The consumerization of the enterprise has magnified some long-standing enterprise mobile security concerns, and it's brought in a handful of new ones that are weighing on IT pros and users alike.
Consumerization upended corporate mobile device procurement, requiring an overhaul of associated IT policies and processes. But what are the most pressing concerns introduced by users' personal smartphones and tablets? A recent Trend Micro survey of 600 companies with at least 500 employees yielded this list: security risks, data loss, compliance, personal data and privacy. If you're supporting mobile devices or preparing to do so, consider these top five mobile security concerns and find out how to address them.
In the past, IT offered employees only enterprise-ready smartphones that were proven securable, manageable and capable of meeting business needs. Now, IT pros worry that consumer-owned smartphones and tablets aren't capable of supporting existing policies.
But IT can establish acceptance criteria and embrace personal devices that meet requirements for business use, such as device type and OS version. Not comfortable with devices running Android 4.1 or older? Block network, system and data access for those devices. Or, better yet, establish a policy that gives higher-risk devices limited access, such as virtualized interaction with corporate email.
It's undeniable: Mobile devices are often lost or stolen. Devices that you have granted access to business networks, systems and data become a major concern when they fall into the wrong hands. Today, consumer-grade devices have features to address this concern, including passcode locks, data encryption and remote wipe capabilities. Nevertheless, IT may still be concerned about how to enforce the use of these features.
Fortunately, many tools are available to let IT control mobile device lock, encryption and wipe capabilities. At a minimum, employers that grant users access to corporate email from their mobile devices can use Microsoft ActiveSync policies to prevent access from devices without passcodes or encryption, or to send a remote wipe request. Companies with more advanced needs can require workers to enroll their devices in an enterprise mobile device management (MDM) system, automating mobile security policy provisioning and ongoing enforcement.
Even with basic data loss protection, ensuring compliance with broader IT-defined mobile security policies can still be a challenge. Without ongoing monitoring, employees may change passcodes or inactivity timeouts for personal convenience. They may remove other IT-provisioned restrictions, such as re-enabling application installation from unofficial sources. Workers install dozens of third-party applications on their devices, so it is likely that some adware or malware will appear, posing risk to the corporate network, servers or data.
Ensuring compliance on users' devices requires visibility into each mobile device's settings, applications and activities. Companies that enroll devices in MDM tools can monitor devices and enforce compliance. For example, many MDM tools can periodically query installed applications to ensure that required applications stay installed and that no applications are carrying malware. When a device becomes non-compliant, MDM tools can take steps to insulate corporate assets: they can display a notification to a user who tries to remove enterprise applications, or they can use network settings to quarantine the device.
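The acceptance criteria and periodic compliance check described above can be sketched as a small policy evaluator. This is an added example, not code from any MDM product or from the article; the thresholds, package names and device records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration; package names are hypothetical.
MIN_FULL_ACCESS_OS = (4, 2)   # "Android 4.1 or older" gets limited access
REQUIRED_APPS = {"com.example.mdm.agent", "com.example.securemail"}
BLOCKED_APPS = {"com.example.adware.flashlight"}

@dataclass
class Device:
    owner: str
    os_version: str
    passcode_set: bool
    encrypted: bool
    unknown_sources: bool          # app installs from unofficial sources
    apps: set = field(default_factory=set)

def evaluate(dev):
    """Return (access, findings): 'full', 'limited' or 'quarantine'."""
    findings = []
    if not dev.passcode_set:
        findings.append("no passcode")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if dev.unknown_sources:
        findings.append("unofficial app sources enabled")
    for pkg in sorted(REQUIRED_APPS - dev.apps):
        findings.append(f"required app missing: {pkg}")
    for pkg in sorted(BLOCKED_APPS & dev.apps):
        findings.append(f"blocked app installed: {pkg}")
    try:
        version = tuple(int(p) for p in dev.os_version.split("."))
    except ValueError:
        findings.append(f"unreadable OS version: {dev.os_version!r}")
        version = None
    if findings:
        return "quarantine", findings      # insulate corporate assets
    if version < MIN_FULL_ACCESS_OS:
        return "limited", ["older OS: virtualized email only"]
    return "full", []

# Constructed inventory, as an MDM's periodic device query might report it.
FLEET = [
    Device("alice", "4.4.2", True, True, False, set(REQUIRED_APPS)),
    Device("bob", "4.1.2", True, True, False, set(REQUIRED_APPS)),
    Device("carol", "4.3", True, False, True,
           {"com.example.mdm.agent", "com.example.adware.flashlight"}),
]

if __name__ == "__main__":
    for d in FLEET:
        print(d.owner, *evaluate(d))
```

A device whose OS version cannot be parsed is quarantined rather than granted access, so a malformed inventory record fails closed.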
Workers may not object to IT-defined or -enforced mobile security policies, but they may still be concerned about the integrity of their personal photos, music, contacts and applications.
To address this concern, mobility management tools have evolved to better segregate personal and business data on users' personal devices, providing IT tighter control over the safety of business data without endangering personal information. For example, most MDM products now support "enterprise wipe," which removes only MDM-installed settings and applications instead of remotely wiping the entire device. Alternatively, IT may place enterprise data in an authenticated, encrypted data container that can be disabled or removed without requiring workers to give IT remote wipe permission.
Finally, both employers and employees may have reservations about how security measures will interfere with users' personal privacy. Individuals may find some types of ongoing IT monitoring intrusive, such as logging personal communications or off-hours locations.
Some employers address these concerns through written mobile security policies that detail how IT can and cannot use information gathered from mobile devices. A better option is to apply more limited security measures, such as disabling location tracking unless (or until) a device is reported stolen. As a rule, IT should avoid querying or logging users' activity unless there is a defined business need to do so.
As more companies strive to embrace consumerization and accept the bring-your-own-device movement, these steps can help IT departments address today's most pressing mobile security concerns. Over time, devices and needs evolve, and so should each organization's approach to mobile security.