mobile-security

How to Build a Flexible, Secure Mobile Policy in 5 Steps

Spice IT

by |

Mobility is top of mind for everyone these days. The number of connected devices continues to grow as we transition from The Internet of Things to The Internet of Everything. However, we continue to struggle with building an effective strategy to manage mobile devices. I see a myriad of policies that are attempting to address things like smart phones, tablets, bring your own devices (BYOD) and so on, but very few organizations are successful in implementing these. Luckily the technology already exists to make this process easier, so the focus of this blog is to make sure you go down the right path when building a flexible, but secure policy.

1. The Business Problem

There has to be a business problem to solve. I often find myself talking to folks deploying mobile device management (MDM) to hundreds of tablets and smartphones, while trying to implement encryption, containerization and virtual desktop infrastructure (VDI), only to find out that the business didn’t even ask for it, and sometimes had no idea this project was even underway. It is true that consumerization isn’t stoppable, but it is important to understand that end users today are more tech savvy than ever before, and they come to work expecting the same experience they get on their mobile devices at home – fast Wi-Fi, ability to install and update apps just like Apple’s App Store, productivity apps like Dropbox to share files and high-quality video conferencing like Skype and FaceTime. Keeping that in mind, and knowing that it may be impossible to give end users the ‘same’ experience with today’s enterprise IT systems, they must be a part of your overall strategy. Building strong relationships with each business unit leader, taking the time to understand what their needs are, and how mobile technologies could solve them will yield happier end users and will make your deployment much more successful.

2. The Integrated, Living Mobile Policy

Most organizations already have some sort of IT Acceptable Use Policy, and many have a number of policies around data loss prevention, obility, BYOD etc. that most employees don’t even read (and often forget). The first thing you need to do is develop a comprehensive, integrated policy that is easy to understand, and addresses all the needs of your business units specifically. If you can’t do this yourself, there are a ton of great consulting companies that can write the baseline policy for you. One thing to keep in mind about paper-based policies is that you have to make it simple to understand, easy to access and easy to remember. As opposed to using language like ‘do not do this’, explain the risks involved if something were to happen, like copying confidential documents to personal email for example. Make sure the policy is accessible to any device via a browser. You could also develop a custom app that can automatically be installed on mobile devices (via your MDM) to explain all the risks. Finally, release policy updates regularly. Don’t wait for folks to acknowledge updates once a year. Highlight the changes and why they were changed. The key thing about your IT/mobile policy is that you want to make sure it’s always current and in your end user’s minds at all times without being too restrictive.

3. The Lock Down

Writing a policy and getting it out to your users is only one issue to get past. You still have to setup guardrails to guide your end users just in case they go down the wrong path. This involves using MDM and network access control (NAC) technologies to simplify managing your mobile devices and ensuring corporate data isn’t compromised. This is an area where you will have to spend a lot of time with end users understanding how they plan to use their devices, what apps are important to them, how it needs to be integrated and the functionality they are looking for. You don’t want to be too restrictive because you don’t want users to get frustrated and find a way around your implementation strategy; because we all know that can happen very easily these days. It is very possible that you will have to define multiple policies within MDM for each business unit to ensure they get the functionality they need. Look into MDM tools that offer containerization as well, this will ensure your mobile apps operate in a secure zone on mobile devices.

4. The Costs

Work closely with business units to understand what cost models they would like to see implemented. In organizations where end users want to upgrade devices frequently, a stipend model may be the best case scenario, even though it could mean additional taxable income for employees in some states. Other key factors:

  1. Cost of the device itself
  2. How upgrades and lost/stolen devices are replaced
  3. Voice/Data plans
  4. Overages in usage

While most organizations don’t pay for mobile device accessories, offering volume discounts through preferred vendors or through a custom ordering portal can ease the ordering process for end users. In many cases, opting to pay for a volume voice/data plan is the most economical option because the entire organization uses a pool of services, as opposed to individual plans.

5. The Support

Who do users call when they have problems, or have lost a phone? Many organizations have moved the support function completely to a third-party provider, especially if they have implemented MDM technologies that help with configuration and hardening of corporate data on these devices. This makes a lot of sense, but a line has to be drawn as to what support is offered and whose responsibility it is when something breaks down. For example, would a user go to help desk when their iPhone dies, or would they go straight to an Apple Store to get their phone replaced? Would a user call your third-party phone provider when their web conferencing app doesn’t work? The way each of these issues is supported will vary, so understanding the costs of supporting these internally versus externally must be considered and properly communicated to end users to ensure a rich user experience. While the above may sound complicated, once you implement your baseline it gets easier to manage and evolve over time. Like most technologies, you need a solid framework and platform to build from, and the five things mentioned above will help establish that framework. For more information, please read the following:

CDW: Eight Steps to an Effective Mobile Device Policy

CDW: Mastering Mobility in a BYOD World

Gartner: 7 Failures in Mobile Device Security

Gartner: BYOD Mobile Device Policy Toolkit

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>