There is a transformation occurring in many workplaces, but despite the hype around current trends such as the consumerisation of IT and bring your own device (BYOD), these are symptoms and not root causes.
At the core is flexibility, choice and mobility. Individuals want to have more of these, and while organisations hope this will bring improvements in productivity, the fear remains; without the tight central control of all things to do with IT, is it all secure?
There are a number of ways to protect against the increased risks, but the ‘inside out’ character of highly distributed and mobile working in organisations also requires a shift in attitudes.
IT departments can no longer just ‘lock everything down’, because technology savvy employees will always find a way around such controls. They have embraced mobile working for its convenience and flexibility, so will not tolerate overly complex tools or strictures. Chief information officers (CIO) and IT Directors should think of their task as no longer ‘caging cats’ or even ‘herding cats’, but ‘luring cats’.
Some IT heads have already adopted a ‘cat luring’ attitude; this includes encouraging their IT departments to adopt best practices such as:
- Assume all mobile devices and data are vulnerable. The flexible and generally more relaxed employee attitude to mobile working means that organisations should start from the assumption that all mobile devices are comprisable and connected to unsecured networks (that includes their use for voice as well as data).
- Establish a ranked information security architecture. Despite elevated mobile risks, not all information is equally sensitive or private. Levels of protection and control should discriminate based on level risk to the business. This is one area where collaboration between the IT and business functions is vital.
- Protect precious data at rest. This is particularly important for data on mobile devices, which can easily be lost or stolen. However, any data held within the organisation should also be treated this way. A stolen device with appropriate credentials could easily access or compromise centrally stored sensitive information.
- Secure tunnels. All access and information on the move should be over a protected and authenticated connection as no matter what networks are in use there is always a risk of being snooped. Some, for example public Wi-Fi hotspots, are more vulnerable than others, such as mobile operator provided cellular networks, but all carry risk and it is not safe to expect that users will make an informed or correct decision about which ones to use.
- Constrain and project. Some services are too important to risk any data ever being left on a mobile device. With a suitable network connection, these are best hosted from inside a secured facility, with access projected to a mobile device. With no client application, when connection is terminated all residual information disappears.
- Partition work and home. Whether it is their own device or corporate issue, employees will always have some personal use whether it is accessing social networks, checking sports results or storing their CV. Ensuring that such use is accommodated, but kept separate from corporate activity, will reduce the risk of ‘crossover’.
- ‘Bait and switch’. There will always be risky consumer applications that employees would like to use – some cloud based storage services being an example, but if the organisation compromises a little, individuals can be won over. Swallow the cost of offering a more employee-desirable device on condition that the safer corporate alternative apps are used. Then enforce with contract conditions and, ideally, supplemented with technology to bar such applications.
Organisations must plan for and adapt to the change in working practice that consumer technologies and BYOD bring, but strategies that fail to encompass the wider workplace transformation issues of mobile working will not deliver on the expected benefits. Worse still, they introduce costs and risks that, with a bit more planning and effort, could have been avoided. Total mobile security cannot be guaranteed, but with the right attitudes from both organisation and individuals, the bar can be raised and the opportunity represented by consumerisation fully embraced.