Without question, one of the most important trends in IT during the past few years has been the shift to mobile computing – the use of smartphones and tablets to access business email, to read and edit corporate documents, to access corporate applications, and to communicate and collaborate with others in real time. In fact, Osterman Research has found that 33% of the typical information worker’s time is spent doing work on a mobile device, and 42% of work-related content is accessed via mobile devices, while 31% of content is created on mobile devices.
THE BASIC, PHYSICAL RISKS OF MOBILE DEVICES
For all intents and purposes, a smartphone is a tool that employees can use to access corporate data like email and SharePoint documents completely outside the control or management of the corporate IT department. The result is an enormous increase in the risk that organizations face in four different ways:
- Numerous studies have found that tens of thousands of mobile devices are stolen or misplaced every year. Most users of these devices have not encrypted the data these devices contain, making their content easily accessible to unauthorized parties. Osterman Research has found that not all mobile devices can be remotely wiped if they’re lost or stolen, including some devices that are provided to users by their employer.
- Many users will access non-secure Wi-Fi networks at coffee shops, airports and other locations where data can easily be intercepted by cybercriminals.
- A growing proportion of mobile devices are owned by employees, giving corporate IT even less control over the devices and their content.
- Many users will inadvertently download unsafe apps, including “copycat” apps that mimic their bona fide counterparts, all of which can result in serious security breaches by exfiltrating data from mobile devices or capturing sensitive data.
MOBILITY MAKES DATA LESS SECURE
Mobile devices make users more productive and organizations more efficient, while at the same time dramatically increasing the risk of a corporate security breach, resulting in a growing security nightmare for IT organizations. Consider:
- The vast majority of work-related use of mobile devices is to access corporate email (Osterman Research has found that 97% of users access corporate email from their mobile device). While this makes users more efficient by enabling them to respond any time from anywhere, most mobile devices are not encrypted, leaving sensitive and confidential email and attachments accessible to unauthorized parties in the event a mobile device is lost.
- Remote users must have access to all of their files and so will often deploy a consumer-focused file sync and share capability to have ready access to this content. These tools typically work as advertised, but their use of cloud repositories that are outside the control of corporate IT can render an organization unable to satisfy its compliance and legal obligations for retention and production of data. Moreover, most or all of this data is typically not encrypted on the device itself, making it accessible to anyone if a mobile device is lost.
- Users often need to access corporate applications like SharePoint or CRM data, but normally do so without any sort of security capabilities that will render the data inaccessible to unauthorized parties.
- Users who employ an email or other content classification system on their desktop computer normally do not have this capability on their mobile devices. This leaves a significant gap in these users’ ability to properly classify email given the growing proportion of email that is accessed and created on mobile devices.
WHAT SHOULD YOU DO?
First and foremost, Osterman Research does not recommend that organizations in any way limit the use of mobile devices for the simple reason that they make users more productive and are an integral component of telework and other remote work programs. Moreover, we do not recommend limiting users to a specific set of “approved” apps, since this will limit users’ productivity and most users will just download any apps that they want anyway.
Instead, we recommend that organizations allow the use of mobile devices wherever it makes sense to do so, but deploy a security capability that will mitigate the risks discussed above. For example, implement a secure email capability on mobile devices used to access corporate email, since this is the primary application for mobile devices. This will enable users to employ corporate email freely, while at the same time securing the content of both email communications and any attachments they might contain.
We also recommend implementing a solution that will allow the secure viewing of sensitive data that might be accessed from SharePoint, CRM systems or any of the many other corporate applications that users need to access from their mobile devices. This data must be accessed from mobile devices, but it must remain secure.
Finally, we recommend deployment of a solution that will enable IT to segment the business and personal content on mobile devices. This is essential in any environment, but particularly in those that allow personally owned mobile devices. Because IT must walk a fine line between protecting corporate data on these devices and not destroying or accessing any personal data that they might contain, a compartmentalization technology that will permit corporate IT to manage the business content on any mobile device is essential.