By Anurag Kahol, CTO at Bitglass
The majority of organisations today have a BYOD and remote working policy, driven in large part by employee demand and the clear productivity gains companies see where they enable mobile access. Despite the benefits, personal devices in the corporate setting create something of a headache for enterprise IT.
Unsecured, personal devices and the growing use of cloud services can lead to data loss. However, IT team risks alienating employees if overly restrictive. Where employees look to work around IT, they put data at risk. Eliminate BYOD altogether, and the company loses the productivity benefits of a more mobile workforce.
Mobility, privacy, and security are all critical priorities for different business stakeholders. IT is left in the middle, struggling to juggle and balance the needs of the business.
IT teams need to protect corporate data on mobile devices to limit data breaches and to comply with data protection regulations. In a bid to secure these devices, many look at Mobile Device Management or Mobile Application Management software to impose some controls on personal devices. Because these solutions involve installing software agents on employee phones and tablets, they can give IT teams deep visibility over an employee’s personal activity.
Whilst this approach gives IT teams a handle on BYOD security, it destabilizes the BYOD balancing act because it doesn’t consider employee privacy. It is also a logistical headache. In placing a software agent on employees’ personal devices, many organisations will institute a policy like always-on VPN (Virtual Private Network), routing all traffic through the corporate network. It allows IT to keep an eye on corporate data, but also means that users’ private banking activity, social activities, and other irrelevant personal information is proxied and logged via the corporate network. This approach can lead to resentment among employees as their personal activity is tracked by the corporation and could be misused.
People are increasingly concerned with the extent to which their privacy is diluted by online activities. With data breaches in the news and regulations like GDPR driving awareness of privacy rights, it’s no surprise that privacy is a priority for many in the workplace. A Bitglass study found that more than half of employees choose not to participate in their company’s personal device programme because of privacy fears.
Employees expect to be able to work when and where they want. However, if employees feel that a BYOD programme puts their privacy at risk, they might go as far as to work around the IT team. This avenue forsakes security in favour of privacy and is best avoided as IT loses visibility into how corporate data is being used and its ability to protect it.
Left discouraged that they can either see too much or too little when it comes to BYOD, some IT teams might choose to ban BYOD programmes altogether – solving their security and privacy infringement woes. But this approach is no doubt a step back because it hinders mobility. Employees value the ability to work when and where they want. Deloitte found that workers with access to flexible IT policies were happier than their counterparts with non-flexible conditions. Limiting access to corporate files to just the company building also inhibits productivity. A recent study by Regus found that 74% of managers believe that flexible working is the key to workplace productivity.
How to balance it all?
IT managers might feel that it’s inevitable that privacy or mobility be sacrificed in the name of security. Fortunately, there is a way to balance all three.
Instead of controlling every aspect of a personal mobile phone, forward-thinking IT departments are approaching the problem from a data access standpoint. That is, how best to control access to sensitive data from the application instead of from the endpoint. With such an approach, IT teams don’t have to place a software agent on personal devices at all. Existing solutions take this approach using proxy technologies, rather than client software, meaning that they are “agentless”.
In practice, agentless security means faster rollout times and fewer privacy implications for employees because visibility and control are limited to corporate data. These solutions can still offer critical security functions, including data loss prevention and remote wiping of company data, by intermediating traffic and taking action before data reaches an endpoint.
Mobility, privacy, and security are all equally important. To better accommodate employees, keep the C-suite happy, and keep corporate data secure, IT teams need to turn their attention away from invasive endpoint-based tools to more focused security that addresses the underlying data security challenge.