More than a decade after the BlackBerry introduced smartphones to the workplace and three years after the iPad put tablets on the mobile business map, companies still fall short when it comes to “bring your own device” — or BYOD — management.
Barely half are using mobile device management solutions to control their device pool, despite benefits like centralized configuration, policy enforcement and app distribution. Six out of 10 still don’t have a BYOD policy in place. Eight of 10 say they haven’t even tried to educate employees on best practices or risks.
But the problem goes much deeper. Even for organizations that have imposed some BYOD controls, the emphasis has been almost exclusively on managing the devices rather than the data they contain. According to recent surveys, 70 percent of organizations cannot remotely wipe data for more than a handful of mobile devices in use, 76 percent do not encrypt mobile business data, 87 percent do not backup data on smartphones or tablets, and nearly 40 percent don’t backup laptops either.
The upshot: both data protection and governance go out the window.
Without encryption and remote data deletion capabilities, regulated information such as patient data, customer lists, bids, business presentations, product designs, company financials and a whole litany of other sensitive information either stored on mobile devices or sent as email attachments is readily available to data thieves as well as departing employees who can share it with their next employer.
Without backup, there is no way to easily restore data on an employee’s misplaced, purloined or damaged device, or to recover lost information residing exclusively on mobile platforms. According to Gartner, nearly 30 percent of corporate data is stored only on laptops, tablets and smartphones, so the risk of data loss is high. Bereft of a master backup record of all mobile as well as stationary business data, organizations lack critical tools for enforcing corporate policies, generating reports for compliance audits, and reconstructing the history of a given document or other file for leak investigations or litigation requests.
Also missing is IT-managed file sharing that can eliminate the heavy use of consumer file sharing services like Dropbox and YouSendIt by mobile users needing anytime/anywhere document access. Use of those public cloud services increases potential document exposure, throttles internal data visibility, and puts those files beyond IT control.
The irony is that IT departments have spent years building a robust infrastructure for server backup but are dragging their feet in protecting corporate data on mobile devices that are small enough to be easily forgotten or pickpocketed – and that regularly are. According to a McAfee/Carnegie Mellon University survey, mobile devices containing business-critical information have gone missing at four organizations out of every 10. Meanwhile the BBC has reports losses or thefts of 399 laptops, 347 smartphones and 39 tablets in the past three years – including 350 devices in 2012 alone.
Clearly, this leaves a gaping hole in information security that must be plugged. Protecting BYOD devices without protecting the data housed on them is a dangerous practice that will inevitably lead to data leakage, business damage and compliance penalties, not to mention hours of lost productivity for employees who lose their devices and the IT teams charged with getting them back to work.
The need to close the BYOD data management gap is becoming increasingly urgent as mobile devices multiply in the enterprise.
More content is being created, modified and stored on mobile platforms and particularly tablets, which are being rolled out with custom business apps in organizations ranging from airport transportation service SuperShuttle (1,500) to UK-based banking giant Barclays (8,500) and Tokyo’s Meiji Yasuda Life Insurance (30,000). By 2015, tablet shipments will outpace PC shipments. And the emerging ‘phablet’ form factor – larger smartphones with screens of 5” or larger – is expected to add to the mobile stampede.
The volume of unmanaged data is therefore expanding every day. The problem is exacerbated by the fact that the average knowledge worker now has 2.8 connected devices. Many house multiple copies of the same file in document libraries and/or email attachments, increasing the opportunity for leakage if the data remains unprotected. The more data sits outside the firewall, the greater the risk. Hence the risk keeps rising.
This sea change in computing habits requires a comparable change in data management strategies to ensure information security, governance and compliance. The fringe benefit is that these changes can deliver increased productivity for end users as well.
The cornerstone of data management for the mobile business world should be a comprehensive backup program covering every endpoint in the organization, including PCs as well as laptops, tablets and smartphones. This will create a single authoritative source and audit trail of all endpoint data at rest.
With this complete data repository, any file can be easily recovered in the event of device loss, theft or damage. Entire document libraries can be quickly restored on replacement devices. Remote wipe tools can be used to delete data from a missing device without the risk of losing the only copy of critical information. Data required for governance, compliance, forensic and e-discovery can be supplied without needle-in-a-haystack searches through disparate hardware devices used by hundreds or thousands of employees.
Having a master data record also enables mobile users to access their files remotely from whatever device they are using at the moment, eliminating the need to move files from one device to another or into a consumer file sharing service.
Next, Dropbox-type services should be replaced with secure, centralized, IT-managed file sharing. With the right product, all internal and external file exchanges can be consolidated into a single activity stream that provides the same visibility, traceability, auditing and reporting abilities for data in motion as the backup function supplies for data at rest.
This approach also enables policy management to control access to shared data with techniques such as establishing sharing privileges and placing view-only restrictions on sensitive shared files in order to prevent downloads and associated leakage risks. Admins can block user access to consumer file sharing services by blacklisting them on employee devices using the app management feature on most MDM products.
Other components of a mobile data management program should include the ability to encrypt data, perform remote data wipes for lost or stolen devices, selectively delete data on user-owned devices to prevent departing employees from taking corporate data with them, and trace all administrator and end user activities for accountability.
Bottom line: mobile device management is not enough. Used alone, MDM solutions do not protect corporate data at the edge. Given the explosion in data that falls into that category – and the vulnerability of that data to loss and theft because of the small form factor of today’s mobile platforms – it’s time to tighten today’s lax oversight of mobile information assets. In fact, it’s past time.
Because no organization can have a credible risk management strategy without including mobile data in the mix.
Image via TVacres.com.