What’s not to like about a good bring-your-own-device (BYOD) policy? For most companies, BYOD is a great deal. Employees buy and maintain the devices, and the company gets the benefit of their off-hours availability and productivity while traveling. Nearly three-quarters of organizations with enterprise mobility initiatives have adopted a plan to establish a BYOD policy.

But BYOD can be a sinkhole from a security standpoint if users are unaware of the risks associated with carrying valuable business data around with them. Consumer Reports estimated that 5.2 million smartphones were lost or stolen in the U.S. in 2014, the most recent year from which data is available. Nearly 200,000 phones were left in taxis that year in London alone.

Mobile Device Management and Data Loss Protection

Many companies that adopt BYOD policies also install mobile device management (MDM) software. These enterprise mobility solutions provide great value, but they have their limits. Most work at the hardware, operating system and application levels. They’re great for remote software installation, configuration management, security and asset management, and they can be used to track the location of a device or wipe it clean in the event of loss or theft.

You can also apply certain MDM features to minimize the risk of data loss. For example, most providers will let you set up a password-protected secure area in which to store business files. Any data that comes into this sandbox is tagged and cannot be forwarded or downloaded. This area can also be remotely wiped clean in the event of loss or theft without disturbing personal data.

MDM solutions aren’t designed to manage data, however. That demands a different set of tools and procedures under the umbrella of endpoint data loss protection (DLP). While MDM manages the device, DLP works at the data level. It provides rigorous controls over who can access what data and what they can do with the data they have. DLP can specify, for example, that files in a certain directory with a particular name suffix or files that are password protected cannot be downloaded to local storage or sent across the network.

A Culture of Protection

But enterprise mobility technology alone doesn’t solve the problem. You also need procedures, policies and a culture that recognizes the importance of data protection.

If you have a BYOD program, you need a written policy that specifies what information can and can’t be downloaded to personal devices and the penalties for running afoul of the rules. Any employee who uses a personal mobile device for work should read and sign the policy. It’s not a bad idea to require some training, too. You can find a variety of actual policies and templates online.

DLP is useless without a classification scheme. In the same way that the federal government assigns security levels to information, such as confidential, secret and top secret, your company data should be classified based on its sensitivity. You can then apply a DLP solution to restrict access to specific people, departments and functions. The best protection against compromise is not enabling data to be downloaded in the first place.

Endpoint Management

If you’re considering MDM, you might want to broaden the possibility to include endpoint management. This increasingly popular toolset gathers rich information about each client, including hardware and operating systems configuration data and the status of installed applications. It can apply patches and fixes remotely and perform most other functions of a full-blown MDM solution.

Many endpoint managers now support intelligent agents on the endpoint, enabling security organizations to get a fine-grained view of how devices are being used. These agents can be configured to take actions, such as blocking downloads of information in .doc or .xls formats, automatically. They can prohibit the use of email attachments and alert IT of large file uploads and downloads. When choosing an endpoint solution, be sure to ask about support for these features.

Enterprise Mobility in the Cloud

Unfortunately, there is still no comprehensive solution to monitor or control what data employees store on mobile devices. The best approach is to combine education with selective access and remediation through capabilities such as remote wipe.

But you might also want to opt for a simpler solution, such as putting everything in the cloud. Cloud-based file-sharing services give IT complete control and can be configured to prohibit local file storage. Users can access and manipulate files just as if they were on a local drive, but everything is stored on the cloud server. Given the speed and coverage of today’s mobile networks, it’s hard to imagine why anyone would need to store data locally at all.

More from Data Protection

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…