As technology continues to advance, the policies and processes to manage those technologies often lag. Nowhere is that more evident than with the BYOD trend and enterprise governance and security practices. Many organizations use information sharing policies that evolved in an earlier, simpler time but don’t adequately address what’s happening in today’s networks.
The corporate IT environment has been a rapidly expanding universe over the past few decades. In the age of the mainframe and dumb terminals, information sharing was easy if everyone was on the same system. With LANs and client/server architecture, maintaining control over information sharing became more difficult but still somewhat centralized.
According to Cisco, the number of mobile-connected devices today exceeds the global population. In this age of wireless networks and personal mobile devices, most of us are connected to networks by the phones in our pockets, whether we realize it or not.
This ubiquitous connectivity has a wonderful upside – sharing information is much easier than it was even a few years back. And we’re all more productive. Enterprise Management Associates estimates that around 70 percent of the U.S. workforce uses smartphones and tablets for work.
The downside, of course, is the increased risk to the organization of this new connectivity and information sharing.
With so many personal devices, there are more potential points of malicious access. A rapidly growing body of malware exclusively targets mobile devices. Because people are using their own smartphones and tablets to access work information, it’s harder for IT to make sure that the devices are secure or to know when sensitive information is being shared.
For many organizations, information sharing policies and practices have evolved from the earlier days when control was more centralized. Mobile information access is still treated as a “one-off” special case. However, mobile use is quickly becoming the norm rather than the exception. In the absence of well-defined policies and technologies for mobile information sharing, users will improvise.
Why You Need a Plan Today
The longer you delay proactively addressing mobile information sharing, the more people become accustomed to taking ad hoc measures for sharing information. And those ad hoc measures rarely align with your business requirements when it comes to sensitive information.
The single most widely used file transfer method for business data today is the simple email attachment. Why? Because it’s there and it’s easy. Yet few businesses have visibility into exactly what data is coming and going through their email attachments, where the information is going and what happens once it gets there – if it gets there.
A growing number of cloud-based file sharing services make it easier than ever to share files using either desktop systems or mobile devices. Dropbox is one well-known example of these services emerging from the consumer space. While designed for simpler processes like photo sharing, these services are making their way into businesses because of their simplicity.
While Dropbox is enormously convenient and may be appropriate for some uses, it falls short of meeting enterprise requirements for visibility, security and control. The problem is even more urgent if the information being shared includes regulated data, like customer or patient data, employee information and account information. While it’s easy to put controls around the databases and applications that process structured data, it’s much more difficult to track that information once it’s exported into a spreadsheet or copied into a document or report. These are the types of files most often accessed via mobile devices.
It Doesn’t Have to Be Complicated
The good news is that mitigating the risks of mobile information sharing isn’t that difficult. You might want to plan for every contingency, but it’s more important to get something out there right now that covers most of the remote data sharing occurring in your organization or the most important file exchanges. Your objective should be to support the file sharing and information exchange that people need in order to perform their duties, while maintaining controls around and visibility into your most important information.
As always with security, the key to success is a layered approach. Start by prioritizing types of data and classes of users. Look at the different use cases you need to manage and then develop ways to mitigate the risks to your business information to an acceptable level for those use cases.
Deciding where files can and should reside is critical to a successful plan. The answers may vary depending on the type of information. Should corporate files reside in a cloud-based service? Is that appropriate for some types of information and not others? What kind of controls and audits will be needed around information sharing? Policies will vary depending on the types of information being exposed.
An action plan will undoubtedly include policies, processes and technologies. A successful action plan will balance the three.
- In general, it’s more cost-effective and practical to put technology protections around the data being shared than to try to lock down every mobile device your employees and contractors might want to use. The complete banning of mobile technologies is rarely practical and almost unenforceable.
- While data sharing policies are an important part of the action plan, it’s rash to rely on policy alone. If people need to get something done, they’ll find a way, even if it may be against policy.
- A monitoring plan should also be considered. As with any business policy, it will be difficult, if not impossible, to manage what you are not monitoring.
It Does Have to Be Easy to Use
You already have competition: the ad hoc measures that users are inevitably using today. Whatever practices you put in place must be easy to manage and cause as little disruption as possible to users’ daily work, or people will simply go back to their ad hoc methods.
From the user’s perspective, being easy to use means the following:
- It can work with their own mobile devices.
- Users don’t have to go to IT to get software on their mobile devices.
- It doesn’t have a big software learning curve.
- Users can access the files and information needed when in transit or at home.
Taking Action Now
Even as you read this, someone in your company is emailing themselves an attachment to access it on another device or synching a folder with a cloud-based file exchange service. Mobile information sharing is here to stay and will continue to increase in use, which is why it’s important to get ahead of it today.
A phased approach can be the easiest approach. For example, some mobile device management solutions address mobility risks. Implementing mobile device management can be a major technology project with numerous implications. Even while you analyze those solutions, you can put protections in place around email attachments and mobile file access, provide alternatives to Dropbox-type services and communicate information sharing policies to mitigate risk.
By putting some basic processes, technologies and policies in place, businesses can immediately achieve better control over sensitive data and visibility into information being shared over mobile devices.