As smartphone and tablet use grows in companies, IT wrestles with how to back up sensitive data that might reside on these platforms. IT can't simply deploy a software agent for full backups as it would with PCs or laptops because of restrictions built into mobile operating systems. Mobile backups are also complicated by the fact that many smartphones and tablets are the property of the employee, not the employer--86% of respondents to InformationWeek's 2012 Mobile Security Survey say they allow or plan to allow employee-owned devices.
Those employee-owned devices are likely to be Apple or Android products. Our survey shows that 46% of respondents allow employee-owned Apple iOS devices to store corporate data, followed by 36% that allow Android 3.x and 4.x devices, and 28% that allow Android 2.x devices.
A feasible mobile backup plan should address both employee- and corporate-owned devices. While IT has more control over devices it deploys to users, many of the backup challenges are the same regardless of whom the device belongs to.
Put It In Writing
Start with well-defined policies that explain IT's responsibilities regarding corporate data on both employee- and IT-owned devices. On the technology front, consider cloud-based storage and synchronization services to back up essential corporate data, and look to mobile device management software that can provide the kind of fine-grained control necessary to enforce company policy on personal devices.
If you let employee-owned devices access company applications or data, make sure your mobile device policy clearly describes the requirements for access. IT's first reaction to the bring-your-own-device phenomenon may be to write separate policies for employee- and company-issued devices. That's the wrong approach, says Michael Finneran, an independent consultant and industry analyst (and InformationWeek contributor). "Our job is to make sure mobile users get access to the stuff they need securely, regardless of who owns the phone," says Finneran. "What level of security is required is defined by the organization, … and what users get access to is defined by their role."
Your policy should be just as clear about where IT's responsibilities lie regarding backups. IT has an obligation to back up company data and to take steps to do so. But IT doesn't have any obligation to protect an employee's personal information, files, applications, and other information, such as photos and videos.
Of course, separating personal and corporate data is really hard. A mobile device can quickly become a hodgepodge of business and private information. For instance, a phone's contact list could have personal and business contacts. Business documents saved as PDFs may be loaded into an e-reader app. Thus, your policy must make it clear that while IT isn't responsible for backing up your MP3 files or vacation photos, some personal data may be intermingled with corporate backups. Your policy must also address remote data wipes for just the same reason--personal data may be destroyed if a device is lost or stolen.
Download the August 2012 InformationWeek digital supplement.