The bring-your-own-device trend is happening whether IT departments condone it or not. However, the scope of security vulnerabilities and the frequency of data loss are giving CIOs the chills.
In InformationWeek’s 2013 State of Mobile Security survey, 45 percent of respondents reported losing data within the past 12 months and 11 percent were required to publicly disclose the loss. Sixty-eight percent of respondents supported BYOD in some form, and 78 percent still cite lost and stolen devices as their greatest security concern, followed by users forwarding data to cloud-based storage services.
In other words, despite the fact that putting corporate data on personal devices is a done deal, roughly three quarters of respondents still fear very common and basic security issues. This is an indication that most BYOD policies and solutions are not addressing these two topics and many others that can lead to the loss of sensitive data.
No number of policies will prevent employees in a large enterprise from jeopardizing data. Rules are too easy to ignore, too hard to enforce and often prevent employees from using mobile devices productively. Therefore, we need to reconsider our approach to BYOD. For the purposes of preventing data loss, a multi-persona BYOD approach has three significant advantages over all other alternatives.
1. One Device, Two Worlds
The idea of issuing work phones is archaic. No one wants to carry a smartphone and a work BlackBerry. From a security standpoint, it’s like carrying a wallet for small bills and a padlocked box for 100-dollar bills.
By comparison, if you use an email client like Outlook, you know how easy it is to switch between a personal and professional inbox with one click. In fact, you probably don’t want to look at one integrated inbox because the flood of social notifications and promotional emails may derail you from focusing on your work. In that case, the separation of personal and professional emails works because switching takes one tap.
A multi-persona BYOD approach involves dividing a phone into personal and professional personas at the operating system level. Switching between personas is as easy as switching between inboxes, and the separation offers the security guarantee of having one wallet for small bills and one padlocked box for larger ones.
2. No Policies to Remember
Remembering to separate personal and professional life on email is easy because it’s in our own self-interest. However, asking employees to remember a list of policies, rules and procedures for mobile device use is unrealistic. This is why IT fears employees loading data into cloud storage. Without highly invasive mobile device management (MDM) software – which requires a lot of management on IT’s end – IT can’t prevent employees from using cloud apps. Moreover, using MDM systems, IT can only ‘blacklist’ apps they know about. That’s a battle IT can never win.
Security has to flow with the way people normally work. For instance, when someone is rushing to send a presentation to a co-worker or an RFP to a prospect, he or she will open the phone, find the data and fire an email however it can be done most efficiently. If the only place an employee can access data is from their secured, professional persona, IT can eliminate the risk of people using unsecured personal email or a rogue Dropbox they set up just for this purpose. Being insecure becomes inefficient when you’re working with multiple personas.
3. Layers of Security
Some BYOD approaches try to divide personal and professional data at the app level – a strategy called containerization – but the multi-persona approach integrates into the operating system to provide a layer of security that can shield sensitive data from malware and other threats. If your prime concern is security, stopping at the app level is insufficient.
If you’re using a single phone for work and play, all your kid needs to do is install infected games or visit the wrong website, and your phone can get infected with malware.
If your BYOD solution stops at the app level, the malware is on the same operating system as corporate applications and data, and therefore it has a chance at infecting, or compromising, corporate apps. In contrast, malware on a personal persona that is separate from the professional persona on the OS level can’t cross over, in the same way cash couldn’t magically hop between your wallet and lockbox.
We cannot continue to show surprise at BYOD failures while we rely on unenforceable policies. And we cannot be surprised at employee backlash when we try to use policies to strong-arm security compliance. Security can’t ruin the convenience of the mobile device or disrupt the typical user flow—otherwise people work around the security measures. In terms of taming BYOD security, the multi-persona approach matches the way people actually work. We can’t ask for much more from security technologies.
Edited by Stefania Viscusi