Over the past decade, in line with changes in working culture, we’ve seen a monumental rise in the number of mobile devices entering the workplace. Alongside the flexibility and accessibility they provide, they present an increasing risk to the security and privacy of employees and their employers, because they hold sensitive proprietary data and let users share it in inconsistent and insecure ways. With business continuity, reputations and personal safety at risk, organisations need to develop a better understanding of mobile security and a policy that reflects it.
One of the key sticking points is that employees use their devices for both personal and professional reasons. The average number of applications on a smartphone is estimated at 80, each serving a purpose in the user’s daily life. They can be used to make banking payments, track location and physical activity, communicate, socialise, check the weather or pass time by playing games. From an enterprise standpoint, smartphones allow us to work remotely by connecting us to corporate networks where we can access the data we need. The increased productivity and efficiency these devices bring is the reason so many enterprises are promoting a Bring Your Own Device (BYOD) policy. Research has found that as many as 87% of companies expect their employees to use their personal devices for work purposes, a figure that is only going to rise.
This presents enterprises with a problem: how can they maintain visibility and uphold security while employees demand privacy? Clearly, BYOD policies aren’t going away any time soon, so the C-suite needs to bridge the gap between enterprise security and the privacy of its workforce. With the right to individual privacy becoming increasingly important to users, businesses are being forced to change how they monitor and analyse mobile devices.
From an employee’s perspective, scrolling through WhatsApp or Messenger, or calling a loved one, is part of their everyday routine. Equally, when working, they will regularly use Skype, Dropbox and Slack to communicate with colleagues and increase productivity. While these apps are essential, they also present distinct security issues when used on mobile devices outside the scope of the IT department. Known as Shadow IT, systems and devices used within organisations without explicit organisational approval increase the likelihood of mistakes being made, vulnerabilities being exploited, or malicious code going undetected and taking root within the corporate network. Gartner even predicts that the use of Shadow IT will contribute to as much as a third of successful attacks on enterprises by 2020.
To get a handle on this, Enterprise Mobility Management needs to improve. This might mean implementing device-level management on personal devices. However, employees could view such a move as draconian and intrusive, and so the privacy-security dilemma remains. This has led some organisations to seek alternative, but often less secure, solutions.
Another layer to this dilemma is the requirement to comply with the General Data Protection Regulation (GDPR). Doing so requires enterprises to have holistic control and visibility of data in all its forms, which is extremely difficult when some of the endpoint devices accessing that data are not corporate-owned. Individuals seek privacy and freedom from their organisation when using their mobile, yet also hold, accept and share work-related data on it, blurring the line between activities and information that should remain distinct. Moreover, any visibility the enterprise does have of a personal device is lost once it leaves the corporate network.
Unfortunately, a number of mobile-related risks can lead to GDPR violations: a malicious app leaking data, spyware monitoring online activity, apps that gain extended permissions to access sensitive information, and network compromises that lead to man-in-the-middle attacks. Regardless of the risk or threat that causes a data breach, whether employee negligence or malicious intent, the organisation will still be held accountable and fined accordingly. The financial and reputational damage is far too severe for mobile security to be treated any less diligently than the controls that protect desktops and the employees who use them.
Enterprises want to ensure the corporate perimeter is fully protected, but at the same time are challenged to offer privacy to an ever-expanding mobile workforce. This can be achieved with dedicated, advanced mobile security that enables enterprises to protect data from the threats and risks present on endpoints. Through continuous conditional access, it lets enterprises assess device health on an ongoing basis and allow employees to authenticate to corporate resources over any network. This works across all of the organisation’s endpoints while, just as importantly, protecting employee privacy.
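To make the continuous conditional access idea concrete, the following is an added illustration, not code from the article or from any Lookout product. It models a policy engine that receives periodic posture reports from a device, reads only a fixed set of health signals (the field names, the 90-day patch threshold and the sample reports are all assumptions constructed for the example) and re-issues an allow / step-up / deny decision on every report, so a session that was allowed earlier is revoked the moment the device's posture degrades. Personal fields in the report are discarded before evaluation, which is how the privacy requirement in the text is met in code: the engine never sees them.

```python
"""Toy continuous conditional-access evaluator (illustrative, not a product API)."""
from dataclasses import dataclass
from typing import Any, Iterable, List, Mapping

# Hypothetical posture signals a mobile security agent might report.
# Only these keys are ever read; anything else in a report is ignored,
# so message content, contacts, location and personal app usage never
# reach the policy engine (data minimisation).
POSTURE_FIELDS = frozenset({
    "os_patch_age_days",
    "rooted_or_jailbroken",
    "screen_lock_enabled",
    "sideloaded_apps_with_sensitive_permissions",
    "tls_interception_suspected",
})

MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold


@dataclass(frozen=True)
class DevicePosture:
    os_patch_age_days: int
    rooted_or_jailbroken: bool
    screen_lock_enabled: bool
    sideloaded_apps_with_sensitive_permissions: int
    tls_interception_suspected: bool


@dataclass(frozen=True)
class Decision:
    action: str     # "allow", "step_up" (fresh authentication required) or "deny"
    reasons: tuple  # policy rules that fired, suitable for an audit log


def minimise_report(report: Mapping[str, Any]) -> DevicePosture:
    """Keep only the posture fields; everything personal is dropped here."""
    missing = POSTURE_FIELDS - report.keys()
    if missing:
        raise ValueError(f"incomplete posture report, missing: {sorted(missing)}")
    return DevicePosture(**{k: report[k] for k in POSTURE_FIELDS})


def evaluate_posture(p: DevicePosture) -> Decision:
    """Map one posture snapshot to an access decision."""
    reasons = []
    # Hard failures: the device cannot be trusted to protect corporate data.
    if p.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    if p.tls_interception_suspected:
        reasons.append("network traffic appears to be intercepted")
    if reasons:
        return Decision("deny", tuple(reasons))
    # Degraded posture: access continues only after re-authentication.
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS patch level older than {MAX_PATCH_AGE_DAYS} days")
    if not p.screen_lock_enabled:
        reasons.append("no screen lock configured")
    if p.sideloaded_apps_with_sensitive_permissions > 0:
        reasons.append("sideloaded apps hold sensitive permissions")
    if reasons:
        return Decision("step_up", tuple(reasons))
    return Decision("allow", ())


def evaluate_session(reports: Iterable[Mapping[str, Any]]) -> List[Decision]:
    """Continuous evaluation: decide again on every report, so an established
    session is cut off as soon as the device's posture degrades."""
    return [evaluate_posture(minimise_report(r)) for r in reports]


# Constructed sample: three reports from one device over time. The first
# also carries personal fields that the evaluator must ignore.
_HEALTHY = {
    "os_patch_age_days": 12, "rooted_or_jailbroken": False,
    "screen_lock_enabled": True, "sideloaded_apps_with_sensitive_permissions": 0,
    "tls_interception_suspected": False,
}
SAMPLE_REPORTS = [
    {**_HEALTHY, "contacts_count": 412, "last_location": "(personal, not read)"},
    {**_HEALTHY, "os_patch_age_days": 95},            # patches overdue
    {**_HEALTHY, "tls_interception_suspected": True},  # hostile network
]

if __name__ == "__main__":
    for i, d in enumerate(evaluate_session(SAMPLE_REPORTS)):
        print(f"report {i}: {d.action} {list(d.reasons)}")
```

Running it produces `allow`, then `step_up`, then `deny` for the three reports: the same session moves from full access to re-authentication to revocation purely on posture signals, without the engine ever reading the personal fields in the first report.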
By Bahaa Hudairi, Regional Sales Director META, Lookout.