Remote and hybrid work environments will likely become a permanent business fixture in the post-pandemic world. Such a rapid transformation has been made possible by productivity tools, high-speed connectivity, and the devices that employees use to perform their tasks.
However, the increasing use of and reliance on mobile devices comes with risks. It calls for crafting and enforcing measures to ensure data security.
The Ubiquity of Mobile Devices
Mobile devices — laptops, 2-in-1 hybrid computers, smartphones, or tablets — are everywhere. And everyone is using their smartphone or laptop for daily tasks, communication, shopping, banking, and even entertainment. They are valuable tools for productivity in the workplace and at home.
With a tablet, for instance, an employee can be productive anywhere. Whether in the office, at home, in transit, hotel room, airport, or cafe. She can access her work email and productivity app. In a sense, the tablet becomes her workstation where she keeps records, logs data, communicates with colleagues, and even transacts payments. She can also check on her family and friends on social media. A lot more can be done with a mobile device.
However, while mobile devices are valuable, they’re also a security risk. It’s only fitting to enforce fair policies on their usage by employees working in remote and hybrid environments. Because as enterprise endpoints, smartphones or tablets are easy targets for attack by cybercriminals.
Attack Surface Expanding
Most services, apps, and back-end systems designed for PCs and laptops are integrating smartphones and tablets. Such integration creates another layer to the attack surface, another way for attackers to get at critical data. With employees having permission to access corporate data through their network-connected mobile devices, the attack surface expands, making data protection more complicated.
For cybercriminals, there’s no device that’s not susceptible to threats and attacks. They can infiltrate networks through mobile devices. A personal smartphone, in particular, is harder to secure, due to multiple applications installed, opening several entry points for the hackers to exploit.
Threats and Security Measures
The common risks for mobile devices are device loss and theft. But hackers prowling in the dark employ various social engineering and phishing techniques. They intercept communication between devices and networks and then infect the application and penetrate the system. If an employee lacks cybersecurity awareness, corporate data could easily be compromised.
There have been steps that IT teams have adopted to improve their security postures, such as zero trust, password management, two-factor authentication, device tracking, and application and network monitoring. Third-party security providers also offer measures usually set in a package that includes managing mobile devices, endpoints, and applications — minimizing access to public networks and training workers on mobile security awareness.
Securing Mobile Devices
The organization is at risk as soon as employees with access to corporate data connect their devices to networks, applications, and services. And a remote workplace environment exacerbates this risk as the transmission of information from the endpoint to the central server or cloud passes through multiple layers of interconnected networks. Without protocols or security policies set in place, it builds a paradise for cybercrime organizations.
How then should a company implement protocols on employees’ use of mobile devices in the workplace in a way that balances productivity and security?
Approaches to Mobile Device Control
There’s no question that the use of mobile devices provides employees with flexibility, as they can be productive anywhere they are. Collaborative work will be much easier and convenient when team members can access emails, send messages, or track their projects and workflows in real time, whether they are in the office, at home, or on the go. They can do more with a single device — from communication to data input to scanning and signing documents.
The problem lies in the use and access of non-work-related apps and the browsing habits of employees, which could potentially put company data at risk. Then there’s also the issue of the use of home Wi-Fi and unsecured public networks.
There are three approaches for a company to adopt in their policy on the use of mobile devices.
Bring-your-own-device (BYOD) Policies
When employees use their devices for work-related tasks, it provides flexibility and convenience. An employee carries only one device and uses it with familiarity as it becomes an extension of herself. The company spends no additional cost on the purchase of the device.
However, an employee’s personal mobile device is hard to protect due to its multiple uses. And then there’s the issue of privacy and personal space for employees that they do not want their employers to have control over. Security can thus be more lenient. This approach, although convenient, is less secure.
Company-owned, Personally-enabled (COPE) Devices
Providing employees with mobile devices for work and personal use would incur costs for the company. The use of a single mobile device is easier for the user. But with a company-owned device, the user will be more disciplined in demarcating work-related tasks and personal matters.
The approach has a BYOD feel. But it might not be necessary at all since everyone carries a smartphone. As to the security protocols, it presents an ambiguous situation for the user and the company. A thin line separates personal privacy from the all-seeing eyes of company trackers and monitoring tools.
Company-owned, Business-only (COBO) Devices
So far, this approach is more secure as an organization will have more control over the use of the device. The IT team can enforce stricter security protocols, including cleaning off the user’s stored personal data. It is much simpler to manage the expectations of both employees and the IT security team.
Applications undergo a rigorous security check before installation. Plus, the device has to be monitored, complete with data logs. Security is tighter, and the line that separates work and personal use of a mobile device is clearer. The only downside is that the user carries multiple devices, which might be counterproductive.
In Defense of Company-issued Devices
The IT security team can easily control and track company-issued devices used solely for work purposes. They are easy to manage compared to employee-owned ones. Mobile devices offer flexibility. But from a data security standpoint, corporate-issued devices are much safer, unlike employees’ personal mobile devices.
A company-issued device might incur more costs on the company, but the investment could be worth it rather than paying the price of lost data. It has clearly defined parameters on security, compelling an employee to understand the limits of device usage. This approach might be the more logical policy to adopt, particularly in businesses with high security needs, as it allows organizations to have more control of the device and security oversight.