From beaches to breaches: Protecting the data in your pocket

If you’re not a workaholic yourself, you probably know one. The employee whose phone is like an extra limb, the holiday-goer who brings their laptop poolside, the email from a colleague sent on a Sunday afternoon. These days, truly leaving work at the office is difficult, if not impossible, with the advent of mobile phones, tablets, and the pervasive ‘always on’ mentality. 

Today’s employees demand flexibility in terms of where and when they work and want a choice over the tools they use. This is, in part, due to the connectivity and ease of use we have with our devices outside of work. Smart devices like iPads and mobile phones, for example, help us to stay connected wherever we are, whether in an airport, at the office, or on the sofa at home. The bring-your-own-device (BYOD) trend, where employees use their personal devices to access corporate data, is a reaction to this escalation in demand for flexibility. Companies have a clear incentive to enable new workflows – after all, connected employees are often the most productive employees. 

But while the BYOD phenomenon has accelerated productivity and led to greater overall employee satisfaction, it has also opened up a Pandora’s Box of security and privacy headaches for IT teams. When an employee leaves the corporate network behind and accesses corporate email, data and files directly from their unsecured device, their organisation loses its traditional ability to protect corporate data as it would within the network. Altogether, the weak security defences of our personal phones and laptops, combined with the forces driving the BYOD trend, put sensitive company data at risk.

Moreover, outside of work, IT teams have no visibility into employee activity when files are downloaded to a personal mobile device. These IT teams, ultimately responsible for corporate data security and tasked with limiting unauthorised access, can’t see where data is being shared, whether a device has been infected with malware, or if an employee has uploaded sensitive information to a risky online app. By using our personal mobile devices to communicate with colleagues, access emails, or download a document, we’re exposing the organisation to a great deal of risk. 

For employees who work from home, travel for business, and need mobile access to corporate data, restrictions around the use of BYOD can be incredibly counterproductive and frustrating. In today’s day and age, employees expect to work the way they want, with access to corporate email, calendar, and other essential work information from anywhere, at any time, on their personal mobile device. Most businesses realise the need for mobility and understand that to fight the trend is a losing battle. A seamless working environment is now a prerequisite in today’s corporate world.

Stuck between a rock and a hard place

In a bid to gain control of data once it has left the corporate network, some companies have turned to mobile device management (MDM) and mobile application management (MAM) software. These invasive security tools monitor and manage your personal devices in an effort to protect data by installing a software agent on the endpoint.

Many workers, naturally, are hesitant to allow that level of control. MDM solutions, for example, allow employers to remotely wipe all of the data on your phone if they think company information is at risk, including personal photos, apps, web history and text messages. MDM can also pinpoint users’ locations through their mobiles’ GPS, without the user knowing.

A recent study on BYOD security found that a mere 44 per cent of employees would be happy to have MDM or MAM installed on their personal devices. The report also found that the majority of employees choose not to enrol in employer BYOD programs that require these device management tools because of privacy concerns, such as access to browsing history and location tracking capabilities.

Overall, employee privacy has been a significant issue in more than one out of three organisations deploying MDM/MAM solutions for BYOD programs. End users are challenging, and even rejecting, traditional MDM solutions because they fear their employer’s ability to access, alter or delete personal data stored on their mobile devices.

IT teams who employ these traditional MDM-type solutions are stuck between a rock and a hard place. Either they see and control too much of their employees’ daily activity, or have no visibility at all. They don’t want to be thrown into the realms of shadow IT but understand that employees might reject an invasive solution – or, at the least, feel unsatisfied by its introduction. Luckily there is a way forward. There is a balance that can be struck between mobility, privacy, and security.

The vast majority of employees – 67 per cent – said they would be willing to participate in BYOD programs if their employers had the ability to protect corporate data but could not view, alter or delete their personal information, photos or applications. Instead of tracking all activity, companies should focus on a solution that solely tracks corporate data. Instead of controlling every aspect of a mobile phone, they should limit access from risky devices and destinations. This means that the user experience is untainted without impacting the security of a corporation’s sensitive data. 

This type of solution is known as ‘agentless’. ‘Agentless’ BYOD solutions are quickly gaining adoption in the enterprise, with Gartner predicting that by 2018, “more than half of all bring your own device (BYOD) users that currently have an MDM agent will be managed by an agentless solution.” Unlike the MDM/MAM alternative, ‘agentless’ solutions do not install any software on employee devices, and only monitor corporate data.   

Ultimately, BYOD is not going away any time soon. But it is definitely undergoing a metamorphosis as user behaviour and expectations about privacy change. Understandably, organisations can’t sacrifice security for mobility. That said, where it’s possible to improve both – to better protect data while still enabling employee flexibility – IT leaders should make that change. Employees should be able to work when and where they want to – be it by the beach or on a Saturday night – without feeling like their privacy has been compromised. 

Anurag Kahol, CTO, Bitglass