SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
The BYOD juggling act: balancing security, privacy and mobility
Thu, 5th Dec 2019
FYI, this story is more than a year old

The productivity benefits of enabling cloud and mobile, along with the expectations of today's modern employees, means that the majority of organisations now offer a BYOD and remote working policy.

Yet despite the benefits, personal devices in the corporate setting create something of a headache for enterprise IT teams.

Left unmanaged, personal devices and unmanaged cloud applications can lead to data loss, but if managed too strictly, the IT team risks a backlash from unhappy employees who feel their privacy and right to mobile working is being invaded.

Ban BYOD altogether, and the company loses the productivity benefits of a more mobile workforce.

IT teams find themselves in something of a circus act – trying to juggle the various needs of the business, without dropping one of the balls.

Mobility, privacy and security are, to different business stakeholders, equally important.

So, how can the IT team strike the perfect balance between all three?

Security

IT teams need to protect corporate data on mobile devices to limit data breaches and to comply with data protection regulations.

In a bid to secure these devices, many look at installing mobile device management or mobile application management software on personal devices.

Because this involves installing software agents on employee phones and tablets, effectively it gives IT teams control overall traffic to and from the device.

Whilst this approach gives IT teams a handle on BYOD security, it destabilises the BYOD balancing act because it doesn't consider employee privacy – as well as being a logistical headache.

By placing a software agent on every employee's personal device, all activity is forced through the corporate network.

It allows IT to keep an eye on corporate data, thus improving security, but also means that users' private banking activity, social networking and a whole host of irrelevant information is also proxied via the corporate network.

This approach can lead to unhappy employees, who feel their personal information could be snooped on by unscrupulous IT staff.

Privacy

People are becoming increasingly concerned about the extent to which their privacy is being diluted by online activities.

With data breaches in the news and regulations like GDPR emerging that have been created to help give power back to the people, it's not surprising that privacy is a concern.

Indeed, a Bitglass study found that more than half of employees choose not to participate in their company's personal device program because of privacy fears.

Due to time pressures and the proliferation of smart devices, employees expect to be able to work when and where they want.

However, if employees feel that a BYOD programme puts their privacy at risk, they might go as far as to work around the IT team and access corporate information without its knowledge and consent.

This avenue forsakes security in favour of privacy, as IT loses visibility into how corporate data is being used and its ability to protect it.

Mobility

Left discouraged that they can either see too much or too little when it comes to BYOD, some IT teams might choose to ban BYOD programmes altogether – solving their security and privacy infringement woes.

But this method makes the organisation take a step back rather than forward because it hinders mobility.

Employees appreciate and value organisations that allow them to work when and where they want.

Deloitte found that workers with access to flexible IT policies were happier than their counterparts with non-flexible conditions.

Limiting access to corporate files to just the company building also inhibits productivity.

A recent study by Regus found that 74% of managers believe that flexible working is the key to workplace productivity.

How to balance it all?

IT managers might feel that it's inevitable that one of these factors has to be sacrificed for the others.

They can either control too much of employees' daily activity, too little, or have no procedure in place at all.

Thankfully, there is a way to balance all three requirements.

Instead of controlling every aspect of a personal mobile phone, IT could limit access from risky devices and destinations.

IT teams don't have to place a software agent on personal devices at all.

Rather than focusing on protecting the device, IT teams should look for solutions that protect data – no matter where it travels. These solutions use proxy technologies, rather than software, meaning that they are ‘agentless'.

In practice, agentless security means that the rollout time is much faster and users do not need to be concerned about privacy, because their employer can only see their corporate activities.

These solutions can still offer all common security functions, including data loss prevention and remote wiping of company data – but without forsaking mobility or privacy.

Mobility, privacy and security are in many ways equally important.

To please employees, keep the C-suite happy and corporate data secure, IT teams need to turn their attention away from securing the employee-owned device or applications, to securing their sensitive corporate data.

This way, they can create a BYOD and remote working strategy that allows them to balance all three of these important components successfully.