Government // Mobile & Wireless
Commentary
5/15/2012
11:40 AM
Art Wittmann
Art Wittmann
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Can IT Be Trusted With Personal Devices?

Mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data.

Most IT teams weren't prepared for the BYOD challenge, and they're not handling it well. This assertion is borne out by our Mobile Security Survey, which shows that security education is still underfunded and underappreciated and that there's an ongoing mismatch between the mobile device management features IT deems to be important and what's in end users' best interests.

To illustrate just how pernicious the wrong BYOD policies can be, here's a hypothetical: A worker decides to buy an iPad so that, among other things, he can record and store pictures and movies of important events. Perhaps he manages to catch his baby's first steps or his daughter's piano recital, or he uses the iPad to store hundreds of family vacation pictures.

Being a good and proactive employee, he brings the iPad into work, to use for sales presentations and such. The IT organization tells him that before he can put any company data on the device, even what's freely available on the company website, it'll need to install some software that will enforce passwords (No. 1 on our list of most critical MDM security functions). The app will also perform remote locking and wiping of the device, offer some malware protection, and deliver security updates (Nos. 2, 3, and 4 on the list).

[ BYOD? Get used to it, says Interop panel. Read more at Mobile OS Proliferation Continues. ]

The software will require password changes every few months, enforce minimum standards for length and complexity, lock the device after a given time, and if too many failed password attempts occur, wipe the device (the top 5 password policies desired by IT pros).

Now, suppose one of the employee's young children plays with the iPad, exceeds the number of failed password attempts, and the device is wiped. No baby's first steps, no piano recital, no pictures from the family vacation. The employee had the best of intentions about iCloud backups but didn't follow through, and needless to say, IT hadn't provided any backup mechanism. The livid employee is left with a blank device and a "Gee, we're sorry about that" from IT.

While technology can play a part in protecting the company while letting employees use their own devices for business purposes, most IT teams are creating an insane set of rules for no apparent reason. That same employee could have emailed the sales presentation, which probably isn't encrypted or password protected, to his Gmail account, uploaded some product shots to Dropbox, and used the device for work without IT's involvement. And there's often incentive for employees to do just that, because IT's policies are onerous at best, and at worst downright counter to the employee's interests. If software can't tell the difference between company data and employee data, it has no place on a personally owned device.

Further, mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data. The data is what the company owns, and it's what the company values. But of course, data management involves user training and classification and some security finesse. For too many IT teams, it's easier to use a blunt instrument.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

There's a bit of good news in our survey: While only 32% of respondents have had a security awareness program in place for two or more years, 18% have recently added one, and an additional 25% say they'll get one in place in the next 12 months. Plenty of cloud-based backup services can add a layer of protection for both company and personal data; we recently did a roundup of 13 providers.

No doubt users represent a security risk, but they're also your first line of defense--if you take the time to clue them in on best practices. Explain how securing corporate data can help protect them as well; if their smartphone is stolen, they may want to nuke it. But for goodness sake, don't put device-wipe time bombs on their systems unless you want to explain why all of their personal data is gone and that there's nothing they can do to get it back.

At this interactive Enterprise Mobility Virtual Event, experts and solution providers will offer detailed insight into how to bring some order to the mobile industry innovation chaos. When you register, you will gain access to live webcast presentations and virtual booths packed with free resources. It happens May 17.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
BYODpro
50%
50%
BYODpro,
User Rank: Apprentice
5/15/2012 | 7:19:32 PM
re: Can IT Be Trusted With Personal Devices?
I agree that protecting the data is a better strategy than MDM, but MDM isn't all bad. As far as an employee's ipad getting remote wiped and deleting all of the baby pictures...this really needs to be the employees responsibility.

BYODpro.com
<<   <   Page 3 / 3
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at InformationWeek.com.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.