Organisations are facing the growing problem of managing the increased number of mobile devices being used by employees in the workplace. Jorina van Rensburg, Managing Director of Condyn, discusses how companies can balance their employees’ right to privacy with maintaining enterprise security.
Given the number of mobile devices employees use, companies are under pressure to manage these multiple touchpoints in the organisation more effectively. But too often, security falls by the wayside in the rush to make communication easier.
One of the most significant obstacles is knowing where to draw the line between personal and corporate use. Err on the side of too much freedom and the business can be viewed as afraid of infringing on the rights of employees. The flip side is also true. Placing too much control in place and the organisation is painted as Big Brother spying on the personal lives of employees.
The more personal devices are involved on the corporate network, the more difficult it becomes to manage. And then there is the small matter of ensuring that employee devices (and the multitude of platforms being used) can access the corporate network and vice versa. This can become an expensive and complex process depending on the size of the organisation.
Managing change
Consideration must also be paid to how quickly mobile technologies evolve with security solutions struggling to keep up. This is especially the case when it comes to the human factor, for example data theft. With more personal devices accessing mission-critical information, decision-makers are finding it difficult to maintain an efficient (and secure) corporate perimeter.
A few years ago, social networks, cloud storage and Internet of Things devices were not widespread. Employees did not use their own devices at work and could not easily download a large amount of data to a removable disk. Telephones were used only as a means of communication. Today, things are a bit different. Mobile phones can store a significant amount of data, access the internet and be used for remote work. And while it would be nice to control all this activity, the employers have no right to do this as these phones are often the personal means of communication for employees.
Fortunately, the company has the right to forbid personal devices connecting to the organisational IT infrastructure and provide employees with corporate phones for business use. If devices belong to a company, special monitoring systems can be installed on them. The downside is that employees will be aware of the control and will still prefer to use their personal phones.
This is where Mobile Device Management (MDM) comes in to help regulate the use of devices in the workplace. It enables the business to monitor in real-time how mobile devices are used and what information is accessed. MDM solutions, such as those developed by SearchInform, can block unknown devices that are trying to connect to a source with confidential information. And any data stored on lost or stolen mobile devices can be erased remotely to further safeguard the organisation.
Regulatory affairs
With the South African Protection of Personal Information Act (POPIA) and the European Union General Data Protection Regulation (GDPR) looming, standards will be set regarding the rights of users (specific to data on the network).
For example, the GDPR clearly determines the limits around data usage and indicates which information is personal. More importantly, it gives users the right to have their data removed. Previously, this procedure was much more complex as there was no standard to adhere to.
But even before these and other legislative requirements, companies and countries had their own established procedures, ideas on personal data, information security and regulations. With all these elements becoming more formalised, organisations must ensure that they comply with all these regulatory elements or face significant financial fines.
The reality is that managing mobile devices, employees’ use of data and network resources, and securing all potential entry points on corporate infrastructure, have become significantly complex. Businesses need to have the right systems, policies, and procedures in place to mitigate these threats or risk opening themselves up to malicious attacks (both internally as well as externally).
Today, most organisations allow employees to use their personal devices. But it must be remembered that these should not be viewed as data channels. Instead, the business should use them as information receivers that access data through those channels managed (and protected) by the organisation.