Going beyond BYOD
We've all heard the stories. The CEO of a global conglomerate goes on holiday with his family and has his device wiped after his three-year-old enters the wrong password one too many times. An errant employee uses his personal device to access corporate information and unwittingly exposes the entire organisation to some sneaky malware. Or perhaps a senior staff member leaves her company-issued laptop in a bar and the password to access the device is '12345'.
Each of these scenarios can have far-reaching consequences. Not only from a loss perspective - losing confidential information, breaking customer trust and affecting revenue - but also from a legal perspective. As legislation like the Protection of Personal Information Act (PoPI) and the General Data Protection Regulation (GDPR) comes into force, situations like these could see organisations facing some pretty heavy fines.
But how do companies protect themselves without limiting employee freedom?
Mobility is nothing new, but it's becoming more complicated, notes Chris Buchanan, client solutions director at Dell EMC South Africa. Mobility solutions have already increased complexity and bring new challenges into the business relating to security, device management, data management and application access. So it's critical that businesses know how mobile technologies can provide the results they're looking for.
According to Craig Nel, cloud platform leader for mobile and cognitive experience at Oracle Middle East, Africa and Turkey, many businesses have embarked on their enterprise mobility journey for the wrong reasons and without serious consideration in terms of the real value this approach can or will add to the business. "Often, we see businesses initiating their enterprise mobility strategy based on what their competitors are doing. This is a mistake," he says. "Hardly ever do these businesses consider the negative impact deploying an enterprise mobility strategy can have on their business. Similarly, they never consider the potential impact of successfully deploying a flawed strategy."
Digitisation of business makes IT infrastructure more complex and blurs the boundaries of the corporate perimeter, says Riaan Badenhorst, GM at Kaspersky Lab Africa. While mobile offices and digital collaboration tools give people the option to work from any location, at any time, they can also be a gateway for cyber threats and fraud. "Balancing risks and rewards is all about putting together a well-thought-out protection strategy," he says.
As everything become more complex, it's critical to find ways to simplify business operations, notes Rodney Daniels, principal consultant at 48Cyber. "We see so many businesses using a wide range of apps to manage and monitor the different areas of their business. This only introduces more management complexities. With the right enterprise mobility management solution in place you can easily deploy security policies down to all devices from a central location and in a controlled manner."
There may not be a one-size-fits all approach, but there are a few important points to be mindful of when developing your security strategy, continues Badenhorst, such as ensuring your protection strategy is multi-layered. This means using overlapping protective solutions, covering different levels of the IT network and making use of a range of technologies that allow your corporate security to dynamically adapt in line with business requirements.
Time to move on
Any discussion around mobile device management inevitably moves to a conversation about 'bring your own device' (BYOD). A policy that was created in about 2009 as personal devices flooded the global workplace; BYOD is the baseline for how to handle all of these new mobile tools. But this isn't to say that BYOD is your only option when it comes to mobile device management.
For Troye MD, Helen Kruger, if you implemented a BYOD policy five years ago, it may be time for a review. "It's critical to consistently review your usage policies and monitor your enterprise mobility implementations to ensure that your security strategy is still sufficient to handle the ever-expanding threat landscape."
If a skilled support team is in charge of your mobile device management platform it's easier to secure management buy-in, which, in turn, promotes employee adoption.Gregory Dellas, CA
Clayton Campbell, CEO, Onsite Group, believes that corporates are better off with a user choice programme, often called CYOD or 'choose your own device'. The company retains ownership of the devices but users have the ability to choose pre-approved devices from a catalogue. This ensures that the organisation can use its tried-and-tested policies and provisioning methods for all of the tools that are being used to access sensitive business information. There's also the 'corporate-owned, personally-enabled' (COPE) option, where the business owns the devices but staff members can still use them for personal calls and activity.
"Ultimately, each 'model' has its pros and cons. It's important that organisations look at the full picture of their employees, costs, practicality and choose an option that best marries their full bucket of needs," says Justin Maier, HMD Global VP for sub-Saharan Africa.
