Heading off the spectre of GDPR compliance with secure BYOD

Our love affair with technology has led to powerful mobile devices becoming part of everyday professional life. They are great tools for work, driving productivity and enabling flexibility. But, as many organisations have discovered, smartphones also blur the boundary between the working day and out-of-hours use.

With the General Data Protection Regulation (GDPR) set to take effect in May 2018, many organisations are looking for the weak points where personal and sensitive data could be lost or exploited. From a Bring Your Own Device (BYOD) perspective, the major concern is the movement of data between cloud services and personal devices that the organisation does not control.

BYOD is now the expected norm for the majority of employees, so organisations need to keep this in mind if they want to attract and keep top talent. Meanwhile, not having a BYOD policy doesn't stop people bringing personal devices to work; it only stops the organisation having any visibility of what happens to corporate data on those devices. Organisations shouldn't be scared of BYOD; on the contrary, there are many advantages once the right policy and controls are in place.

It's not an issue that can be sidestepped. Ask your average CIO and they would guess that their enterprise has something like 30 to 40 cloud apps in use, but in reality the figure is likely to be much higher, because employees also sign up for and install unofficial apps that IT never sees.

Commonly unauthorised

A typical employee now downloads corporate data from Office 365, Salesforce.com or some other cloud service onto a personal iPhone or Android device, and those files are then often saved on to unauthorised personal services such as Dropbox.

As a result, there is a real danger of data leaking, and with GDPR just around the corner this is surely a concern for those in charge of data security and privacy. Do they really know where all their corporate data is, or which mobile devices it is sitting on? Do they know who is downloading it, and whether it is being accessed from unauthorised devices?

And what happens if an iPhone is left in the back of a taxi after an evening of jolly revelry, or a smartphone is plucked from a bag or coat by a professional pickpocket working city-centre bars, or a device is simply lost? It happens frequently, and it is a serious danger to company data.

Small devices, big thefts

In 2016, almost half a million people (446,000) in the UK had their phones stolen. These figures were extrapolated from the Office for National Statistics Crime Survey for England and Wales, which surveys around 30,000 people annually to track trends in crime.

The company that came up with the figures, a mobile device insurer, clearly has an agenda, but the numbers do stack up against other sources. For instance, more than 742,000 phones were stolen in England and Wales in the 2013/14 survey year, according to a report by the UK government's Behavioural Insights Team. That's about 2,000 a day.

Many thieves wouldn't recognise the value of corporate data, but some will. Most corporate data is sensitive, and more so when it relates to customers, whose personal data is exactly what GDPR protects. Under GDPR, exposure of that data risks not only severe reputational damage but also significant fines, and it is the data controller, not the thief, who answers for it.

Three vital steps

Take a law firm, for example. Its lawyers make extensive use of mobile devices to access legal documents in court rooms and at client premises. If a device is lost or stolen, the consequences could be severe, not only for the firm but also for its clients.

To secure corporate data that is downloaded to mobile devices, three steps are required:

· Discover who is accessing cloud services, and from which devices and apps
· Lock down the data in those apps and on those devices
· Monitor and analyse the apps and devices for continued compliance

This is essentially a layered approach that combines a number of elements: device authentication, encryption of data at rest, and the ability to remotely wipe corporate data if a device is lost or stolen. On a personal device the wipe that a BYOD policy can realistically mandate is a selective one, removing the managed apps and their data while leaving the user's own photos and messages untouched; a policy that promises a full factory reset of someone's private phone tends to be the policy users quietly work around.

Blocking attack vectors

Securing mobile devices that access cloud services should also include other elements: monitoring how data is shared between apps, relying on the secure operating-system architecture of the platform (app sandboxing and managed-app boundaries), and managing the application lifecycle so that no outdated application versions are left running.

These controls not only safeguard against device loss or theft but also defend against other threats: the constant exposure that comes with always-on connectivity, software vulnerabilities in old app and OS versions, untrusted public Wi-Fi networks, Wi-Fi sniffing tools, and man-in-the-middle attacks on the traffic between device and cloud.

The same controls should detect employees jailbreaking or rooting their devices, block cloud-based apps that aren't approved, and guard against rogue employees attempting to access business data for nefarious purposes.
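One way to turn the three steps above, together with the checks for jailbroken devices, outdated apps and unapproved apps just described, into a concrete compliance check. This is an added example in Python and is not MobileIron's code or a description of its product; the device records, policy values, app names and version numbers are constructed for illustration, and the actions (allow, block, enterprise_wipe) are placeholders for whatever an MDM/UEM platform actually does.

```python
"""Added example: a minimal BYOD compliance policy applied to device inventory.

Constructed data throughout; nothing here is real device or user information.
"""
from typing import Dict, List, Tuple

# Constructed inventory: the records an MDM/UEM agent or cloud access log would
# return for the "discover" step (who, which device, which apps, which services).
DEVICES = [
    {"device_id": "ios-001", "user": "alice", "managed": True, "encrypted": True,
     "jailbroken": False, "status": "active",
     "apps": {"Outlook": "4.2301.0", "Salesforce": "252.0"},
     "cloud_services": ["Office 365", "Salesforce"]},
    {"device_id": "android-017", "user": "bob", "managed": True, "encrypted": False,
     "jailbroken": False, "status": "active",
     "apps": {"Outlook": "4.2250.0"},
     "cloud_services": ["Office 365"]},
    {"device_id": "ios-042", "user": "carol", "managed": False, "encrypted": True,
     "jailbroken": False, "status": "active",
     "apps": {"Dropbox": "300.2"},
     "cloud_services": ["Office 365"]},
    {"device_id": "android-099", "user": "dave", "managed": True, "encrypted": True,
     "jailbroken": True, "status": "lost",
     "apps": {"Salesforce": "252.0"},
     "cloud_services": ["Salesforce"]},
]

# Hypothetical policy: approved apps with their minimum versions, approved services.
POLICY = {
    "approved_apps": {"Outlook": "4.2300.0", "Salesforce": "250.0"},
    "approved_services": {"Office 365", "Salesforce"},
}

# Escalation order of the "lock down" actions. On a personal device the wipe is
# an enterprise (selective) wipe of managed apps and data, not a factory reset.
ACTIONS = ["allow", "block", "enterprise_wipe"]


def version_tuple(v: str) -> Tuple[int, ...]:
    """'4.2301.0' -> (4, 2301, 0), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def evaluate_device(dev: dict, policy: dict) -> List[Tuple[str, str]]:
    """Return (finding, action) pairs for one device record."""
    findings: List[Tuple[str, str]] = []
    # Discover: corporate data on a device the organisation does not manage at all.
    if not dev["managed"] and dev["cloud_services"]:
        findings.append(("unmanaged device accessing " + ", ".join(dev["cloud_services"]), "block"))
    # Lock down: data at rest must be encrypted before the device may sync.
    if not dev["encrypted"]:
        findings.append(("device storage not encrypted", "block"))
    # A jailbroken/rooted device cannot be trusted to enforce any of the above.
    if dev["jailbroken"]:
        findings.append(("jailbroken or rooted", "enterprise_wipe"))
    # Lost or stolen: remove corporate data rather than hope the PIN holds.
    if dev["status"] in ("lost", "stolen"):
        findings.append(("reported " + dev["status"], "enterprise_wipe"))
    # Monitor: unapproved apps (data-sharing risk) and outdated approved apps.
    for app, ver in dev["apps"].items():
        minimum = policy["approved_apps"].get(app)
        if minimum is None:
            findings.append((f"unapproved app {app}", "block"))
        elif version_tuple(ver) < version_tuple(minimum):
            findings.append((f"{app} {ver} below minimum {minimum}", "block"))
    for svc in dev["cloud_services"]:
        if svc not in policy["approved_services"]:
            findings.append((f"unapproved cloud service {svc}", "block"))
    return findings


def decide_action(findings: List[Tuple[str, str]]) -> str:
    """The most severe action wins; a device with no findings stays allowed."""
    return max((a for _, a in findings), key=ACTIONS.index, default="allow")


def compliance_report(devices: List[dict], policy: dict) -> Dict[str, dict]:
    """Map device_id -> {user, findings, action} for the whole inventory."""
    report = {}
    for dev in devices:
        findings = evaluate_device(dev, policy)
        report[dev["device_id"]] = {"user": dev["user"],
                                    "findings": [f for f, _ in findings],
                                    "action": decide_action(findings)}
    return report


if __name__ == "__main__":
    for dev_id, r in compliance_report(DEVICES, POLICY).items():
        print(f"{dev_id:12} {r['user']:6} {r['action']:15} "
              f"{'; '.join(r['findings']) or 'compliant'}")
```

Run as-is it prints one line per device: alice's managed, encrypted, up-to-date phone is allowed; bob's unencrypted phone with an old Outlook build is blocked until fixed; carol's unmanaged phone with Dropbox is blocked from Office 365; dave's jailbroken, reported-lost phone gets an enterprise wipe. The point of keeping the rules as plain functions is that the same evaluation can run on enrolment, on every sync, and on a reported loss, which is the "monitor" step rather than a one-off audit.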

Keeping it simple

Security should not, however, come at a cost to the end-user experience. This matters because users are working on the small screens of their mobile devices. Ask a user to log in repeatedly with a complex enterprise password and they are sure to get locked out and call your helpdesk, or worse, stop using the applications and lose the productivity the device was meant to deliver. From the user's point of view there should be little change in what they can do with their device, other than being limited to authorised apps and services, and the device should stay easy to use however many cloud-based apps they run.

Providing a secure single sign-on experience lets users sign on once rather than to each app separately. This keeps things simple and means users won't attempt to circumvent controls out of frustration. From an IT perspective it brings control and visibility, and helps meet GDPR requirements by identifying and blocking the areas of risk, unauthorised users, apps and devices, while securely locking down cloud-based apps and the data they hold.

Vijay Pawar, Sr. Director Product Management, MobileIron
Image source: Shutterstock/Rawpixel