Byron Thom - General counsel, Optigo Networks
A flexible technology policy can be enticing for both employees and companies. It may improve productivity at the office or empower employees as they wait to pick up their kids after school.
But such an approach is not without risks. An unlocked cellphone left in a taxi should worry the C-suite just as much as a disgruntled employee or a hacker holed up in his or her parents’ basement. Further, as more corporate information enters the public cloud, companies need to somehow determine whether the service providers they contract with have the appropriate security protections and policies in place.
So rather than focusing specifically on mobile devices, a more holistic approach to cybersecurity should be taken. It starts with creating a risk profile and undertaking a threat assessment to identify the company’s crown jewels – information the company wants to protect and confidential information it needs to protect. This is contextual; companies should worry not only about their own sensitive corporate information, but also about contractual information and regulated data that can leave a company exposed to increasing civil and regulatory liability.
Only once a good survey of the risk landscape has been undertaken should a mobile policy be contemplated, with the proper policies to limit the exposure of confidential and regulated data. An overarching strategy must carefully balance the perceived benefits of increased productivity, employee satisfaction and even just the realities of doing modern business with the real risks of a cyberbreach and the costly ramifications that can follow.
David Snell - CEO and chairman, FusionPipe
There is no doubt that security of enterprise mobile data is top of every executive’s mind today. There is a lot at stake when data security is compromised, as we have seen from a number of notorious hacking incidents that have happened over the past year or so. High-profile data breaches at companies such as Sony and Target and various government institutions have caused worldwide concern and raised the bar of what is considered adequate data security protection.
With more and more staff bringing personal devices such as smartphones and tablets into the work environment, and with devices moving inside and outside of the organizations’ firewalls constantly, current methods of securing sensitive data on mobile are put to the test. Protecting corporate data starts at the end points, and includes software and management of personal versus enterprise data. This means that authentication, mobile device management, software distribution and strict security-level policies must be put in place, monitored and managed.
However, enterprises should not lose sight of what is also very important: the end-user experience. While security implementations are a given, user convenience along with security ensures that staff are able to improve or at least maintain the same level of productivity. Finding a balance between security and convenience is imperative to make enterprise security strategies work, now and in the future. No matter what IT says, if policies or solutions are not followed by staff because of the inconvenience they force on the end-user, security cannot be maintained no matter how good the systems put in place are.
Eric Aarrestad - Senior vice-president of product management, Absolute Software
First you must identify what you’re trying to protect. Engage with leadership and legal teams to determine the information your business considers most sensitive and vulnerable to attack. Then ensure your mobile security policy addresses how and by whom this data is accessed. Not everyone needs access to everything. Prioritizing access to sensitive data can immediately remove a large percentage of security risk.
Schedule regular assessments of your security policy to ensure defined processes and best practices are being properly followed. Negligent employees can be the weakest link in your security infrastructure, so it’s important to engage staff through training and testing so that they understand the potential damage caused by their behaviour.
Maintain oversight of and connectivity to devices that contain sensitive data. Use this connection to monitor device behaviour and invoke remote security commands as soon as you detect suspicious activity.
Remember that you must strike a balance between security and productivity. By maintaining a two-way connection with each device, you can determine the details of an event and respond appropriately. Provide IT with a range of options including non-invasive techniques such as user messaging and device freeze through to permanently disabling a device and deleting all of the data it contains.
Finally, use your network. Share best practices with your peers, learn from each other’s mistakes and develop your security policy based on these lessons.