With the advent of shared workspaces and flexible working, employees are shunning their traditional desks, choosing instead to move freely between desks, meeting rooms and breakout areas. The rise of the third place, social spaces that bridge the gap between the traditional home and work environments, highlights that this preference for fluid, co-working space is not just a phase. A recent report found that 71 per cent of workers described feeling more creative since joining a co-working space, and 62 per cent said their work had improved.
Bring-Your-Own-Device (BYOD) initiatives are often a part of open co-working spaces, owing to the portability of these devices and the seamless transition between home and work, which leads to an increasingly blurred line between personal and business productivity apps. The familiarity and comfort of merging personal and business productivity apps lie in the user interface – the creation of a one-stop shop that allows an individual to maintain the same level of connectivity between home and the increasingly domestic workplace. Now, how exactly does this fit into cybersecurity?
Cybersecurity in the age of BYOD
Merging personal and business apps on a device seems innocuous enough on the part of an employee – the ease of access to both work-related documents and personal documents on a single device offers an unprecedented level of convenience and work-life integration. However, for all its pros, there is one main caveat: the security of the data that the employee is privy to can be compromised as a result of BYOD.
BYOD, despite its increasing popularity in recent years, remains the Wild West of cybersecurity. Given the ubiquity and relative insecurity of mobile devices in the workplace, it’s no surprise that criminals are targeting them. Here’s an unnerving thought: threat actors can gain access to both corporate data and personal data from one easy-to-breach device.
Productivity vs security
Productivity and security are both massively important to an organisation. As far as BYOD is concerned, however, it may seem that the two are working against each other. Should an enterprise risk expensive, reputation-crushing data breaches for the sake of seamless home-to-office work management tools that, according to a Frost and Sullivan study of 500 managers and executives, increased productivity by 34 per cent?
Finding the sweet spot between productivity and security is necessary for enterprises rolling out a BYOD programme. With a zero trust, password-less strategy, finding a middle ground that is sustainable for a business of any size is very achievable.
The zero trust concept
Zero trust is the mindset that an organisation should not automatically trust anything, either inside or outside its perimeter. It assumes the worst (that everything is compromised) and thus requires anyone and everyone attempting to connect to an organisation's network to be verified. It is a reflection of the unmanaged, post-perimeter computing environment we find ourselves in today.
The challenge for IT and CISOs is to actually establish trust in this “zero trust” world. Previous methods of identifying insider threats must now be supplemented with well thought-out trust models, which in turn must be supported by a dynamic policy framework including multiple security signals to continuously assess who can access corporate data. With this strategy, the risk of a breach through employee devices is drastically minimised.
Who to trust?
Even after implementing a mobile security solution, the question still remains over who should be trusted, and at what level. There is no one-size-fits-all answer for this, but a helpful analogy to solve this problem is to think of trust as a ladder. As you climb higher up the ladder, the level of trust in the user increases, and along with it, the confidence you have in providing them access to data.
In an ideal world, you will have established full trust at the endpoint (OS, device, app, location), full trust in the user, and full trust in the network used to transfer the data. This scenario would mean that users could be granted full access to all confidential company data with a fantastic user experience.
As you move down the trust ladder, additional security measures may be required to ensure the user trying to access data can be trusted. This decision is dynamic. Business needs will change, the apps and modes of accessing data will change, and the level of trust afforded to each individual employee will change. But as long as your trust model is “adaptable by design”, then there is no reason why you can’t establish total trust in what was before a zero-trust environment.
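The trust ladder described above, sketched as an added example (not from the article or any MobileIron product). The signal names, the rung-to-access mapping and the step-up measures are assumptions chosen for illustration; the point is that the decision is recomputed whenever a signal changes.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Signals:
    # Hypothetical signal names. Endpoint signals follow the article's list:
    # OS, device, app, location.
    os_ok: bool
    device_ok: bool
    app_ok: bool
    location_ok: bool
    user_ok: bool     # user identity verified
    network_ok: bool  # network carrying the data is trusted

# Assumed rung-to-access mapping; a real policy defines its own tiers.
ACCESS = {3: "full", 2: "internal", 1: "low-sensitivity", 0: "deny"}

# Assumed extra measure required when a pillar is not fully trusted.
STEP_UP = {
    "endpoint": "restrict to managed apps",
    "user": "re-authenticate user",
    "network": "force encrypted tunnel",
}

def evaluate(s: Signals) -> tuple[int, str, list[str]]:
    """Return (rung, access, extra measures) for the current signals."""
    # An untrusted OS or device undermines every other signal: deny outright.
    if not (s.os_ok and s.device_ok):
        return 0, ACCESS[0], ["remediate device"]
    pillars = {
        "endpoint": s.app_ok and s.location_ok,
        "user": s.user_ok,
        "network": s.network_ok,
    }
    rung = sum(pillars.values())
    measures = [STEP_UP[name] for name, ok in pillars.items() if not ok]
    return rung, ACCESS[rung], measures

if __name__ == "__main__":
    # Constructed scenario: same employee and device, re-evaluated as signals change.
    office = Signals(True, True, True, True, True, True)
    cafe = replace(office, location_ok=False, network_ok=False)
    stale = replace(cafe, os_ok=False)
    for label, s in [("office", office), ("cafe", cafe), ("unpatched", stale)]:
        print(label, evaluate(s))
```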
In an ideal world, the idea of apps for business and personal productivity seamlessly merged on employees’ own devices should not instil fear in corporate leaders who are wary of data security. At this point, however, cybersecurity still remains one of BYOD’s main caveats. This is set to change as the cybersecurity space continues to mature with the development of strategies such as zero trust.
Brian Foster, SVP of Product Management, MobileIron