It is no coincidence that the rapid expansion of cloud services and the near-ubiquitous presence of mobile devices have occurred virtually simultaneously. To me, the two go together like strawberries and cream, peanut butter and jelly, Hot Tamales and popcorn at the movies. There is a synergy to the two technologies that is fueling a communications revolution. But the convenience of having our data travel with us comes at a price.
When used in the workplace, these wonderful smartphones, tablets, and ultralight laptops require a clear-cut mobile policy, one that addresses several key issues and is understood by all employees. Mobile enterprise policy for an organization of any size should cover these key areas:
- Device specs
- Mandatory security controls
- Usage and access
- Data access
- Penalties for noncompliance
Mobile Device Specs and Access
At this point, it's safe to say that Bring Your Own Device (BYOD) is not just a fad. A research study commissioned by Logicalis estimates that 44 percent of employees bring their own mobile devices to the workplace. In rapidly growing economies, like Brazil and Russia, the figure is even higher – 75 percent. But the same study also points out that 46 percent of BYOD employees say their IT departments either don’t know, or don’t care, that they use their own devices for work. In other words, almost half have no mobility policy to follow.
An effective mobile device policy should address both BYOD and enterprise-owned devices. Operating systems and support need to be coordinated with the designated devices. Additionally, for enterprise-owned devices, tiers may be established that define access to devices based on job titles, responsibilities, and qualifications. For example, higher-level employees and supervisors may be issued more advanced tablets or smartphones, while others might be issued a basic model.
Levels of access to applications and mission-critical data need to be established. Controls, such as encryption, code locks, personal identification numbers (PINs), auto lockout, and remote wipe are essential. Close attention should be paid to all BYOD devices used by all employees, including contractors, vendors, consultants, and interns, to ensure that they conform to the mobile policy.
Security is Critical
The enterprise mobile security policy should be clearly spelled out to all employees who use mobile devices for work purposes, both BYOD and corporate-owned. All users should agree to download mobile device management (MDM) applications, if needed. These apps enable the previously mentioned controls, as well as device configuration.
Security details will vary from enterprise to enterprise, but every mobile security policy should include these basics:
- Remote data wiping for lost or stolen devices
- Enforcement of screen locks, secure logins, and passwords
- Effective device-side encryption and antimalware protection
- Remote management of configuration and patches
- Remote tracking and visibility into devices as well as network traffic
Liabilities and Responsibilities
The combination of enterprise-owned mobile devices and BYOD raises some important issues that must be clearly explained to all staff members. An organization has the right to monitor mobile activities when a device is connected to its network. However, each organization should establish policies that address issues such as accessing workers’ private data on company-owned devices, and organizational liability for BYOD devices.
Procedures for handling lost or stolen devices should be known to all employees, as well as the policy regarding the wiping of personal or organizational data if loss or theft occurs.
There are other factors to consider when formulating an enterprise mobility policy. An assessment by your managed services provider (MSP) is the best way to determine the right policy for your business.