March 13, 2017 By Paul Gillin 3 min read

What’s not to like about a good bring-your-own-device (BYOD) policy? For most companies, BYOD is a great deal. Employees buy and maintain the devices, and the company gets the benefit of their off-hours availability and productivity while traveling. Nearly three-quarters of organizations with enterprise mobility initiatives have adopted a plan to establish a BYOD policy.

But BYOD can be a sinkhole from a security standpoint if users are unaware of the risks associated with carrying valuable business data around with them. Consumer Reports estimated that 5.2 million smartphones were lost or stolen in the U.S. in 2014, the most recent year from which data is available. Nearly 200,000 phones were left in taxis that year in London alone.

Mobile Device Management and Data Loss Protection

Many companies that adopt BYOD policies also install mobile device management (MDM) software. These enterprise mobility solutions provide great value, but they have their limits. Most work at the hardware, operating system and application levels. They’re great for remote software installation, configuration management, security and asset management, and they can be used to track the location of a device or wipe it clean in the event of loss or theft.

You can also apply certain MDM features to minimize the risk of data loss. For example, most providers will let you set up a password-protected secure area in which to store business files. Any data that comes into this sandbox is tagged and cannot be forwarded or downloaded. This area can also be remotely wiped clean in the event of loss or theft without disturbing personal data.

MDM solutions aren’t designed to manage data, however. That demands a different set of tools and procedures under the umbrella of endpoint data loss protection (DLP). While MDM manages the device, DLP works at the data level. It provides rigorous controls over who can access what data and what they can do with the data they have. DLP can specify, for example, that files in a certain directory with a particular name suffix or files that are password protected cannot be downloaded to local storage or sent across the network.

A Culture of Protection

But enterprise mobility technology alone doesn’t solve the problem. You also need procedures, policies and a culture that recognizes the importance of data protection.

If you have a BYOD program, you need a written policy that specifies what information can and can’t be downloaded to personal devices and the penalties for running afoul of the rules. Any employee who uses a personal mobile device for work should read and sign the policy. It’s not a bad idea to require some training, too. You can find a variety of actual policies and templates online.

DLP is useless without a classification scheme. In the same way that the federal government assigns security levels to information, such as confidential, secret and top secret, your company data should be classified based on its sensitivity. You can then apply a DLP solution to restrict access to specific people, departments and functions. The best protection against compromise is not enabling data to be downloaded in the first place.

Endpoint Management

If you’re considering MDM, you might want to broaden the possibility to include endpoint management. This increasingly popular toolset gathers rich information about each client, including hardware and operating systems configuration data and the status of installed applications. It can apply patches and fixes remotely and perform most other functions of a full-blown MDM solution.

Many endpoint managers now support intelligent agents on the endpoint, enabling security organizations to get a fine-grained view of how devices are being used. These agents can be configured to take actions, such as blocking downloads of information in .doc or .xls formats, automatically. They can prohibit the use of email attachments and alert IT of large file uploads and downloads. When choosing an endpoint solution, be sure to ask about support for these features.

Enterprise Mobility in the Cloud

Unfortunately, there is still no comprehensive solution to monitor or control what data employees store on mobile devices. The best approach is to combine education with selective access and remediation through capabilities such as remote wipe.

But you might also want to opt for a simpler solution, such as putting everything in the cloud. Cloud-based file-sharing services give IT complete control and can be configured to prohibit local file storage. Users can access and manipulate files just as if they were on a local drive, but everything is stored on the cloud server. Given the speed and coverage of today’s mobile networks, it’s hard to imagine why anyone would need to store data locally at all.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today