With any new technology, enterprise IT organizations tend to deploy first, introduce policies later. This policy-as-an-afterthought approach is always problematic, but the potential for trouble is especially high when employees use their personal mobile devices for work purposes.

For example, a recent Jupiter survey found that more than 80 percent of smartphones are not protected against malware. Jupiter also noted that the BYOD (bring your own device) trend is making it tough for enterprises to maintain a holistic perspective on mobile security. Enterprises had a much easier time locking down mobile devices when all employees carried the same, company-issued device, often a BlackBerry.

But the mobile security landscape has changed, thanks to the proliferation of mobile devices and applications, most of which can be purchased from an app store and downloaded directly to a device.


"The threats are increasing in severity, frequency and complexity," said Justin Greis, senior manager in EY’s Information Technology Advisory Practice. "And as the boundaries of organizations expand, threats have new places to hit. So unless you bake security and policy in from the beginning, it makes it hard to rein in the data."

BYOD Business Case

Making security policy more central to enterprise mobility programs is a key takeaway of an EY report called Bring Your Own Device: Security and Risk Considerations for Your Mobile Device Program. Unfortunately, it's a best practice that is often ignored, Greis said.

A good security policy starts with a solid business case and a strategy plan for mobile technology, said David Nichols, IT transformation leader, EY Americas. A surprising number of organizations skip this step, even though it can lead to added hassle and expense.

"If you just react to mobile devices and applications without some level of strategy in place, you could end up with misaligned technology, policy and vendors that cannot even help you enforce your policies," Nichols said.

Once a strategy is in place, organizations should create a mobility group (or “center of excellence”) made up of stakeholders from across the business, EY suggests. Greis said the group can "start to paint the picture for the future" by developing robust use cases and serve as a driver for innovation.

"You start with the idea that nothing is off the table. If you just plan to hook into a productivity suite, you may be really missing the boat. You may find out your sales team can benefit from real-time quotes or accounting has ideas for improving invoicing," he said.

Many organizations appear to be sticking largely to common productivity apps like email. A recent Vanson Bourne survey found that few organizations are offering mobile access to enterprise applications like CRM and ERP, even though 87 percent of CIOs feel employees would benefit from such access.

Mobile for the Masses

Executives and key user groups should be represented in the mobility group, along with representatives from human resources, legal and IT functions. "After you determine what you want to do, you need to determine how to secure it," Greis said. "It's important to have legal, compliance and IT at the table right from the beginning so they aren't the bad guys. They want to be viewed not as the people who say 'no we can't do something' but as the people who say 'how can we make it happen.'"

On a practical note, Nichols said, "If you don't include these groups from the beginning, they will slow you down when it comes to implementation."

After creating a strategy for BYOD and forming a mobility group, EY recommends creating a support and operations model. This is a key step in moving from the idea phase to implementation, Greis said, and will help ensure the mobility program is sustainable.

An operations model should address such questions as: How do we track and measure the program to make sure it is serving the needs of the business? How do we operate such controls as ensuring people are able to get the right mobile access at the right time, and removing mobile access when users leave the organization?

Greis also advised creating a dedicated mobile management group to oversee the operations model. "It's important to have a dedicated set of resources devoted to supporting and injecting innovation into your mobile strategy," he said. "They are the ones responsible for sustaining the mobile program. They can assess what can be done to improve the program and how other processes might be migrated to the mobile environment."

Risk analysis is a key part of a mobility program, Greis said, and must be an ongoing effort involving representatives from an organization's security, compliance and legal functions. "Your organizational risk profile may change when you add new functions or areas to a mobility program. You need to understand the threat vectors and the controls needed to counter these threats."

And he added, "While you are doing that, it gives you the opportunity to educate users about the new risks they will face in an ever-growing mobile world."

Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.