Power to the people
We all know that mobile strategies have a direct impact on productivity, efficiency and market competitiveness. And that mobile organisations are better equipped to react to customer requests. While certain applications should be available anywhere and at all times, employees need clear guidelines around accessing data, using cloud-based services and installing software onto their devices. "People also need to know who holds the user rights on the devices, them or the company, and what the usage permissions are," says Gerrit Olivier, CEO, About IT.
Managing mobility is about managing people. Luckily there are a number of ways to do so.
Create robust device and data management policies. Educate users. Use malware and anti-virus software. Define emergency routines, backups and disaster recovery policies for continuity. Create fall-back systems, says Olivier. Whether it's fingerprint, face or ear recognition, device proximity, location services or voice recognition, combining these safeguards allows a business to embrace mobility without compromising security.
We see businesses initiating their enterprise mobility strategy based on what their competitors are doing. This is a mistake.Craig Nel, Oracle
By activating abnormal usage alerts and ensuring that lost device tracking and data destruction are active and properly set up, you can prevent information from falling into the wrong hands. It's also worth considering the HR implications related to mobility, he continues. These mobility considerations must be included in the contracts that employees sign when starting out at your business. "Employees use equipment, they work with data and information, and, to some extent at least, they too must be responsible for security."
Mobile security success comes down to two things - awareness and maintenance. Awareness is about knowing what devices interact with the business, says Buchanan. This includes employee devices, guest devices and even customer devices. Understanding these interactions dictates how you should segment access to your networks and systems. Awareness is also about educating employees on their responsibilities and the ways their devices could be compromised. Maintenance is about patching devices or, if they can't be patched, restricting their access to parts of the business network, as well as keeping an eye out for malicious apps appearing on devices.
Gregory Dellas, CA Southern Africa pre-sales consultant for security, has found that, in recent years, the success of any enterprise mobility strategy revolves around the skillsets of the team implementing and maintaining technical and policy measures. "If a skilled support team is in charge of your mobile device management platform it's easier to secure management buy-in, which, in turn, promotes employee adoption. Your approach to enterprise mobility must also be compatible with your broader corporate strategy," he adds.
Although it's extremely important that IT managers have central control of devices accessing a corporate network - including device data, security, applications, web activity and data transmission - it's equally important that organisations create a formal device policy that educates staff on security risks and best practices, says Maier.
Brian Timperley, MD of Turrito Networks agrees. "While companies can build systems to protect networks from outside threats, the greatest threat arguably always originates from within," he concludes.
According to a recent global study of consumers conducted by Kaspersky Lab and B2B International, just over a tenth (12%) of employed respondents were fully aware of the IT security policies and rules set out by their employers. Similarly, another study from Kaspersky Lab found that careless personnel contributed to 46% of the cybersecurity incidents that took place within the previous year.
Consistency is key
When talking about user experience, one often thinks about customers. But when it comes to user experience and enterprise mobility - it's all about the employee. If you're allowing staff to work from any location, you need to ensure they have the same experience working outside the office on a mobile device as they would were they working inside the office on a desktop computer. When employees are given the right technology and feel like they're part of a strong digital culture, workers not only feel more productive, but they also have a greater ability to work smarter, says HMD Global's Justin Maier. "Creating a consistent user experience is a journey. It's important to get buy-in from the user and monitor whether your employees are responsive enough to keep up with the demands of an always on environment."
Is a mobile device management solution a must?
For Dell EMC South Africa's Chris Buchanan, mobile device management depends on three things -the size of organisation, budget and appetite for risk. "If you're a small company with only a handful of devices, it's feasible that your tech guy can handle everything on his own. But the more devices there are, the more important it is to invest in a mobile device management solution. As the number of devices increases, it's also easier to justify upping your budget on security because each new device brings with it a fresh set of risks."