulnerabilities.
App vulnerabilities and weaknesses can be introduced unintentionally by developers and may expose the data within the app or help attackers compromise the device.
App risk is magnified when devices are not owned and managed by the IT department. To counter this risk, app management or compartmentalizing (walling off) sensitive data and tasks from the rest of the device is recommended.
Managing the mobile environment. The BYOD approach requires management effort to maintain an accurate inventory of the mobile devices and how each device is configured. Controlling the data accessed by individuals and third-party apps on mobile devices is a challenge.
Many organizations use mobile device management (MDM) software to help secure and standardize the configuration of devices on the mobile network. This software can also help organizations maintain an accurate inventory of the devices and the data those devices are allowed to access.
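As an added illustration (not from the article or any particular MDM product), the following script reviews a constructed device inventory, of the kind an MDM export might supply, against the baseline controls the article names and flags sensitive data access granted to devices that fail any of them. The field names, data classes and sensitivity tiers are assumptions.

```python
# Added example (not from the article): review a constructed BYOD device inventory,
# as an MDM export might supply it, against the baseline controls the article names
# (passcode, encryption, remote wipe, MDM enrollment). Field names and tiers are assumed.
from dataclasses import dataclass, field
# Data classes a device may be granted, ranked by sensitivity (assumed tiers);
# a device failing any baseline control must not hold access at tier 2 or above.
SENSITIVITY = {"calendar": 1, "email": 2, "board_materials": 3}

@dataclass
class Device:
    device_id: str
    mdm_enrolled: bool
    passcode_set: bool
    storage_encrypted: bool
    remote_wipe_enabled: bool
    allowed_data: list = field(default_factory=list)

def baseline_findings(d: Device) -> list:
    """Return the baseline controls this device fails (empty if compliant)."""
    findings = []
    if not d.mdm_enrolled:
        findings.append("not enrolled in MDM (configuration cannot be verified)")
    if not d.passcode_set:
        findings.append("no passcode")
    if not d.storage_encrypted:
        findings.append("storage not encrypted")
    if not d.remote_wipe_enabled:
        findings.append("remote wipe unavailable")
    return findings

def access_findings(d: Device) -> list:
    """Sensitive data classes granted to a device that fails any baseline control."""
    if not baseline_findings(d):
        return []
    return [f"{name} access granted despite failed baseline"
            for name in d.allowed_data if SENSITIVITY.get(name, 3) >= 2]

def review_inventory(devices) -> dict:
    """Map device_id -> findings; fully compliant devices are omitted."""
    report = {}
    for d in devices:
        findings = baseline_findings(d) + access_findings(d)
        if findings:
            report[d.device_id] = findings
    return report

# Constructed sample inventory: one compliant device, two with gaps.
SAMPLE = [
    Device("dev-001", True, True, True, True, ["email", "board_materials"]),
    Device("dev-002", True, False, True, True, ["email"]),
    Device("dev-003", False, True, False, False, ["calendar", "board_materials"]),
]
```

Running `review_inventory(SAMPLE)` gives the board-level view the article asks for: which devices fall short of the baseline and which of them can still reach confidential data.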
Eight steps to building a secure BYOD program
- Develop a strategy for BYOD with a business case and a goal statement. Build a smart, flexible mobile strategy that allows for exploring innovative ways to empower the workforce and drive greater productivity.
- Involve stakeholders in a mobility group. A cross-business mobility group should consist of executives, HR, legal, support, IT and, potentially, representatives of key user groups. The group should consider how various employees will use mobile devices.
- Create a support and operations model. An organization should identify and quantify costs and benefits to build the overall business case for BYOD, expose hidden costs and support expansion.
- Analyze the risk. Leadership should assess the data stored and processed on mobile devices, as well as the access granted for the devices to corporate resources and apps. It should consider data and privacy laws, international travel and data import/export restrictions.
- Develop a BYOD policy. Drafting a flexible but enforceable policy is key to effectively limiting risks. The BYOD policy should outline acceptable use and complement other information security and governance policies.
- Secure devices and apps. Implementing an MDM software package will greatly help the organization manage and secure mobile devices.
- Test and verify the security of the implementation. Perform security testing and review any implemented software. Assessments should be performed using both automated tools and manual penetration tests.
- Measure success, return on investment and roll forward lessons learned. Measure key performance indicators of the BYOD program, and use them to continually improve the program.
Questions for the board to consider
- Has the strategy been communicated to the board?
- What is the company’s mobile strategy and how is its mobile program governed? Are employees allowed to use their own devices for company business?
- How does the company keep corporate data separate from personal data?
- How does the company secure its mobile devices from physical and cyber attacks?
- What does the company do to test apps for vulnerabilities?
- How does the company protect mobile device data from malware?