MSPs Must Shift Security Focus from Devices to Content
Americans are increasingly taking work home with them, which along with increasing productivity also increases security risks. A new survey on work-at-home habits of US workers from mobile security provider Good Technology offers insight into just how prevalent employee access of corporate systems from unsecured personal devices is becoming, and why it requires a change in focus from MSPs who offer security services.
According to the survey, the days of employees working “9 to 5” at the office and going home to forget about everything till the next morning are long gone. More than 80 percent of employed US adults continue working when they have left the office. Almost seven in 10 (68 percent) adults check their work emails before 8 AM, 40 percent check work email after 10 PM, 57 percent routinely check work emails on family outings, and 38 percent routinely check work email at the dinner table.
Managers may be thrilled to hear about all this extra productivity while spouses and children may be concerned about the impact on the already tenuous work-life balance, but neither one of these factors is really the concern of managed security services providers. What these MSPs need to be concerned about is the considerable security strain these habits place upon their clients’ corporate systems.
Ensuring Security in a BYOD World
Employees are now routinely logging into corporate email accounts and reading content and quite possibly downloading documents that may be sensitive in nature. They are doing so on personal mobile devices and PCs that likely have security mechanisms which to be charitable are less than professional quality. In addition, particularly when using a mobile device in a remote location like a coffee shop or even a playground, employees are probably using networks that offer little to no security precautions.
And all of these factors are 100 percent out of the control of an MSP. Assuming a client sees enough value in extra productivity to allow this type of remote access to corporate systems to continue, how can an MSP provide adequate security? As recommended by Good Technology, MSPs must shift away from securing devices or even networks, which is no longer realistic in a BYOD world, and instead focus on securing apps and data.
More specifically, this means MSPs must concentrate their efforts on encrypting data and developing apps that allow employees to securely view corporate information without actually storing it on their own devices. Email apps must provide extra security for employee logins. Depending on client needs, MSPs may also want to prohibit employees from downloading documents while providing remote “read only” access, or build in extra document security features if employees are allowed to download them onto personal devices.
Technology is increasingly blurring the lines between “work” and “home,” and as is usually the case, creating issues at a pace faster than people can keep up with. MSPs need to focus squarely on how they can effectively secure corporate data and systems on employee devices, and let the sociologists figure out the rest.
Dan:
I could not agree more with you observations. I think the trick is how to add additional security without impacting the productivity provided by the BYOD movement. If the solution is too cumbersome or limits what the user can do with the information, then it will be difficult for it to get traction.
Mitchell Cipriano
http://www.demandbydesign.com
Excellent article.
We shall expect to see an increased pressure on Corporate IT and security. On one hand, employees will continue to demand access to corporate email and other applications and data from personal mobile devices (btw, BYOD is somewhat a misnomer here because even if the device is owned by the organization, the employee still feels its a personal device for all practical matters).
On the other hand, security concerns are only increasing with more types of exposures (not only lost/stolen devices and hackers, but also shared devices in cars, public places, etc.), and the regulators are going to realize that these devices represent a huge hole and will enforce regulations there too.
So IT will find itself between the rock and the hard place, and will have to provide solutions in an unknown territory.
At LetMobile, we believe that to succeed a solution will have to provide IT with the security, manageability and compliance it must provide. But at the same time, to be adopted by employees (rather than circumvented), the solution will have to leave the user in control of their device (hence MDM wont work in that regard), and will have to leave them with the same and uninterrupted user experience they learn to expect from their devices. The latter is a major flaw in secured container solutions and any other solution that use different email apps or that separates the work and corporate environments in a way that makes it more difficult to collaborate.
So one must let the organization protect the data but without altering the user experience.
Dr. Ron Rymon
co-Founder and Chairman
LetMobile – Protecting Corporate Data on Personal Devices
Mitchell, Ron: Thanks for those additional insights. Dan has been raising some great points on MSPmentor in recent months, and I enjoy reading his thoughts each time he checks in with new content.
Device-level security will never go away. But as the old saying goes… what’s more valuable: Your laptop/tablet/smartphone… or the data on it?
Surely, the data is what truly needs protecting…
-jp
Would you consider this more UYOD than BYOD? You are talking about access from “out-of-the-office” which is use your own device (UYOD) in that context. BYOD is focused on providing secure access to the network for devices that are brought to the office. I feel that BYOD is improperly applied here. The issue of application and data security is important and should be addressed, but that hasn’t changed since the 1990s, when laptops first became popular and users could take data home with them. BYOD ties in from the perspective of providing access to the network for personal devices and then determining what data they should or should not be able to access based on being a trusted or untrusted device. Just some “devil’s advocate” input 🙂
Tom, I’m not sure if there’s a real line between UYOD and BYOD… Not sure. But certainly interested in your continued thoughts.
-jp