Dangerous devices

LinkedIn +

For many companies, there are financial benefits in encouraging the use of personal mobile phones and tablet devices at work, but there are also risks, says Malory Davies.

For many, having the latest mobile phone is not just a functional requirement – it’s a fashion statement, a status symbol and a toy all rolled into one.

And for an employer it can be a real game changer. Put together the right app, and you have harnessed all that very expensive technology to the needs of the business. And nowhere is that more useful than in logistics where so many employees do not work in an office but are out on the road or in some far flung corner of an industrial site.

Bring your own device (BYOD) is increasingly   part of the technology mix for logistics operations. Handled properly it can be a real benefit to a business, but there are plenty of traps for the unwary.

Have you got the systems in place to manage a network of BYOD devices? Is your data secure? And who pays the data charges? Get these basics wrong and it could prove expensive. JP Norman, head of technology and governance at Amicus ITS, points out that the BYOD phenomenon has crept up on a lot of companies, as people have by default started using their own personal mobile devices to manage everyday work tasks and many companies are on catch-up.

“The first step is to draft a mobile strategy proposal that defines implementation and on-going maintenance cost, which will help to show ROI,” says Sanjay Ejantkar, senior manager for product marketing at Epicor Software.

“This will also drive the second step which is to draft a policy, collaborating between the IT organisation and other stake holders. Make sure to define devices that will be permitted, how you will handle security, how and if you will handle replacement due to breakage or obsolescence, what applications are permitted on network and a clear exit strategy to wipe corporate data off these devices.”

And Chris England, director at Okta, highlights the importance of ensuring that employees are connected to the information they need — no matter where they work or what device they use. “For IT, this means switching from a device-centric approach, to a people-centric approach which connects users with the cloud services they need independent of device, time and place. In fact, we’re now seeing many companies adapting their enterprise architectures to make BYOD as simple and productive as possible.” 

Common mistake

Norman points out that an important consideration at this stage is to establish whether the apps that you intend to use are available across all operating systems (Android, IOS and Windows). “Don’t make the common mistake of assuming that there is an app for everything that works across every operating system.”

Once a framework is in place companies then need to address how they separate corporate and personal data on an employee’s device, says Norman.

“Part of the framework is the assessment of the suppliers of the Enterprise Mobile Management software (EMM), involving separating out the corporate mobile apps and the data associated with these into “containers” on the mobile device, creating a clear division as to what is subject to corporate security policies, such as wiping.

“If IT security managers want to place controls on the user device to separate out and manage corporate e-mail, applications and data, including whitelisting or blacklisting apps, it is possible to enforce security such as authentication, encryption, data leakage, cut-and-paste restrictions, and selective content wiping through various types of container technologies.”

Ejantkar says: “Corporate data should be encrypted and stored in an encrypted storage partition on the device. In addition, interactions with corporate data should be logged and controlled with a clear understanding among data security and governance staff of what data is being made available and where it is made available.”

It’s up to the organisation to decide whether they want to manage users’ personal data, and if so, how they’re going to do it, says England. “At Okta, we work with companies such as Gatwick Airport to tie applications to the corporate directory. So as an employee joins an organisation they are given access business apps and data, but when they leave access is taken away, leaving intact personal applications and data.”

Security can be a big issue. England points out that research by Okta found that only nine per cent of IT decision makers were confident that they had complete visibility of all the applications being used by employees.

“There’s also the risk of loss of confidential and sensitive data when an employee leaves the company. It’s not uncommon for companies to overlook the termination of users’ accounts from their personal devices after they have left the company – particularly in large organisations with a high employee turnover. Not only does this provide ex-employees with access to privileged information after they leave, but can lead to failure of the company’s information security audit,” he says.

Ejantkar argues that security problems can be obviated if an organisation has proven business software in place with built-in security measures and specific requirements for employees.

“Devices should only be allowed to connect when they provide sufficient levels of anti-virus and malware protection and as a result some businesses provide such software for staff members’ devices,” says Ejantkar. “Another concern for employers is that mobile devices are highly prone to loss, so controls that enable the remote wiping of corporate data should be in place, and any such data should be held in encrypted partitions.”

JP Norman highlights a number of other threats such as ‘data bleed’, jail-breaking, non-authorised access, mobile malware and spyware. “Most security issues can be managed by containerisation and EMM software. It is important to select a verified supplier of EMM software as there are many options to choose from with varying levels of functionality.”

However, he points out that the issue of BYOD security will not be solved by simply buying a piece of software. “An effective BYOD initiative requires the buy-in from the whole organisation from the staff using the devices, through IT, HR departments and the board.”

Effective management of a collection of BYOD devices is central to the success of the initiative. England argues that a cloud-based system can help solve the “anywhere, anytime, from any device” access challenge, while also providing automated user de-provisioning across all on-premise and all cloud based applications.

Ejantkar says: “”New technology and tools do exist to ease the management and security issues associated with BYOD, but many are adopting Desktop as a Service or DaaS, as a way to avoid them. This is not to be confused with Virtual Desktop Infrastructure (VDI) which has been out for a while. With virtual desktops and applications in the cloud, you get all the benefits of desktop virtualisation without the headaches. Even better, you can leave the hardware, software, and performance worries to the cloud provider.”


SECURITY: Risks of jail breaking

Jail breaking a mobile phone frees it from the limitations imposed on it by the phone’s supplier or the network provider. It allows the user to customise the look of the phone, install non-authorised software or use the phone with a different service provider. It also invalidates any warranties, and there is the potential to damage or disable the phone.

And there are risks to an employer’s network, says Ejantkar. “Jail breaking devices have been proven to cost a lot more in support overhead, data leakage and taxing networks due to unapproved applications or protocols accessing network resources.” Ejantkar. This should be addressed in every BYOD policy, he says.


COSTS: Who pays?

Once a company starts using employee’s personal phones for business, there is the question of who pays the data charges?

Sanjay Ejantkar says: “The best way to do this is for employees to complete an expense claim form for their home internet usage as well as smartphone costs associated with business usage. The employee should obtain their device by taking out a contract with one of the cellular providers, paying for it on a monthly basis and then submitting the cost of monthly business usage as part of their expense claim.

“Some organisations opt to make a small contribution to the cost of the device while others opt not to. Every company will decide on their own strategy, if any, for the implement of BYOD based on their needs and the needs of their employees.”


PRACTICALITY: Are mobiles robust enough?

Mobile phones and tablets are built for normal consumer use and there are question-marks over their robustness.

Per Holmberg, CEO of JLT Mobile Computers which supplies rugged devices, argues that the prospect of using a consumer device in the industrialised domain would send shivers down any IT manager’s back.

“Even if the software were to be ported across, or an app developed to provide the same functionality, there simply isn’t the level of security required. In this case, security isn’t really in reference to sensitive data, but to the ability to ensure the device will function faultlessly.

“Down-time in the kind of applications where rugged PCs are deployed is simply unacceptable; the cost of lost productivity would outweigh any potential benefits in using a consumer device and for this reason the idea of BYOD is not applicable in the market for rugged PCs — at least at the high end, where we operate — and is unlikely to ever be entertained by our customers.”01

Share this story: