The mobile security dilemma: Can enterprises trust BYOD?

The benefits of BYOD to an enterprise are two-fold: firstly, removing the cost of providing devices for staff, and secondly, encouraging greater uptake of mobile among employees. This in turn (so the theory goes) boosts productivity and knowledge-sharing.

But the reality is more complex. A key problem with BYOD is that it blurs the line between workers’ personal and professional lives on the mobile phone. This overlap is nothing new. Consumerisation has been a well-reported trend in enterprise technology in recent years. Workers want the tools they use at work to be as intelligent, familiar, and easy-to-use as the technology they use at home.

The Digital Workplace

The extension of consumerisation is the so-called 'Digital Workplace' - a Gartner-led concept that promotes the inter-connection between digital communications, collaboration, data-sharing, business applications, and mobility, to enable more agile working and improve staff productivity and satisfaction.

But regardless of BYOD’s merits in terms of staff engagement and productivity, a significant security problem persists. With BYOD, any smart device can become part of the enterprise’s network. But what happens in the event of a device being stolen, lost, or hacked? In a study conducted jointly by Ponemon Institute and Lookout, two thirds of respondents reported a data breach as a result of using their own mobile devices to access company resources.

BYOD's security impact

Confront a CIO with these concerns and many will respond by claiming that smartphone manufacturers are aware of the value of the enterprise market, and so are continually improving and updating their OS security features to stem data breaches and raise confidence in their corporate use. But these improvements are only strong enough for 60-70 per cent of corporate users.

In particular, companies in highly-regulated industries such as financial services and healthcare, as well as larger enterprises, require stronger security than ‘standard’ levels in order to mitigate growing regulatory, privacy and operational risks.

A CIO might also claim that their organisation has in place an appropriate device management solution to address these risks. At its most basic, this solution is a secure container in which all the company’s data and applications sit, encrypted and insulated from any threats from device loss or unauthorised user access attempts. This means that when a device is under threat, the IT team can remotely disable apps and wipe the container if necessary.

But containers and similar solutions typically bring with them productivity problems which cancel out the benefits of BYOD. Some current solutions might only be capable of containing content and apps that IT has specifically installed. Others can cause compatibility issues and obstruct basic device functionality, such as preventing access to a contact list. In both cases, today’s solutions are able to maintain security, compliance and visibility - but too often at the expense of usability and productivity.

Frustratingly, many containers do not allow the integration of business-critical apps within the container with apps outside it. Instead, the solution follows a simplistic 'utility' approach in which the availability of the app is deemed sufficient, while ignoring the need for apps to integrate with other apps to properly improve productivity. This is in direct contrast to workers’ desktop set-up where, for example, Salesforce will integrate with the email client to simplify the management of calendars and appointments. Clearly, this contradicts a key principle of the Digital Workplace - to allow the employee to be mobile without any loss of the capability they have when in the office.

Strengthening and simplifying authentication

But these aren’t the only ways in which standard container solutions compromise productivity. Overbearing security processes degrade ease of use and upset the important balance between usability and security on which mobility depends.

Concerns around security and data breaches are increasing, and the customer response is to strengthen the authentication process - usually by adding extra verification requirements. Entry to a device has evolved beyond entering a name and a single password, and today includes inputting more pieces of information or even a biometric scan. Each addition increases complexity for the end-user, and the likelihood of them losing their access by forgetting an important authentication detail.

In this way, typical multi-factor authentication today is cumbersome, prone to over-complication and undermines usability - and by extension also productivity and even mobility uptake.

Rather than adding more and more 'factors', the alternative is to rely simply on 'sufficient factor authentication' (determined by the compliance requirements of the enterprise itself) and then increase the strength of each one using analytics.

Contextual analytics can detect the proximity of devices to one another – such as tablets and phones – and therefore prompt alerts about potential loss or theft. It can also collect data on individual staff members’ usage patterns, which then highlight unfamiliar – and therefore suspicious – use.
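A sketch of the two contextual signals described above (device proximity and unfamiliar usage), added here as an illustration and not taken from the article or from any vendor's product. The field names, thresholds, decision labels and sample coordinates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class AccessContext:
    phone: tuple        # (lat, lon) last reported by the user's phone
    tablet: tuple       # (lat, lon) last reported by the paired tablet
    hour: int           # local hour (0-23) of this access attempt
    usual_hours: list   # hours of the user's previous accesses

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 \
        + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def assess(ctx, max_separation_km=1.0, min_hour_share=0.05):
    """Return (decision, signals) without asking the user for another factor.

    Both thresholds are illustrative assumptions; a real deployment would
    derive them from its own compliance requirements and usage data.
    """
    signals = []
    # Signal 1: paired devices far apart suggests one may be lost or stolen.
    if distance_km(ctx.phone, ctx.tablet) > max_separation_km:
        signals.append("devices_separated")
    # Signal 2: access at an hour this user rarely or never works.
    history = ctx.usual_hours
    share = history.count(ctx.hour) / len(history) if history else 0.0
    if share < min_hour_share:
        signals.append("unfamiliar_hour")
    decision = ("allow", "review", "alert")[len(signals)]
    return decision, signals

# Constructed sample data: a user who normally works office hours.
HOURS = [9, 9, 10, 11, 14, 15, 16, 9, 10, 17]
NORMAL = AccessContext((51.5074, -0.1278), (51.5080, -0.1280), 10, HOURS)
SEPARATED = AccessContext((53.4808, -2.2426), (51.5080, -0.1280), 10, HOURS)
SUSPICIOUS = AccessContext((53.4808, -2.2426), (51.5080, -0.1280), 3, HOURS)

if __name__ == "__main__":
    for ctx in (NORMAL, SEPARATED, SUSPICIOUS):
        print(assess(ctx))
```
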

Alternatively, an enterprise can replace the addition of extra factors with the integration of secure third parties such as employees’ social media profiles – especially as these are invariably easier for staff to remember.

By using these methods to simplify the day-to-day access requirements, the organisation can achieve a better balance, improving its container solution’s ease of use without surrendering the security of its data.

BYOD does offer opportunities

Today’s enterprise requires reliable and robust mobility systems and tools in order to stay competitive and to maximise the effectiveness of its workforce. But this in turn requires careful attention to the crucial issue of device and data security in a way that doesn’t sacrifice usability. A more intelligent use of data and more intelligent integration between apps means mobile security and productivity can coexist peacefully, with neither having to compromise its exacting standards.

In this way, rather than weakening an organisation’s security, BYOD can be the route to improving it, and also – finally – boosting staff productivity and effectiveness.

Dave Schuette, EVP & President, Enterprise Business Unit, Synchronoss