With the General Data Protection Regulation (GDPR) set to take effect in May 2018, many organisations are looking at potential vulnerabilities where sensitive data could be lost or exploited.
And of course, from the perspective of Bring Your Own Device (BYOD) there are major concerns around the transfer of data between the cloud and devices. Locking down data in apps accessing cloud services and securing your mobile devices has never been more pressing, in order to avoid the substantial fines and reputational damage your business will be exposed to should a data breach occur.
CIOs should be very aware that this isn’t an issue to be ignored. They might estimate around 30 to 40 cloud apps are running in their organisation at any one time, but in reality, this figure is probably much higher due to employees’ tendencies to download and run unofficial apps with questionable security protocols.
After all, the proliferation of powerful personal technology available to the masses has led to an influx of mobile devices flooding the personal lives and professional lives of employees – in fact, it has now become an expected norm for employees to use their own devices. There are no doubt positives: these devices drive productivity and enable flexibility, but as many organisations have discovered, smartphones can blur the boundaries between the working day and out of hours use.
Where do we draw the line and what are the threats when considering BYOD within the context of the GDPR’s stringent compliance rules?
Do you know which mobile devices your corporate data is on?
We’ve all heard the stories about sensitive data being downloaded onto insecure servers – it was a defining theme in last year’s US election for instance – and the typical employee is no different.
Corporate data is downloaded from secure company cloud services onto personal iPhone or Android devices and files are often then saved to personal unauthorised services such as Dropbox.
As a result, there is a danger of data being leaked and with GDPR just around the corner this is a concern for those in charge of data security and privacy. Do they really know where all their corporate data is or which mobile devices it is sitting on? Do they know who is downloading it and is corporate data being accessed from unauthorised devices?
However, there are several steps you can take to ensure that data is locked down on the mobile devices floating in and around your organisation.
Three vital steps…
A good example could be a law firm. Lawyers make extensive use of mobile devices to access legal documents when working remotely, perhaps at court, or at client locations. If a device is lost or stolen, the consequences could certainly be severe, not only for the firm but also its clients.
To secure corporate data that is downloaded to mobile devices, three steps are required:
• Discover who is accessing cloud services and from which devices and apps.
• Lock down the data in those apps and devices.
• Monitor and analyse the apps and devices for compliance.
This is essentially a layered approach which incorporates a number of elements such as device authentication, data encryption and the ability to remotely wipe data if a device is lost or stolen.
Block attack vectors
There is a vast array of security steps an organisation can take to secure mobile devices accessing cloud services, such as monitoring data sharing, using secure operating system architectures and managing application lifecycles so that no outdated applications are running.
These not only safeguard against device loss or theft, but also defend against other threat vectors such as always-on connectivity, software vulnerabilities, untrusted public Wi-Fi networks, Wi-Fi sniffing tools and sophisticated man-in-the-middle attacks.
At the same time, it would be wise to also protect against employees jail-breaking devices or downloading cloud-based apps that aren’t approved, and to guard against rogue employees attempting to access business data for nefarious purposes.
Keep it streamlined
Security is obviously the number one priority. However, it should not become prohibitive to the end-user experience. Ask a user to log in multiple times with a complex enterprise password and they are sure to get locked out and call your helpdesk, stop using the applications and suffer a loss of productivity or, worse, find their own workaround that may threaten your BYOD strategy.
From an end-user’s perspective, there should be little change in what they can do with their device, other than being limited to authorised apps and services and being informed as to why this is the case. Importantly, it should also be easy to use their devices irrespective of how many cloud-based apps they are running.
Providing a secure single sign-on experience will allow them to sign on once rather than for each app. This keeps things simple and ensures users won’t attempt to circumvent controls out of frustration.
From an IT perspective, it brings a sense of control and security and helps meet GDPR requirements by identifying areas of risk such as unauthorised users, apps and devices and blocking them – securely locking down cloud-based apps and data so that critical business information is protected.
Embrace your fate
Organisations embracing BYOD mustn’t be put off by the advent of GDPR, but instead, use it as an opportunity to batten down the hatches when it comes to expanding their mobile device strategies.
Rather than opening an organisation up to more risk, a strong BYOD strategy may even help it to better prepare for the changes coming early next year, as long as it starts to implement these changes soon.
Sourced by Vijay Pawar, Sr. director Product Management, MobileIron