The blinding spotlight of negative publicity has hit the once high-flying Facebook hard this year. Revelation after revelation on how Facebook’s personal data on millions of users was harvested, manipulated and used for nefarious purposes has put the company on the defensive and cost its shareholders dearly.
Facebook’s troubles illustrate the importance of enterprise data security. While most if not all IT executives regard data security as a top concern, they are also focused on productivity and cost-cutting, which can often conflict with security.
A new report from Verizon indicates that organisations across numerous industries compromise their mobile data security because of speed to market priorities and a lack of threat awareness. Verizon’s survey of more than 600 professionals found:
- Nearly a third (32 per cent) of organisations sacrifice mobile security to improve business performance.
- 93 per cent of organisations agreed that mobile devices present a serious and growing security threat, and 20 per cent cite IoT devices as their most significant concern.
- 79 per cent said that disruption of their business operations is an even greater threat than the theft of data.
- Only 31 per cent are using Mobile Device Management (MDM) or Enterprise Mobility Management (EMM).
Time will tell if the Facebook experience changes the attitudes identified in the Verizon survey. But the fact remains that as more end-users use their mobile devices as their sole business tool, the more organisations need to make sure they are secure.
There is a direct correlation between workloads and security threats: as more of the business runs through mobile devices, the attention those devices receive rises with it, whether from outsiders looking for the biggest (and least protected) bang for their buck, or from insiders who either intentionally or unknowingly put enterprise data at risk.
Keys to enterprise data security remain foundational
The two keys to enterprise data security remain foundational: 1) executive buy-in and leadership for any mobile security procedure and 2) employee training. Without these two it doesn’t matter what tools and solutions an organisation throws at the problem, because they will be ignored, or improperly configured and then left without any day-to-day management.
So, in general, the ‘what to do’ part of this story may sound familiar. The Facebook episode is just another example of why the security measures below matter, and it is time to stop ignoring them before it’s too late.
Here are some tried and true best practices for data security management:
- Get the key C-suite roles in on the development (CFO, CISO and CTO). In our experience, this is key to a successful launch of any mobile security policy. We have seen companies thoughtfully build out a mobile security policy plan and yet fail to execute because they don’t have backing from the C-suite. Mobile security needs to be carefully balanced with usability on a mobile device to empower employees. Where a fairly stringent policy is going into place, we sometimes recommend building out a second “VIP” mobile policy that is a little less restrictive to keep company executives happy. Bear in mind that executive accounts are also the ones attackers most want to reach, so any relaxation in a VIP policy should be confined to convenience settings and never extend to the controls (enrollment, encryption, passcode, compromise detection) that decide whether a device is trusted with company data.
- Make sure that the policy isn’t platform-specific but broad enough to stay flexible. We recommend crafting a mobile security policy that can be applied universally, or at least as uniformly as the platforms allow. Employees in an organisation will talk, and it’s important that functionality remains consistent across device types.
Integrating Apple DEP and Samsung Knox
- Many organisations are leveraging the additional security offered by combining Apple’s Device Enrollment Program (DEP) with their EMM platforms. We are also seeing a recent uptick in requests for the Android equivalent (zero-touch enrollment), and others are working to integrate Samsung Knox into their environments. (These programs lock down devices but are not always as flexible as an end user might like.)
- IT executives should assess their existing infrastructure to identify every possible point of access. Everything from secured WiFi with authentication to guest WiFi and VPNs should be considered. Understanding those points of entry into a network, and what each of them subsequently provides access to, is critical to shaping mobile device security.
- Organisations should deploy company mail and documents (as well as document repository access) exclusively through the EMM. Bringing in DEP or Knox (or the Android Enterprise equivalent, with the “Android Enterprise Recommended” programme identifying validated devices) also allows for supervision and more restrictions on corporate devices, which improves the mitigation of compromised and non-compliant devices. Essentially, the logic is “if you aren’t enrolled and in good standing, you’re not getting to the data you want”, and a device the EMM has never seen is treated as not enrolled.
Managing internal and enterprise apps
- Internal/enterprise apps can be managed version by version, allowing new versions to be tested and validated before deployment, so that buggy or possibly compromised builds are not pushed to enrolled devices and do not interrupt the end-user experience. Mobile OS updates can also be managed to some extent through an EMM, with the same approach as for new versions of internal apps: test and validate, then deploy once everything passes security and stability standards.
- At a minimum, EMM compliance policies and enforcement of those policies (not just alerting) can ensure that enrolled devices access company resources in a safe and manageable way. Adding ActiveSync blocking gives greater control over access to mobile mail: compliance policies are layered on top of ActiveSync access so that enrolled, compliant devices can reach mail while non-compliant (and unknown) devices are blocked. The same gate has to cover every other route to the mailbox, such as webmail and IMAP, otherwise a blocked device simply switches protocols.
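The “test and validate, then deploy” rule for internal apps in the bullets above can be enforced mechanically. The following Python is an added example, not code from this article or from Tangoe: the validation step records the SHA-256 of each build that passed, and the push step refuses any package whose version was never validated, whose bytes differ from the validated build, or that would roll enrolled devices back to an older version. The package bytes, version numbers and catalog are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple


def package_digest(package: bytes) -> str:
    """SHA-256 of the package as shipped; recorded when a build passes validation."""
    return hashlib.sha256(package).hexdigest()


def version_key(version: str) -> Tuple[int, ...]:
    """'2.4.0' -> (2, 4, 0); tuples compare component by component."""
    return tuple(int(part) for part in version.split("."))


# Constructed stand-ins for app bundles (real ones would be IPA/APK files).
BUILD_2_3_0 = b"internal-app 2.3.0 bundle (passed validation)"
BUILD_2_4_0 = b"internal-app 2.4.0 bundle (passed validation)"
TAMPERED_2_4_0 = b"internal-app 2.4.0 bundle (altered after validation)"

# Catalog written by the validation step: only builds that passed are listed.
APPROVED_BUILDS: Dict[str, str] = {
    "2.3.0": package_digest(BUILD_2_3_0),
    "2.4.0": package_digest(BUILD_2_4_0),
}
DEPLOYED_VERSION = "2.3.0"  # constructed: what enrolled devices currently run


def release_gate(version: str, package: bytes, approved: Dict[str, str],
                 deployed_version: str) -> Tuple[bool, str]:
    """Return (ok, reason); the EMM push is issued only when ok is True."""
    expected = approved.get(version)
    if expected is None:
        return False, "version %s has not passed validation" % version
    if package_digest(package) != expected:
        # The bytes about to be pushed are not the bytes that were tested.
        return False, "package hash does not match the validated %s build" % version
    if version_key(version) <= version_key(deployed_version):
        # Refuse downgrades and re-pushes of the version already deployed.
        return False, "version %s is not newer than deployed %s" % (version, deployed_version)
    return True, "approved for push"


if __name__ == "__main__":
    for ver, pkg in (("2.4.0", BUILD_2_4_0), ("2.4.0", TAMPERED_2_4_0),
                     ("2.5.0", b"untested build"), ("2.3.0", BUILD_2_3_0)):
        print(ver, release_gate(ver, pkg, APPROVED_BUILDS, DEPLOYED_VERSION))
```

The hash check is what separates “validated” from “a file with the right version string”: a build altered between the test run and the push fails even though its version number is approved.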
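The “enrolled and in good standing” rule and the compliance-gated ActiveSync access described in the bullets above, as a worked example. This Python is added here and is not the article’s or Tangoe’s code; the policy thresholds, the device inventory and the ActiveSync device ids are all constructed. It shows the layering the text describes: a device id the EMM has never seen, or a device that is not enrolled, is denied outright; an enrolled device is then checked against each compliance rule; and stale inventory data counts as non-compliant, because the EMM cannot vouch for a device it has not heard from.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical compliance policy; the article names no specific thresholds.
POLICY = {
    "min_os": {"ios": (12, 4, 0), "android": (9, 0, 0)},
    "max_checkin_age": timedelta(days=7),  # older inventory data is not trusted
    "block_jailbroken": True,
    "require_encryption": True,
    "require_passcode": True,
}

# Constructed inventory in the rough shape of an EMM device export, keyed by the
# device id that the mail client presents in its ActiveSync requests.
DEVICES: Dict[str, dict] = {
    "EAS-1001": {"user": "alice", "enrolled": True, "platform": "ios", "os_version": "12.4.1",
                 "jailbroken": False, "encrypted": True, "passcode_set": True,
                 "last_checkin": "2018-06-01T09:00:00+00:00"},
    "EAS-1002": {"user": "bob", "enrolled": True, "platform": "android", "os_version": "8.1.0",
                 "jailbroken": True, "encrypted": True, "passcode_set": True,
                 "last_checkin": "2018-06-04T18:30:00+00:00"},
    "EAS-1003": {"user": "carol", "enrolled": True, "platform": "ios", "os_version": "12.4.1",
                 "jailbroken": False, "encrypted": True, "passcode_set": True,
                 "last_checkin": "2018-05-01T09:00:00+00:00"},
    "EAS-1004": {"user": "dave", "enrolled": False, "platform": "android", "os_version": "9.0.0",
                 "jailbroken": False, "encrypted": True, "passcode_set": True,
                 "last_checkin": "2018-06-05T08:00:00+00:00"},
}
NOW = datetime(2018, 6, 5, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time


@dataclass
class Decision:
    allow: bool
    reasons: List[str]


def parse_version(text: str) -> Tuple[int, int, int]:
    """'12.4' -> (12, 4, 0), so that tuple comparison works across lengths."""
    parts = [int(p) for p in text.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def evaluate(device: Optional[dict], now: datetime) -> Decision:
    """Apply the policy to one inventory record. Missing or unenrolled means deny."""
    if device is None or not device.get("enrolled"):
        return Decision(False, ["not enrolled in EMM"])
    reasons: List[str] = []
    min_os = POLICY["min_os"].get(device["platform"])
    if min_os is None:
        reasons.append("unsupported platform %s" % device["platform"])
    elif parse_version(device["os_version"]) < min_os:
        reasons.append("OS %s below minimum %s" % (device["os_version"], ".".join(map(str, min_os))))
    if POLICY["block_jailbroken"] and device["jailbroken"]:
        reasons.append("jailbroken/rooted")
    if POLICY["require_encryption"] and not device["encrypted"]:
        reasons.append("storage not encrypted")
    if POLICY["require_passcode"] and not device["passcode_set"]:
        reasons.append("no passcode")
    last_seen = datetime.fromisoformat(device["last_checkin"])
    if now - last_seen > POLICY["max_checkin_age"]:
        reasons.append("last check-in %s is stale" % device["last_checkin"])
    return Decision(not reasons, reasons)


def activesync_gate(inventory: Dict[str, dict], device_id: str, now: datetime) -> Decision:
    """Decide whether the mail server should serve an ActiveSync request.
    The presented id is looked up in EMM inventory; an unknown id fails closed."""
    return evaluate(inventory.get(device_id), now)


if __name__ == "__main__":
    for dev_id in list(DEVICES) + ["EAS-9999"]:
        d = activesync_gate(DEVICES, dev_id, NOW)
        print(dev_id, "ALLOW" if d.allow else "BLOCK", "; ".join(d.reasons))
```

Returning every violated rule, rather than stopping at the first, is deliberate: the reasons are what the EMM shows the user and the help desk, and a device that is both out of date and jailbroken should not be reported as merely out of date.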
Any or all of these practices will enhance enterprise data security, but these efforts could be for naught if employees are not educated on the importance of security policies and procedures. With employee turnover a never-ending process, a thorough, ongoing employee education program is a must.
Craig Riegelhaupt, Senior Director of Product Marketing, Tangoe
Image Credit: The Digital Artist / Pixabay