Thursday, September 13, 2012
In the absence of a BYOD policy, organizations must have clear rules for accessing official data on personal devices.

Data is often compared to water: people talk about data purity, data flow, and of course, data leaks.

One of the ways that companies try to avoid data leaks is by keeping tight control over the pipelines through which data moves, but when most (or all) of an organization's employees carry smartphones through which they access data, it's like having a spigot in every pocket.  Organizations then face a choice: limit the functionality of devices by restricting their access to data, install technological filters on the devices to minimize the chance of a leak, trust their employees to safeguard their devices and the data that they either hold or can access, or adopt some combination of the latter two.

What is at stake

When employees bring their own devices and use their own networks for an organization that doesn't have a BYOD policy, leadership has to decide how much of their organization's data they will allow to flow to those personal machines.  The questions that drive that decision should revolve around three axes: What is the likelihood of a data breach? What is the damage that such a breach might cause? What is the advantage gained by employees having access to data through their personal networks and devices?  In short, a standard risk/reward analysis.

The benefits are vast, especially for an organization that requires decision-making at multiple levels and that needs to respond to events in a dynamic environment.  A mobile workforce is more effective and efficient when everyone has access to the same data.  Further, when people can access that data through multiple networks, an organization can benefit from a redundancy that it does not have to maintain itself.  Even when an organization's network is operational, having people connect to data through their own networks helps prevent bandwidth issues.

But the risks are no less significant.  Losing personally identifiable information, as just one example, could put an organization's entire workforce, customer list, or client base at risk of identity theft.  That alone should give leadership, and indeed everyone, pause before granting wholesale access to any employee with a Web-enabled device.

How are organizations to choose among the three options open to them, briefly described as giving employees (1) no access to data, (2) access through technological filters, and/or (3) access through policy filters?  Let's look at the benefits and drawbacks of each option.

Blocking access to mobile devices

This is a radical decision, but it has one undeniable advantage: it nearly ensures that an organization will not suffer a data breach because of employees' lax mobile security.  Two surveys conducted in late 2011 found that more than half of all smartphone users do not use password protection.  One survey revealed that 44 percent of those who do not lock their mobile devices said that using a password is “too cumbersome,” while 30 percent said they “are not worried about the risk.”  The other survey found that nearly one of every five people uses the same passwords across devices and accounts.  Faced with those facts, an organization's leadership may decide that granting access to its data through mobile devices is not worth the potential damage.

Using technological filters

If an organization does have an overriding interest in its employees accessing data remotely, whether routinely or in the case of emergencies, it can use technical means to protect its data.  For example, IBM uses Lotus Traveler, an extension of its Lotus software that has stringent password requirements, not only for the application but for the device on which it resides.  Other organizations use applications that either encrypt the data they use and then require a password to open the application, or that simply do not store any data on the device but rather act as a pass-through for users.

The benefit of this approach is that it forces users to adhere to a security policy that can be set by leadership.  But there are costs involved in developing software, or in purchasing it, and maintaining and updating security is not cost-free.  For smaller organizations, this may not be an option.  And even for companies that use technological filters, policy filters should act as a secondary safety net.

Using policy filters

A more cost-conscious approach, and one that complements technical filters, is drafting a use-policy for mobile devices that takes advantage of their built-in security features and adds to those the best practices recommended by data security professionals.  Examples include enabling "remote wipe" capabilities, so users can remove all data from lost devices; using strong passwords and changing them regularly; and installing and updating anti-spyware applications.  Most important, however, is simply educating employees about the risks of unsecured devices and the damage that a data loss could cause to their organization.

Connecting personal technology to official networks and devices

One area that any comprehensive use-policy must address is whether and how people can connect their personal devices to an organization's networks and devices.  I'll discuss this at greater length in my next post.