Let there be light: Why visibility is key to building an effective mobile policy

Consider this: Unrestricted use of Tinder may not pose a problem at a company where the majority of staff is over fifty, but if you work with millennials, you may need to swipe left and reject your current mobile policy. Don’t let your company be the next one to lose precious data and suffer the devastating cost of a data breach simply because you lacked visibility and control over how your investment in mobility is having an impact on the organization.

The mobile device is a distinctive technology that delivers tangible benefits in both personal and business settings. According to IDC’s U.S Mobile Worker Forecast, mobile workers will account for nearly three quarters (72.3 percent) of the total U.S. workforce -- or 105.4 million employees -- by 2020, creating an environment where workers expect to leverage mobile technology at work. As enterprise IT begins to more widely deploy mobile technologies in support of everyday business, mobile devices must increasingly meet corporate standards for security, compliance and acceptable use.

As enterprise mobility evolves and begins to incorporate more contextual data such as location information, IT departments are becoming increasingly aware that they must implement corporate mobile policies to ensure that both the mobile device and the data it exchanges with the Internet are protected. Many admins are so focused on looking within the device for threats such as malware that they lose sight of other threat vectors that are unique to mobility. Preventing data leakage and protecting users from malicious infrastructure are problems that are highlighted when the enterprise has users who roam beyond the protective barrier of the IT perimeter. Mobile security specialists need visibility into all potential mobile threat vectors if they are to implement an effective mobile initiative that increases employee productivity without sacrificing security.

Mobility teams who understand the usage trends of their mobile workforce are able to make more informed decisions as to what type of policies to enforce, helping them approach major events like the Superbowl and March Madness with eyes wide open and enabling them to see threats that may be hiding in the mobile data, as well as usage spikes that could lead to a significant increase in their total cost of ownership for enterprise mobility.

However, it is difficult to balance corporate policy with convenience. Enterprises often struggle to successfully manage their assets without being overly restrictive. In fact, many administrators will make a policy based on a hunch and not fully understand the impact that a particular enforcement action has on the organization.

The secret to implementing more effective policies -- particularly in the complex world of enterprise mobility -- is twofold. First, IT administrators need a comprehensive understanding of how data is being utilized. If they have a sense of how employees are encountering security events, they will know what type of protections are needed. Likewise, if administrators can understand how data is being utilized and what type of compliance violations are being experienced, they’ll be able to ensure the resulting policies are in support of the business.

The second aspect of building effective policies depends on real-time enforcement. Being able to analyze and identify every aspect of a mobile connection -- the device state, the apps in use, the web services being accessed and the infrastructure across which the transaction takes place -- is critical for admin’s policy to be evaluated to the fullest.

Like any effective strategy, mobile policies need to be tailored to the specific needs of the enterprise and focused on managing the issues brought to light by analysis of mobile behavior. Mobility teams need to engage with users and ask them how they would use corporate-owned mobile devices before broadly enacting a mobile policy. Clearly defined acceptable use guidelines will help organizations embrace the benefits of mobility without restricting convenience or putting their sensitive data at risk. The following steps can increase visibility and ensure successfully mobile policy implementation:

1. Educate yourself and your staff: By educating staff on common security threats (phishing, malware, malicious Wi-Fi hotspots, etc.) and how to avoid them, you decrease the likelihood of a data breach. Once staff are up to speed on security best practices, be sure to educate yourself by gaining full visibility into employee mobile behavior. From there, you can take control of data usage and improve security by developing acceptable use guidelines that are effective without being too restrictive.
2. Create company specific policies: These could include: Bring Your Own Device (BYOD) policy, Choose Your Own Device (CYOD) policy, End User policy, Consumerization policy, Corporate Mobility policy and Acceptable Use Policy (AUP). Take into account the unique needs of your organization and factor actual usage into the conversation to ensure that new policies do not break established tools or workflows.
3. Find a balance: A successful mobile policy effectively balances convenience, security and corporate policy. If IT is too cumbersome or inconvenient, employees will find ways to avoid it, exposing the organization to even more risk.
4. Enforce and follow through on set policies: Be sure that your company is enforcing its mobile policies to ensure visibility between IT managers and decision-makers and everyday users.

There will never be a silver bullet to solve the problems associated with enterprise security because the threat landscape continues to evolve, hackers become more evasive and new technologies are being developed at an astounding rate. The most important thing for enterprises to keep in mind is that visibility is essential to mobile data security and management. If you don’t know what sites/apps your employees are using or where your data is being used, how can you expect to maintain security and avoid data loss?

The answer, quite simply, is that you can’t. In order to put your organization in the best position to manage the range of risks facing mobility, first gain full visibility of all corporate liable devices and mobile traffic, then implement a mobile policy that will suit the needs of your organization and employees.

Image Credit: Syda Productions / Shutterstock

Michael Covington leads Wandera’s Product team and is responsible for both defining the product vision and overseeing its delivery to delighted customers. Dr. Covington has over twenty years experience in security research and product development—with roles in academia and industry—including stints at Intel Labs, Cisco Security and Juniper Networks.