The great debate: Corporate vs. personal liability for smartphones and tablet devices in the workplace




Jeff R. Fawcett, Dell SecureWorks Security Practice Executive
M. Brandon Swain, Dell SecureWorks Security Practice Executive

Executive summary

Why can't I use my iPad or Android smartphone at the office? How can we control the costs associated with mobile devices and the related voice and data plans? Do these questions sound familiar? Is your organization considering allowing personally-owned smartphones and tablets to access corporate applications and data? In a recent study sponsored by Dell, 75 percent of companies surveyed had, or were considering, personally-owned devices in their environment.

The explosive growth in personal smartphones and tablets has created a strong demand to use personal devices at work. IT management must consider the needs and goals of the business, and carefully weigh the costs and benefits of allowing personally-owned devices as part of an overall mobility strategy. With the consumerization of the mobile device market, the historical approach of providing employees with locked-down devices on a two-year refresh cycle may not be the best solution for organizations and their employees.

Many organizations are debating the costs and benefits of allowing employees to use personally-owned devices for business needs. While reduced costs and increased employee morale are popular arguments, organizations must consider hidden costs and corporate governance issues. These concerns must be balanced with opportunities for enhanced productivity and improved employee morale when employees select a mobile device of their own preference.

Introduction

"The desktop Internet ramp was just a warm-up act for what we are seeing happen on the mobile Internet. The pace of mobile innovation is unprecedented, I think, in world history. Consumer companies are taking the lead over enterprise companies. It is more important than ever to listen to employees about where to take your IT department."
Mary Meeker, Morgan Stanley, April 2010

Since the introduction of the iPhone in 2007 and, subsequently, the iPad and Android-based phones and tablets, the cost of mobile devices has decreased, and most are now purchased by individuals for personal use. The computing power available in these devices has also increased, rivaling the capabilities of traditional PCs from only a few years ago. Most mobile devices now support email, multimedia messaging, Internet browsing, and data storage. They have become true computing devices, although still used primarily for content storage and consumption. With app stores in abundance, a variety of consumer- and enterprise-focused applications are available for download. These applications receive very little review for malicious content, exposing sensitive corporate information to being copied and stored on servers outside of the organization's control.

Enterprise mobility costs are increasing due to the rapid expansion in the number of devices and the resulting voice and data plans. This increase in cost, along with the consumerization of smart mobile devices, is leading organizations to consider a move from the traditional corporate-liable to a personal-liable approach to mobility. We will review the benefits and costs of both strategies and will conclude with some additional topics for consideration as your organization develops its overall enterprise mobility strategy.

Corporate-liable approach to mobility devices

The traditional, corporate-liable strategy has many advantages, including governance and control of the devices, as well as the potential for an overall reduction in cost to employees and the organization for mobility-related expenses. However, a well-designed corporate-liable program does not preclude access to a variety of mobile platforms that can meet the needs and preferences of employees.

Benefits of a corporate-liable approach

The ability to maintain governance and control over corporate information is one of the most compelling cases for corporate ownership of mobile devices. This ensures that the organization can deploy and enforce key security policies on devices to meet compliance with regulatory or corporate governance requirements. Restricting access to corporate data and applications to corporate-owned devices will prompt employees to report the loss or theft of a device, allowing timely deletion of all data. The organization can also restrict content on the devices, including third-party applications, to reduce exposure to applications or content that is malicious or contrary to the organization's policies. Finally, by establishing a corporate mobile device catalog, the organization retains control over the device types and operating system versions in use, to manage vulnerabilities intrinsic in some mobile platforms. This allows the organization to enforce the deployment of critical operating system and application updates to correct newly-identified vulnerabilities.

While cost reduction is frequently cited as one reason to move to a personal-liability model for mobility, there may be other opportunities to reduce mobility costs. Bulk device purchases, aggressive negotiation with carriers, and mobile expense management solutions can save money. Support and application development costs may be cut by implementing a standardized catalog of devices for employees to choose from.

Costs of a corporate-liable approach

This corporate control comes, literally, at a cost, as the organization bears the expenses for devices as well as voice and data plans. The corporation also assumes the asset management costs for mobility devices, including procurement, support, and disposal. Finally, there is the voice and data cost associated with employees' personal use of employer-provided mobile devices.

In addition to the expense associated with corporate-liable devices, employee morale may suffer when employees are required to use organization-provided devices. Their dissatisfaction may result from using devices that are older or lack the functionality needed. This can lead to reduced productivity or, in extreme cases, attempts to breach security controls to use unauthorized personal devices.

Personal-liable approach to mobility devices

Many employees say they would prefer to use their own personal mobility devices for business calls, email, and other work. Allowing the use of personally-owned devices may boost employee morale and productivity and offer opportunities to reduce mobility-related expenses. However, in some cases the new expenses borne by employees may eliminate the goodwill associated with allowing employee-owned devices into the organization.

Benefits of a personal-liable approach

Depending on the personal device usage program, organizations may reduce their costs significantly. Many organizations offer their employees a fixed monthly stipend to help offset their monthly voice and data bill. This approach results in predictable mobile expenses for the corporation, and employees become responsible for the costs of their mobile devices and data plans. In this case, the mobility-related asset management expense associated with the acquisition, maintenance, and disposal of devices and the processing of payment for carrier invoices can be reduced or eliminated. In addition to the potential financial savings, organizations might receive other benefits, such as being able to recruit and retain tech-savvy workers who may have a strong attachment to a favorite mobility platform.

When using a mobile device they like and with which they are familiar, employees can be more productive when working out of the office. Having a structured approach to personally-liable devices also reduces the likelihood of employees circumventing security controls to use unauthorized devices, and allows the organization to implement policy and compliance requirements as a condition of use in the corporate environment. Additionally, organizations may be able to secure reduced monthly costs for service and premier-level support from the carriers for their employees.

Costs of a personal-liable approach

While the personal-liable model offers benefits for both employees and employers, security and governance become more complicated and expensive. When sensitive corporate information is stored on a corporate-owned device, the organization can implement and enforce strict controls on the operating system and other features of the device, such as Wi-Fi and Bluetooth, to prevent unauthorized use of that sensitive information. Employees, however, are not likely to allow such an intrusive level of control over their own devices. To meet these compliance requirements, additional security tools, such as Network Access Control and Data Leak Prevention systems, may be required. Other solutions, including secure mobile messaging, mobile device management, and virtualization, should be considered for segregating personal data from corporate data, and for selectively deleting corporate data in the event that the employee leaves or is terminated. Additional security measures may be required to mitigate the risks associated with employees installing applications from app stores. These untrusted applications may expose corporate data or infect other devices on the organization's network.

In addition to security-related costs, the company might experience additional expenses to support multiple mobility platforms. With a small selection of corporate-liable devices, help desk support is limited to fewer devices. With the wider variety of devices that a personal-liable device program introduces, support costs may increase as more, and higher-skilled, help desk personnel are required. Similarly, application development costs may increase as the organization moves from developing applications for a few platforms to a wider range of mobile devices. Dell's Mobile Application Platform helps to produce multi-platform tools that allow one application to be deployed to a variety of mobile application platforms.

Other concerns may be raised by human resources, finance, and corporate counsel. To mitigate risk, organizations must implement an employee agreement that addresses topics including acceptable use of personal devices and corporate access to the employee's device. The financial arrangements relating to stipends or reimbursement of actual expenses should also be included in this employee agreement. Corporate counsel should carefully weigh any record-keeping requirements for SMS text messages or call logs made from mobile devices, and evaluate the potential legal consequences of capturing this information from employee-owned devices.

Finally, employees may discover unexpected expenses associated with using their personal device for work. While their current voice and data plans may be sufficient for personal use, voice and data usage may expand dramatically when employees begin using their phone for work calls and applications. The increase in voice and data costs may be dramatic, especially for employees who travel internationally, where voice and data roaming charges are very expensive. In many cases, a stipend may not be sufficient to cover the increased costs. Alternatively, if the organization reimburses actual costs, an employee may find that they spend several hours a month separating out their personal costs prior to submitting the bill for reimbursement. They may not be comfortable with providing their personal call detail records.
Key considerations for mobility security

Whether an organization chooses a corporate- or personal-liable model, or a hybrid, mobility security must be an integral part of an overall enterprise mobility strategy. This strategy should include the platform, applications, and data that will be offered through mobility technology, as well as the expected users. It should also include an overall assessment of the organization's risk appetite. Dell's Enterprise Mobility Solutions can assist organizations in fulfilling their mobility strategy while managing risk to an acceptable level.

Mobile Device Management

Mobile device management tools allow organizations to enforce corporate policies and validate security settings. Many tools offer the ability to delete all corporate data on the device, as well as data associated with specific applications.

Secure Mobile Messaging

Secure Mobile Messaging tools allow organizations to store corporate email and PIM data in an encrypted container on the device, separate from the data stored in the native device clients. The secure mobile messaging tool provides a method to delete enterprise information without disturbing other information stored on the device. Some secure mobile messaging tools also support message-level encryption that meets U.S. federal government standards.

Mobile Application Platform

Mobile Application Platforms provide a set of tools for the development of secure multi-platform mobile applications. These applications may be web-based, accessed via secure network connections, or applications that run in an encrypted container that prevents unauthorized access from other, malicious applications that may be installed on the device.

In addition to these tools, new security policies and procedures may be needed to meet the challenges associated with this new mobility environment. Following are some questions to consider when deciding which approach works best for your organization:

Are there any specific concerns that would preclude the use of employee-owned devices?
Information may be subject to Freedom of Information Act requests, or other regulatory or compliance requirements that preclude the use of personally-owned devices.

Is there a catalog of devices that would be allowed to access enterprise applications and data?
With each new platform supported in the environment, more management complexity is added. Even in a personal-liable or hybrid model, costs may increase as additional versions of enterprise applications must be developed and maintained.

Is the organization willing to implement additional security controls to allow a broader range of devices?
Not all mobility platforms offer the same intrinsic security capabilities. In some cases, deficiencies in a platform's security posture may be mitigated through the addition of security controls, either on the device or in the corporate network. Additional security measures may be required to mitigate the risks associated with employees installing applications from app stores. These untrusted applications may expose corporate data or infect other devices on the organization's network.

Is the corporation willing to accept a short-term increase in risk to allow newer platforms access to data while the device's management and security tools mature?
New platforms bring new opportunities and challenges. For each new device, and even operating system version, there may be a period of time when appropriate management and security tools do not exist. For corporate-owned devices, it may be an easy decision to delay upgrades. However, for personally-owned devices, employees may be unwilling to forego the latest updates.

How will the organization respond to inappropriate material on a personally-owned device?
This question may be one of the most critical and hardest to answer. Who decides what is inappropriate? Under what conditions could the organization examine the personal property of an employee? What are the laws in your jurisdiction, and do they differ when the employee uses the device for their own convenience compared to when no alternative corporate-liable option is offered?

If the risks associated with an all-encompassing personal-liable approach are too high, is there a subset of employees with a lower overall risk profile that might qualify for personally-owned devices?
The personal-liable approach need not be all-or-nothing. While some employees or business units may pose too high a risk for using personally-owned devices, other employees may have a reduced risk profile that allows personally-owned devices. Some organizations take the approach that limited access to enterprise applications and data may be available to employees who otherwise would not need a corporate-provided smartphone.
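The device-catalog, minimum-OS-version and MDM settings-validation points raised above can be made concrete with a small compliance evaluator. The following Python is an added example written for this page; it is not Dell's code and not the API of any MDM product. The platform catalog, the minimum OS versions, the required settings and the device inventory are all constructed, and the choice of selective wipe for a non-compliant personal device versus block-and-quarantine for a corporate asset is a hypothetical policy rule that mirrors the paper's distinction between the two liability models. It goes slightly beyond the text by also handling platforms missing from the catalog and short or tagged version strings.

```python
"""Device-catalog compliance check in the style of an MDM policy engine.

Added example, not part of the Dell white paper and not any product's API.
The catalog, the required settings and the inventory below are constructed.
"""
from dataclasses import dataclass, field

# Constructed corporate device catalog: permitted platforms and the minimum
# OS version a device must run before it may reach enterprise applications.
DEVICE_CATALOG = {
    "ios": (9, 3, 5),
    "android": (6, 0, 0),
}

# Security settings the MDM agent is assumed to report; all must hold.
REQUIRED_SETTINGS = {
    "passcode_set": True,
    "storage_encrypted": True,
    "managed_container": True,  # corporate data kept apart from personal data
}


@dataclass
class Device:
    device_id: str
    owner: str          # "corporate" or "personal" (the liability model)
    platform: str
    os_version: str
    jailbroken: bool
    settings: dict = field(default_factory=dict)


def parse_version(text: str) -> tuple:
    """Turn '10.3.1' into (10, 3, 1). Short strings are padded with zeros so
    '10' sorts below '10.0.1', and a trailing tag such as '7.0b' is tolerated."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate(device: Device) -> dict:
    """Check one device against the catalog and the required settings.

    The action for a failing device follows the ownership model (hypothetical
    policy): a personal device gets a selective wipe of corporate data only,
    while a corporate-owned device is blocked for the help desk to recover.
    """
    reasons = []
    minimum = DEVICE_CATALOG.get(device.platform.lower())
    if minimum is None:
        reasons.append(f"platform {device.platform!r} is not in the device catalog")
    elif parse_version(device.os_version) < minimum:
        floor = ".".join(str(n) for n in minimum)
        reasons.append(f"OS {device.os_version} is below catalog minimum {floor}")
    if device.jailbroken:
        reasons.append("device is jailbroken or rooted; MDM-reported settings cannot be trusted")
    for name, wanted in REQUIRED_SETTINGS.items():
        if device.settings.get(name) != wanted:
            reasons.append(f"required setting {name} is not {wanted}")

    if not reasons:
        action = "allow"
    elif device.owner == "personal":
        action = "selective_wipe"        # remove the corporate container, leave personal data alone
    else:
        action = "block_and_quarantine"  # corporate asset: block access, route to the help desk
    return {"device_id": device.device_id, "compliant": not reasons,
            "action": action, "reasons": reasons}


# Constructed inventory mixing corporate-liable and personal-liable devices.
INVENTORY = [
    Device("ios-corp-01", "corporate", "iOS", "10.3.1", False,
           {"passcode_set": True, "storage_encrypted": True, "managed_container": True}),
    Device("android-byod-02", "personal", "Android", "5.1.1", False,
           {"passcode_set": True, "storage_encrypted": True, "managed_container": True}),
    Device("ios-byod-03", "personal", "iOS", "11.0", True,
           {"passcode_set": True, "storage_encrypted": True, "managed_container": True}),
    Device("wp-byod-04", "personal", "WindowsPhone", "8.1", False,
           {"passcode_set": True, "storage_encrypted": True}),
    Device("android-corp-05", "corporate", "Android", "7.0", False,
           {"passcode_set": False, "storage_encrypted": True, "managed_container": True}),
]


def run_inventory(devices=INVENTORY) -> list:
    """Evaluate every device and return the verdicts in inventory order."""
    return [evaluate(d) for d in devices]


if __name__ == "__main__":
    for verdict in run_inventory():
        print(verdict["device_id"], verdict["action"],
              "; ".join(verdict["reasons"]) or "compliant")
```

The evaluator treats a platform absent from the catalog exactly like the paper's "catalog of devices" question suggests: it is refused until someone consciously adds it with a minimum version, rather than silently passing. A jailbroken or rooted device is failed regardless of what settings the agent reports, because the agent's own report is no longer trustworthy on such a device.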

Summary

While a number of organizations are considering a personal-liable approach to mobile devices, careful consideration must be given to the benefits and consequences of this new approach. The finance department may view the potential reduction in phone bills as a driving force in transferring the liability for mobility costs to its employees. However, new risks associated with the loss of control over devices may outweigh any potential savings. Employees may be excited about the ability to use their preferred device for work. That enthusiasm will wane quickly when they begin to experience overage charges for their data plan. Human resources and corporate counsel will need to carefully consider the balance between employee privacy, record-keeping requirements, and the obligation to create a workplace free of the inappropriate content that may be stored on employees' devices.

While it would be nice if there were a clear winner in the corporate-versus-personal-liable debate, the appropriate approach will depend on the needs and risk appetite of your organization. Whether using either approach or both in combination, careful consideration of these topics is essential for a successful enterprise mobility security strategy.

Bios

Jeff Fawcett is a Security Practice Executive at Dell, working with customers at the strategy, risk, and architectural levels related to mobility security. He was recently the Director of Symantec's Federal Consulting Group, where he also ran the Federal Cyber Threat Analyst Team. Before that he was Director of Altiris Consulting and VP of Consulting for Novell, where he helped start their SSO, DirXML, and eprovision practices. A mixed background of 10 years in consulting, 10 years as a systems engineer, and 10 years in sales provides a unique perspective in the security area.

Brandon Swain is a Security Practice Executive and founding leader of Dell's Enterprise Mobility Security Services. He was recently the Chief Information Security Officer for Parsons, a global engineering and construction management firm, where his responsibilities included establishing and maintaining security programs for Parsons' US Government projects, as well as commercial projects in the financial services and healthcare sectors. Prior to that, he was a Systems Integration and Security consultant for Dell Services.

Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell and the Dell logo are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. © 2011 Dell Inc. All rights reserved. August 2011.