Why mobile devices should never be 'trusted'
Enterprise mobile device adoption has soared in recent years, due to the realisation that enabling a mobile workforce benefits productivity and can improve employee retention. Despite these positives, unrestricted access to company data creates a host of security risks, such as data exfiltration and unwarranted access to confidential data.
In a bid to secure corporate devices from these risks, many IT teams have turned to the ‘trusted’ device security model. But this method of securing devices is full of pitfalls. It is time that IT teams re-evaluate their mobile security strategy – and stop trusting ‘trusted’ devices.
The definition of a ‘trusted’ device
For a device to become ‘trusted’, it usually goes through a security procedure that places a software agent on the device. This agent directs traffic to the corporate network so that security checks, such as whether a passcode is set and whether the operating system is up to date, can be performed. After these checks, the device is usually given unfettered access to the corporate network. Whilst this is great for the remote worker who wishes to access company information to work, it also means that sensitive data could be exfiltrated – without the IT team knowing.
The Apple of IT’s eye
With the rise of mobile, Apple’s iOS devices have become the first choice for both consumers and enterprises. 80% of corporate devices used globally are iOS, according to the Mobile Security and Risk Review. Android, on the other hand, accounts for just 18% of these devices. Not only do employees often favour Apple, but it is also often considered the more secure option by IT teams. A recent Jamf study found that 90% of IT professionals believe Apple is the easiest mobile device to secure. This is down to Apple’s closed operating system and well-known focus on security.
A cause for concern
Although today’s mobile platforms are increasingly secure, they should not be given this ‘trusted’ status – not even Apple’s. This is because all devices are vulnerable to loss, theft, and cyber attacks that target the data on the device, rather than the device itself. The trusted device model can give employees access to highly sensitive corporate information. With some of the world’s largest banks and even government agencies using this model, there is cause for concern. When it comes to enabling flexible working, the risks of excess data sharing, stolen credentials and a lack of visibility need to be the focus – rather than securing the device.
Some IT teams have realised that ‘trusting’ a device does not equate to good security. In a bid to regain control over mobile devices, some organisations have turned to Mobile Device Management (MDM) and Mobile Application Management (MAM). These solutions install agents on mobile devices so that the IT department can manage them centrally.
Whilst this might sound appealing to the IT team, it is a solution to approach with caution, because many employees are wary of having such software on their device. This is because the software agent on the device can track the person’s location, see which applications are installed and even see their browsing history and personal files and photos. A recent Bitglass study on the use of agent-based mobile security found that only 44% of employees would accept having MDM or MAM installed on their personal devices. Ultimately, many see MDM and MAM as an overly invasive means of securing BYOD.
Data security is imperative
In the same Bitglass study, more than two-thirds (67%) of employees said they would be willing to participate in BYOD programs if their employer had the ability to protect corporate data but could not view, alter, or delete their personal data.
Instead of tracking all activity, companies should only track corporate data. Additionally, rather than controlling every aspect of a mobile phone, they should limit access from risky devices and destinations. This leaves the user experience untainted without compromising the security of a company’s sensitive data.
In order to meet these specific needs, companies must look towards ‘agentless’ BYOD solutions. It is unsurprising that these ‘agentless’ mobile security solutions are quickly gaining adoption in the enterprise, with Gartner predicting that this year, more than half of all bring your own device (BYOD) users who currently have an MDM agent will be managed by an agentless solution. Unlike the MDM/MAM alternative, security solutions that do not rely on a software agent installed on the device itself can be set up so that they only monitor corporate data.
The ‘trusted’ device security model is no longer fit for purpose. As the workforce becomes increasingly mobile and reliant on devices to be productive, IT teams must switch their focus from securing the device to securing data. Rather than focusing on whether or not a device is ‘trusted’, IT teams should ensure that company data is safe, no matter where it travels.