I recently read Verizon’s 2014 Data Breach Investigations Report which investigated 63,437 confirmed security incidents including 1,367 confirmed data breaches across 50 organizations in 95 countries. The public sector had the highest number of security incidents, whereas the finance industry had the highest number of confirmed data breach incidents (no surprise there!). These security incidents were mostly one of the following:
- POS Intrusions
- Web App Attacks
- Physical Theft/Loss
- Miscellaneous Errors
- Card Skimmers
- Cyber Espionage
- DoS Attacks
Given your industry and the size of your company, some of these may not matter to you (until they happen to you). But there are three types of security incidents that are universally applicable, especially in this age of exploding adoption of mobile devices. They are Insider Misuse, Physical Theft/Loss and Miscellaneous Errors. It just takes a single lapse in security measures for an organization, whether public, private or government, to end up in a story like this:
Further elaborating on the “Insider Misuse” threat, the Verizon report adds that over 70 percent of IP theft cases occur within a month of an employee announcing their resignation. Such departing employees mostly steal customer data and internal financial information. This has been made easier for these employees by permitting them to use their personal devices, which walk out with them when they leave.
In one of my previous posts I spoke about the rapid rise of mobile and how IT management needs to go mobile to keep up. Historically, before iPhones and Androids, IT admin staff maintained draconian control over mobile devices. Today, to address the threat of data breach/data leak through mobile devices, you have to adopt pre-emptive, as well as preventive measures. The pre-emptive measure is the aforementioned control of the mobile devices, limiting the device capabilities available to the user. You do everything to pre-empt the possibility of the data leaving the corporate boundaries. But with employees demanding to use personal devices, that is no longer easy and foolproof. Besides, end-users always find a way to make things easy for themselves on their phones, compromising the IT admin’s control. You, therefore, need preventive measures as well to protect data when your users favor personal convenience over corporate data security. In this situation, you focus on managing the data not the device. Look back at the security incidents discussed above – what worries you more? Losing/compromising the devices or the data on those devices? Exactly!
Monitoring mobile devices, especially employees’ personal devices, is a balancing act. Surely, you may need to enforce certain device capabilities like Pin Lock and pushing configuration profiles. But as long as the philosophy driving these controls is to “manage data not devices”, IT admins can strike the happy balance between corporate data protection and employee’s personal freedom. This means setting controls from the point of view of protecting corporate data only, which may not require remote device wipe or disabling device features/capability. But data needs be managed more granularly than just controlling the entry into the phone.
Data security on mobile devices has to persist throughout the lifecycle of the data – while at rest on the phone, as well as during transmission. It also needs segregation/isolation of the enterprise data from the rest of the data on the phone. This enables admins to have selective yet complete control of the corporate data/file/emails without touching any other data on the phone. To prevent data breach at any stage, data should be protected with military grade encryption and security protocols. Additionally, allowing mobile devices to access corporate data must have minimum to no change to your firewall. It is always a bad idea to configure your firewall to accommodate connections from mobile devices, whose usage scenarios cannot be defined exhaustively.
The Kaseya BYOD solution implements secured encrypted container apps to allow users to access corporate docs, mail and applications on their personal mobile devices. The containerization approach gives IT admins complete control of wiping the data when the device is lost or if the employee leaves the company, without impacting the personal data on the phone. The solution implements security protocols with AES-256 encryption, complies with industry privacy standards (FINRA, FIPS 140-2, HIPAA), and requires virtually no modification to the corporate firewall. The solution also prevents opening, copying/pasting and saving of corporate data/files/emails outside the containerized apps.
In summary, IT is losing control over what mobile devices can be used to access corporate data/applications. Draconian controls are pre-emptive measures that are met with resistance and are not foolproof by themselves. It’s time to focus on managing the data and not the device. A mobility management solution that has security as its cornerstone will enable IT admins to remain in complete control of corporate assets on personal devices, while giving employees complete freedom of to use their personal devices. This seems like the optimal way to achieve work/life integration on a single device for both the organization and the user.
Author: Varun Taware