Once upon a time, the only computers people used at work were those paid for, owned and managed by the company and its IT department. One wouldn't even think of lugging in their home PC to use in the office. Why would they?
Even as laptops came into prominence, the few employees that both owned laptops and needed to use them for work purposes had to go through the IT department to have a VPN client and security software installed.
Today, things are quite different. As smart phones continue to get faster and cheaper, more and more employees are walking around with tiny, yet very powerful computers in their pockets. And while many businesses give out and administer smart phones for employee use, in most cases, these are personal devices. This presents unique challenges and considerations for company IT departments.
As an example, I bought an iPhone for personal use three years ago. I loaded it with news apps, music, personal finance apps and personal notes and have been adding more and more of my own data and applications to it as time goes on.
But I also use it for work at my day job. The minute I put in my company's email server credentials into Mail, I transformed the device into a strictly personal one to one that has access to some pretty sensitive company data. I also keep meeting notes in Google Docs (synced between the desktop, iPhone and now my iPad) and share files with colleagues in Dropbox.
If my iPhone were ever stolen or lost, all of that corporate data would suddenly be vulnerable, unless I have the necessary security measures in place.
With so many employees accessing corporate data from personal devices, how can IT departments properly manage the security of these devices without being too heavy-handed?
This is precisely the question that Forrester seeks to answer in one of their latest reports on mobile security. In it, they examine some of the biggest potential security risks that come with the proliferation of personal devices in the workplace, as well as what companies can do to alleviate those risks.
A Few Commonsense Security Measures
There are many obvious advantages that come with the portability of these devices, but one of the drawbacks is that they can easily left behind in a cab or stolen.
Simple steps like password-protecting phones and enabling remote locking and wiping of the device can go a long way in keeping company data safe.
Another issue is malware, especially as Android grows in popularity. Whenever possible and appropriate, anti-malware software should be deployed on any device that accesses company networks or data.
Forrester recommends some basic regulations that should be included in any corporate mobile security policy. Among them:
- The IT department should be allowed to manage any device that has access to company networks and data. This should, of course, be done while still respecting the user's privacy.
- The company's usual Web usage policies should apply to personal devices, as long as they're being used at work.
- The company's IT department should be able to monitor usage while the device is being used on the company's network or premises. They should also have the freedom to restrict access to corporate data if necessary.
- If the device is stolen or the employee leaves the company, the IT department should be able to wipe company data from it remotely.
For more sensitive industries and government agencies, Forrester recommends far more restrictive measures, such as limiting the applications employees can use to access company data.
Does your company have a policy in place to deal with the security of personal devices in the workplace? Let us know in the comments.