10 Controls You Need to Make “Bringing Your Own” to the Corporate Network Safer

You fill in the blank.  Call it an iPhone, Android, or just use “device” as the phrase has been recently coined.

Employees love their personal devices!  They are attached at the thumbs.  They choose them with the care of naming a first born child.  Separation from them causes anxiety.  We now use our personal devices at home, work, and play while we are everywhere and anywhere! If a device is used personally and is also used to connect to the corporate network, what does an organization need to do to manage that risk? Why should employers even take that risk?

We know there is risk but what is the reward? It is simple: The reward is productivity! So we have to reduce or manage the risk while we have efficient security practices in place that do not deter us from productivity. How do we get the control we need and the visibility of the mobile devices that connect to our networks? Also, how can we do this as it is happening?

A Smartphone, although different from a PC in some regards, shares many of the same traits.  We need to be concerned about viruses and malware on our phones, just like we need to be concerned with them on our PCs.  This could come as a shock to some people, but in the early 90’s I addressed a team of corporate executives of a financial institution (as their Corporate Information Protection Officer) about the needs of virus protection for our PCs as an exercise for funding.

Remember it was the early 90’s.  They were befuddled about how a PC might catch a virus and wondered out loud how it would sneeze and cough?   Luckily they trusted me enough to allow me to begin the program after I explained what a virus was in the simplest of terms.

I wonder if they remember that moment of cajoling when, just a few years later, stories of viruses hit mainstream news. I knew from my peers in the 90’s that many of them could not gain the same support in their organizations at that time and experienced a lot of pain when the viruses became rampant.

Today things are different.  The news is filled with actual stories of real breaches resulting in real financial loss. Corporations have a great seriousness about security that I have never witnessed before.  What is not widely known are the actual protections or abilities to protect that will lower the risk to an acceptable level and provide the nimbleness required in this decade to be competitive.

The merging of private and corporate activities needs good tools and services to manage them appropriately.

Any product or service on the market today needs to address, at minimum, the following 10 controls:

  1. Anti-virus & Anti-malware protection;
  2. Device locate and lock;
  3. Device wipe;
  4. Device backup and restore;
  5. Application monitoring and control;
  6. Control corporate data delivery so it is delivered securely;
  7. Enforce network-based policy;
  8. Traffic, URL, and email filtering;
  9. Web Security, and;
  10. Data Leakage Prevention (DLP).

I remember when I got my first smart phone.  I immediately recognized how easily important and private information could be lost.  I also saw that updates to my Smartphone were as important as those to my PC, if not more important.  I thought about the value of the device itself and whether it was worth the risk and the effort.

Because of this, I was a bit of a late adopter to the Smartphone world. Many people, judging by my friends and family, were not thinking that way and some still don’t. And many of them have had to deal with resolving transactions that they did not process but their credit card companies or friends think they did.

If I worry that I am going to lose my PC, I am even more concerned about the possibility of leaving my Smartphone behind.  It is so small it could fall out of my pocket or be left on the seat of the train even more easily than my laptop could.  The data that is on it needs to be protected from someone who might pick it up and develop dollar signs in their eyes when they realize I have corporate information and perhaps corporate secrets on it.  The ability to wipe it remotely becomes very important.

If you manage several of these devices or are concerned about what can happen, you should investigate a technology that helps to control Smart Devices.  You can get more information here.

Both our work and personal lives are contained on our smart devices. Our pictures, our contacts, our information searches, our medical information, our purchasing decisions, our daily calendars, even travel habits and plans are on them. If I am going to buy the device and use it for work, my employer will need to help me protect it with the kind of stealth that an enterprise protects their data on any other platform in the company.

Once I connect to the network, the asset is not just my data and the physical device; the corporate information makes it our asset, not just mine. This is a new concept that employees and employers are learning to embrace. Awareness needs to address this joint interest in protecting the information on the device. This is critical to ensure this does not get ahead of most of us like viruses, worms and Trojans did in the early PC days.

What steps do you see organizations implementing to protect devices used by employees in both work and personal use?  What would you advise to increase safety and minimize the risk of losing valuable data?  We look forward to your comments.

Susan Prescott, Technology Security Principal, AT&T