Five Steps to Creating an Effective Mobile Device Policy
Mobile devices are ubiquitous these days and have evolved to the point that it’s like carrying a fully capable PC in your pocket. The benefits of so much power and information in such a small, portable device are offset to some extent by the increased exposure to risk that comes with it.
It’s relatively futile—never mind being a shortsighted business strategy—to try and prevent the flood of mobile devices into the workplace. Whether the devices are company-issued smartphones and tablets or personal iPhones and iPads being brought from home, mobile devices are a reality that IT has to face. The first step to effectively managing the mobile devices in your environment is to establish a clear, written policy governing their use.
Here are five factors you should consider in creating your mobile device policy:
1. Accept up front that one size won’t fit all
Those who travel have legitimate needs for mobile devices, and enabling people to work during the train ride home will increase productivity. However, access to network resources from mobile devices, and the ability to store company data on iPhones or iPads, should not be allowed to expose the company to any more risk than necessary.
Executives often simply ignore rules that don’t suit them, and others will find ways to circumvent the rules if they get in the way of using their new toys. The trick is to find the balance that provides appropriate access for those who need it, rather than trying to apply the same rules and conditions to all users. The closer your policy comes to what people need, the easier it will be to get them to take the steps necessary to ensure that data security is maintained and that your policy is followed.
2. Have your goals clearly in mind
Identify what you want. The goal is to empower users to perform their tasks from mobile devices without exposing network resources to additional risk or compromising company data, not to block devices or services.
You may want to ban some services or protocols to ensure that your Internet connection or wireless network isn’t tied up with Netflix or YouTube videos or other high-bandwidth applications. Keep the first point in mind, though, and consider that some departments or users may have an actual business need to access those services. In general, look for ways to deliver services securely, using encryption, strong authentication, and the security controls available, rather than trying to completely lock down access from mobile devices.
3. Get consensus from as many departments as possible
This is a cardinal rule of any IT project. Lay out the issues for managers to make sure everyone is on the same page. Explain that letting users bring in their own devices can save the company lots of money on mobile device hardware and maintenance and help users be more productive. On the other hand, unsecured mobile devices pose a threat to the company: data can be lost or stolen, with the associated losses to productivity, fines or lawsuits if customer data is lost, and damage to the company’s reputation.
Present both the benefits and concerns, and request input from managers. Feedback that helps you understand how various teams use mobile devices, what resources or data they need access to, and any potential stumbling blocks will help you craft an effective mobile device policy with the best odds of success. Mobile device management tools, such as AirWatch, MobileIron, or MaaS360, let you manage mobile devices remotely, ensure protection, and enforce company policies at the same time.
4. Develop both a carrot and a stick
If you ask users to allow the IT admin to manage their personally owned mobile devices and enforce security policies on them, you’ll also need to provide some incentive.
Make sure users understand the responsibility that comes with using personal mobile devices for work and that they’re aware of the need to protect company data. Explain the benefits of having the IT admin maintain and enforce security policy on the device: it also provides better protection for their personal photos, contacts, and other sensitive data. It’s also important that users understand that the company might remotely erase all corporate data from a lost or stolen mobile device, and that doing so will most likely wipe all of the user’s personal data as well.
The upside for users is that they get to choose the smartphone or tablet they prefer and use the device and platform they’re most comfortable with. It also typically means newer, better hardware than users are accustomed to with company refresh cycles. A mobile device management (MDM) platform, such as AirWatch, MobileIron, or MaaS360, makes it simple for IT to manage mobile device security and protect both the company and the user.
5. Be ready to enforce the new policy
Once the policy is established, it has to be enforced. Use a combination of network access control (NAC) and MDM to make sure mobile devices are being used appropriately and to protect network resources and company data.
MDM gives the IT admin the tools to monitor the mobile devices in the environment, generate reports to review how mobile devices are used, and make sure users are complying with the mobile device policy.
A NAC device, like the Cisco Secure Access Control Server 1121 Appliance, scans all devices attempting to connect to the network to determine if they meet established company security policies and ensure they’re properly patched and updated. Devices that don’t meet the requirements can be denied access or redirected to the resources necessary to get compliant and access the network. Cisco’s Identity Services Engine (ISE) aims to improve visibility of all devices and associated user activities on an organization’s physical and virtual networks and works in tandem with an MDM solution to provide a full enterprise mobility strategy.