In the quest to harness the business advantages mobile provides, many organizations have opened their networks and data up to mobile devices. What companies are failing to come to grips with is that, in many cases – especially in BYOD scenarios – they are assuming massive risk that could ultimately lead to a damaging, costly breach.
In this era of constant innovation, when the new becomes tradition virtually overnight, businesses need to be agile in order to adapt to the tides of change brought on by technology. The most recent technology innovation that has redefined the workplace is, without a doubt, the mobile device. Employees have embraced the freedom that mobile devices have brought them, and employers have embraced their productivity value.
In the quest to harness the business advantages that mobility provides, many organizations have opened their networks and data up to BYOD, which has taken off with rocket-like speed. Organizations are accepting BYOD into their environments because they need mobile capabilities, and because employees are demanding the ability to manage their lives and work on their device of choice. In some cases, employees are footing the bill, and organizations are simply unaware of effective alternatives.
Many companies jumping on the BYOD bandwagon are failing to realize that in most cases it carries with it control and security issues that could snowball into devastating, costly breaches and compliance violations. These organizations are, in a sense, placing perceived reward well ahead of risk.
However, organizations that want to leverage mobile advantages no longer have to assume the extreme risk that BYOD drives. Today, there are mobile technologies available that enable nimble workforces, allow for centralized control and security, and satisfy their employees’ demand for mobile devices that allow them to work and play – all within the confines of security and compliance.
This is accomplished through Company Owned, Personally Enabled devices (COPE). In the COPE scenario, employers own the mobile devices (for example, laptops, smartphones, and tablets) and issue them to employees, who are allowed to use them for work and personal affairs. Because they are company owned, they provide a high-degree of centralized control and monitoring while allowing employees to install consumerized, personal-use applications.
Within any IT purchasing decision process, cost is always a factor that organizations need to consider. In the case of BYOD vs. COPE, decision-makers need to take a “long-term cost vs. benefit” view.
Although implementing a mobile strategy based on COPE devices is initially more costly than allowing BYOD, dealing with a security breach that interrupts production will ultimately cost an organization more than an initial investment in company-owned, company-controlled devices. This is an assertion supported by data, including the most recent Ponemon Cost of a Data Breach Study that pegs the average organizational cost of a data breach at $5.5 million. With COPE devices, IT can ensure that certain precautions are in place, such as drive encryption or anti-malware software.
With BYOD a costly breach is inevitable. Employees using their own devices for work are accessing applications, storing passwords, downloading corporate data, taking pictures, and sending and receiving text messages and emails that can potentially involve sensitive corporate materials — all outside of the control and visibility of their employers’ security teams. How is an IT department supposed to control its environment when it has no idea who is accessing what and when? Quite simply it can’t, which is why BYOD has “out of IT’s control” written all over it. And when a situation gets out of IT’s control, disaster is sure to strike.
The bottom line is that, if your organization wants to take full advantage of mobile, satisfy employees’ desires for personal-use devices, and protect itself against insider threats, it should authorize only devices that allow IT to exert central control and monitoring.
If your organization has recognized a need for mobile and security and compliance concerns are a high priority, when shopping for devices MAKE SURE these four baseline features are available:
1. Centralized control, configuration and management
2. Interoperation with software that monitors employee activities and provides real-time alerts for risky behaviors
3. Records of websites visited, emails and chat sessions and applications accessed
4. Digital, video-like playback of all activities that take place
There are certainly additional points you will want to consider when choosing mobile devices for your environment, but these four are a good starting point. With effectively controlled mobile devices, more and more possibilities open up. A company can reach a point where it can mobilize an entire workforce, making employees as agile as possible while still being able to COPE with security and compliance.
