Mobile Security: An IT Security Manager’s COPE-ing with BYOD

Most users have made the mobile phone part of their daily needs. It is no longer just the call and message device. It is your lifeline. It is your entertainment, games console, location finder, alarm clock, GPS device, health monitor, scheduler and email device; add the other applications, and mobile is your next best thing. The smarter the phone gets, the more dependent on it you become. The more dependent you become, the more inevitable it becomes as part of your life. But here is the key alert: most users would like to keep it simple in spite of the phone becoming their lifeline.

Let us look at how a typical mobile user deals with mobile security instructions. He or she has to install mobile anti-virus software and protect the phone with passwords (which have to be complex, mixed-case and alphanumeric, and cannot repeat any of the last five). The passwords cannot be written down and kept. The user should remember the IMEI number and lock the phone. The phone should be configured so that it initiates a self-destruct sequence on a wrong password. There are so many instructions on how to protect the mobile phone, and it holds all of a user's critical personal data: contacts, passwords, birthdays.

So what about securing it? What if one does not remember that complex alphanumeric password? What if he or she is locked out? Weigh this concern against what happens when the mobile is lost. What is key to understand in BYOD is that most devices are used by non-tech-savvy people. Such a user would rather keep it easy than worry about remembering that complex alphanumeric password.

Well, dear IT Security Manager, now imagine an enterprise application on that phone, in the hands of a user who has very little inclination to set even a simple password or a screen lock. This might churn one's stomach. Well, then ask the person to carry two phones. You don't care about the personal data, but the phone that runs your enterprise application console needs to be secured. So where does this take BYOD? Would handing out a pre-configured phone that complies with the enterprise security policy be better? Company used, personally enabled (COPE) devices are the alternative. Bear in mind that most attacks succeed through a vulnerability combined with human error: a patch not applied on the mobile phone, or anti-virus software left outdated.

While Mobile Device Management is the best option for crossing over to BYOD, employees can still use an alternate or second device to access the application. That is the moral dilemma here. User discretion can be user vulnerability. 'And when it comes to my phone, I want it as an emergency device as well, so I don't want to be typing my password all the time,' some may say.

This is the first in a four-part series on BYOD, which, according to TechTarget, is a fast-growing factor in enterprise security architecture. We shall look at various issues of COPE vs BYOD in the next article.