NEWS FEATURE: Debate rages over how to manage personal mobile devices used for work

Many businesses still don't have a policy on how the devices can access applications

Increasingly, businesses accept the idea that employees should be able to use their personal mobile devices, such as smartphones and tablets, for work. But debate is raging as to whether these employee-owned devices should be managed and secured exactly as corporate-owned devices might be.

A survey of 988 information technology managers published this week by vendor Courion shows 69 per cent of the organisations they work for let employees use personally owned mobile devices to connect to the corporate network, though a quarter of the total say they either don't have a policy on how these personal mobile devices can access applications or are unaware there is one.

"The notion of employee-liable devices is not something that can be ignored," says Andrew Borg, analyst at Aberdeen Group, adding, "Without a doubt, employee-owned devices must be compliant with policy." That might include, at a minimum, the ability to wipe and lock an employee's personally owned device.

In regulated industries, stronger controls might be expected, such as on-device encryption and a mobile VPN. To address the notion of mixing personal and corporate data, there are commercially available products, including those from Good Technology, that can create separation of personal and corporate use at the operating system level for smartphones and tablets. Other possibilities include VMware's virtual-mobile desktop, Borg points out.

Aberdeen Group's own recent research published in March about employee-owned mobile devices being used for work showed that in a survey of 500 enterprises, 72% "permit use of employee-owned mobile devices for business purposes." That's up substantially from the 40% that allowed it just two years ago. In the March 2011 survey, 45% said "yes" to any type of device from the employee end, and 27% said the devices had to be compliant with policy.

When it comes to letting employees buy whatever mobile device they want to use at work, "there are wise ways to do this and unwise ways," Borg says. Some companies allow it simply because they believe they are pushing the costs of the device onto the employees without the IT department managing and securing them. But this view is "short-sighted," says Borg. The strategic view is to push to achieve compliance of personal mobile devices with corporate security and management policies.

Some organizations might agree.

"Our policy is we want our users to use personal devices for work if they want," says Endre Wells, chief technology officer at Philadelphia-based Resources for Human Development, a nonprofit organization with about 4,800 employees in 14 states that provides social and welfare services. But the organization only allows personal devices such as iPhones and Androids for work if the employee agrees to use certain mobile-device management software, in this case, MaaS360 from Fiberlink, deployed there since May.

The MaaS360 agent software, controlled through Fiberlink's cloud-based service, gives the IT division at Resources for Human Development a way to ensure password policy is adhered to, and also provides a way to wipe the devices if lost or stolen. "We've used this twice already," says Wells.

The same Fiberlink software is required on the corporate BlackBerries that the organization still issues to those not using their own personal devices. In the past, the organization paid for about 300 BlackBerries but that number is dropping since employees often elect to use their own personal mobile device.

But not all analysts view the issues raised by employee-owned mobile devices quite the same way.

Gartner analyst Ken Dulaney, speaking at the recent Gartner IT Security Summit, acknowledged mobile-device technology these days does defy some traditional notions of best practices as employees, smitten with the latest iPhones, Androids and other devices they never put down, want to use them as their primary work tool. "This is the fashion business, not the PC business. Don't be a dictator or people will overthrow you. IT has lost control of this area -- it's a coping area," Dulaney said.

A new generation of "digital natives" is entering the workforce, and for them, the old-fashioned desk phone is simply "an expensive router to the cellphone," said Dulaney. When it comes to the mobile smartphones and tablets they may prefer to use, he suggested that if employees own them, these devices could in some instances be treated differently than if they are corporate-issue.

Employee-owned devices wouldn't be able to do as much on the network as corporate-owned devices, perhaps only email. There also should be a "policy document" to hold "individuals liable," said Dulaney. "They must report loss of the device and grant IT the right to wipe the content for any reason." He said that means the employee needs to back up "their personal stuff."

In addition, "they're still required to have a PC or notebook," for the reason that it's needed to read things like spreadsheets that don't convert well into mobile devices today.

If the employee elects to use a corporate-issued mobile device, however, the IT department would take full responsibility in buying it and fixing it, Dulaney said. Third, the reality of corporate life is that C-level executives and influential sales people tend to get what they want, no matter what. So the IT department may need to formalize a "VIP"-type service to allow restricted network access to certain groups in a consistent way that would meet with an auditor's approval.

But in the final analysis, organizations that need more high-level security will need to turn to mobility management software from vendors that include BoxTone, MobileIron and AirWatch, he added.

Yet another analyst, Craig Mathias of Farpoint Group based in Ashland, Mass., recommends a simpler approach. "You don't want tons of different policies. That's a recipe for disaster."

"Don't be foolish here," Mathias advises. If employees are allowed to bring in their personal mobile devices and use them on the corporate network, there should be mobile-device management software on them, and the IT department should insist that it has control over the devices.

"I run across companies all the time that don't have policies," Mathias points out. They think they don't need to put management and security agent software on the employee's device since the company doesn't even own it, but that's missing the big picture, he says. "It's the information that's of strategic value. You own the information on it."

Note: this is vendor sponsored research.

Read more about wide area network in Network World's Wide Area Network section.

Stories by Ellen Messmer
