Mobility Management Strategy: Why IT Matters
How many devices have access to your company network and data? Be sure to include not just the computers plugged in at the office, but also the laptops, smartphones, smartwatches and anything else that’s been signed in to your WiFi or has access to company email — even those that can remote-access from home. If you’re unsure of that number or what those devices might be, your data might already be at risk.
Theft, data corruption and breaches don’t just occur at massive companies — anything or anyone can be a target. Contractors can no longer ignore data security and need to establish a mobility management strategy — a system of procedures and policies to regulate who, where and how their company data can be accessed — to protect their businesses.
Assessing the Threat
According to JBKnowledge’s 2018 Construction Technology Report, over one-third of contractors don’t secure employees’ personal devices used for work, while another third claim to not allow employees to use their personal devices at all. Regardless of whether or not contractors have an official BYOD (“bring your own device”) policy where workers use their personal devices for work-related matters, mobile devices continuously flow throughout workplaces and their networks. And if those devices are allowed to access any sources that even indirectly touch company data, they could present risks to that data.
For businesses, these unsecured devices can become points of vulnerability for the entire company network, opening up possibilities for data theft or corruption. It may seem obvious that a lost or stolen device with saved credentials (for example, a browser that autofills a username and password) can provide an all-access gateway into company information, but any device can also compromise company data by joining an unsecured public Wi-Fi network, falling for a phishing email or opening a malicious link or attachment received by text message. In those cases, anything that employee had access to is now open to the attacker, and worse yet, sophisticated attacks also use "lateral movement", hopping from that first foothold to other systems and accounts on your network to gain progressively higher levels of access, eventually getting the executive-level keys to the castle.
And while you may think that you don’t have information valuable enough for someone to steal, it doesn’t always have to be social security or credit card numbers they target. If any information is valuable to you or your company, someone can try to make you pay to get it back. Even if no personal information is stolen, an attacker could threaten to corrupt or destroy all of your payroll data unless you pay their ransom.
With mobile devices so difficult to control across a workplace, simply stating that personal devices can't be used at work isn't sufficient as a security strategy. Contractors need to take proactive measures to secure their sensitive data by incorporating layers of mobility management.
Mobile Device Management
MDM, or mobile device management, aims to secure the individual tablet, smartphone, laptop, etc. being used to access anything work-related. Through device enrollment, enforced storage encryption, required PINs or passcodes, mandatory operating system updates, and remote locking or wiping of the device in the event of loss or theft, MDM provides companies with a system for controlling each device an employee uses for conducting business.
While MDM is a great step in securing business data, there are some limitations. With cloud-based storage and access, employees can now reach company information from any device at any time. With only an MDM strategy in place, a company must account for each of these devices and ensure proper security guidelines are being followed by each employee and on every device that is used for any business-related activity. Even just a “real quick check” of work email from a personal laptop that hasn’t been properly secured can expose the company to risks.
Additionally, there is a risk of crossover between company and personal information on employee devices. Without isolation between company and personal data, employees could lose both if a device is mistakenly reported missing and subsequently wiped. Legal ownership of company information could also come into question if it’s stored on an employee’s personal device.
Mobile Application Management
As a result of the changing mobility and remote-connectivity of users, MAM, or mobile application management, strategies emerged. Rather than securing each individual device like MDM, MAM applies additional security to individual applications. For example, while an employee might use one email app for personal use, the employer may allow them to access work emails only through a specific app that they can encrypt and control at an enterprise level.
With MAM, companies can maintain control over their enterprise apps on an employee’s device without intruding upon personal information. This is called “containerization.” Much like plastic storage containers in your fridge that might contain different meals for the week, containerization works to separate and isolate company data from personal data on an employee’s device, preventing any interaction between the two. With containerization, employees can maintain privacy with non-enterprise applications since companies can’t access the employee’s personal container while companies can still monitor and encrypt any activity occurring on enterprise apps within their company container.
Through MAM, companies can designate which applications have access to company data and remotely wipe information from enterprise apps, leaving the user's personal data untouched. Companies can also block untrusted apps from exchanging data with their enterprise apps (for example, by restricting copy-and-paste, file sharing and "open in" actions between managed and unmanaged apps), providing more regulation over who or what has access to company data while allowing employees to maintain ownership over their devices and personal information.
EMM for Contractors
Unfortunately, neither MDM nor MAM is comprehensive enough to offer a full security solution. That’s why many IT experts recommend a multi-level EMM, or enterprise mobility management, approach that aligns devices, applications and policies toward the singular goal of information security.
Under a typical EMM strategy, a company would use aspects of MDM and MAM together, along with user-based policies, to supplement the limitations of each. For example, the company may require employees to register their devices with IT before allowing them to access company information (MDM). It may also prevent employees from transferring documents from an enterprise app to a non-enterprise app (MAM). In addition, the company might use specific EMM software to expedite the process of isolating and protecting company data on employee-owned devices. However, since IT and EMM software may not be able to manage every possible point of vulnerability, many EMM strategies rely just as heavily on establishing policies to minimize exposure to risk.
EMM Policies. By setting policies for devices with access to company information, contractors can begin to create a working EMM solution. Policies that a contractor might incorporate include:
- Registering each device that has access to company information, including a record of the make, model, operating system version and the user it is assigned to
- Knowing which devices are supported and how, as well as how they’re issued and managed
- Establishing roles, or security profiles, and responsibilities for oversight
- Creating access tiers for different users, devices and environments
- Educating employees about responsible device use as well as how to identify and report suspicious emails, text messages, websites and applications
- Setting clear expectations about device use and when, where and how employees should access enterprise resources
- Developing procedures for reporting and responding to lost or stolen devices that had access to enterprise data — whether employee-owned or company-owned
- Sticking to a life cycle management (LCM) plan to keep devices patched and to retire devices whose manufacturer no longer provides security updates
- Maintaining compliance for any federal, state or local statutes that mandate data protection measures and notification requirements in the event of a breach
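As an added illustration (not from the original article and not any vendor's product or API) of how several of these policies combine into a single access decision, the following Python sketch evaluates an access request against a registered-device inventory: it denies unregistered devices and devices registered to a different user, flags lost or stolen devices for a remote wipe of the enterprise container, and checks role-based access tiers, MDM enrollment, encryption, passcode enforcement and operating system currency. The inventory, the minimum OS versions, the tier definitions and the device records are all constructed assumptions.

```python
"""Device-posture access check illustrating the EMM policies above.

Constructed example: not the article's own tooling or any MDM/MAM vendor's API.
The inventory, minimum OS versions and access tiers below are assumptions.
"""
from dataclasses import dataclass

# Assumed minimum patched OS versions per platform (illustrative values).
MIN_OS_VERSION = {
    "ios": (17, 0),
    "android": (14, 0),
    "windows": (10, 0, 19045),
}

# Assumed access tiers: which roles may reach which resource class, and
# whether the resource requires an MDM-enrolled (registered) device.
TIER_POLICY = {
    "email":     {"roles": {"field", "office", "finance"}, "require_enrolled": False},
    "documents": {"roles": {"office", "finance"},          "require_enrolled": True},
    "payroll":   {"roles": {"finance"},                    "require_enrolled": True},
}


@dataclass
class Device:
    """One row of the device register: make, model, OS version and assigned user."""
    device_id: str
    owner: str
    make: str
    model: str
    platform: str
    os_version: tuple
    enrolled: bool = False             # registered with IT under MDM
    encrypted: bool = False            # storage encryption enforced
    passcode_set: bool = False         # PIN/passcode enforced
    container_installed: bool = False  # enterprise app container (MAM) present
    reported_lost: bool = False        # lost/stolen report on file


@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    resource: str


def fmt_version(v: tuple) -> str:
    return ".".join(str(p) for p in v)


def evaluate(req: AccessRequest, inventory: dict) -> tuple:
    """Return (decision, reasons); decision is 'allow', 'deny' or 'wipe'."""
    device = inventory.get(req.device_id)
    if device is None:
        return "deny", ["device not registered"]
    # Lost/stolen procedure takes precedence over every other check.
    if device.reported_lost:
        return "wipe", ["device reported lost or stolen; issue remote wipe of enterprise container"]
    if device.owner != req.user:
        return "deny", ["device registered to another user"]
    policy = TIER_POLICY.get(req.resource)
    if policy is None:
        return "deny", [f"unknown resource {req.resource}"]

    reasons = []
    if req.role not in policy["roles"]:
        reasons.append(f"role {req.role} not permitted for {req.resource}")
    if policy["require_enrolled"] and not device.enrolled:
        reasons.append("resource requires an MDM-enrolled device")
    if not device.encrypted:
        reasons.append("device storage not encrypted")
    if not device.passcode_set:
        reasons.append("no passcode/PIN enforced")
    if not device.container_installed:
        reasons.append("enterprise app container not installed")
    min_v = MIN_OS_VERSION.get(device.platform)
    if min_v is None:
        reasons.append(f"unsupported platform {device.platform}")
    elif device.os_version < min_v:
        reasons.append(f"OS {device.platform} {fmt_version(device.os_version)} "
                       f"below minimum {fmt_version(min_v)}")
    return ("deny", reasons) if reasons else ("allow", [])


def build_inventory() -> dict:
    """Constructed device register (sample data, not a real inventory)."""
    devices = [
        Device("d-100", "alice", "Apple", "iPhone 14", "ios", (17, 2),
               enrolled=True, encrypted=True, passcode_set=True, container_installed=True),
        Device("d-200", "bob", "Samsung", "Galaxy S21", "android", (12, 0),
               enrolled=False, encrypted=True, passcode_set=True, container_installed=True),
        Device("d-300", "carol", "Dell", "Latitude 5420", "windows", (10, 0, 19045),
               enrolled=True, encrypted=True, passcode_set=True, container_installed=True,
               reported_lost=True),
    ]
    return {d.device_id: d for d in devices}


if __name__ == "__main__":
    inv = build_inventory()
    for r in [AccessRequest("alice", "finance", "d-100", "payroll"),
              AccessRequest("bob", "field", "d-200", "email"),
              AccessRequest("bob", "field", "d-200", "documents"),
              AccessRequest("carol", "office", "d-300", "documents"),
              AccessRequest("dave", "office", "d-999", "email")]:
        print(r.user, r.resource, evaluate(r, inv))
```

The lost/stolen check runs before everything else so that a reported device is never quietly allowed through on a stale posture; the remaining checks accumulate every failing reason rather than stopping at the first, which is what you want when feeding the result back to the employee or to a help-desk ticket.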
EMM Strategy. EMM policies need to be structured alongside a larger enterprise mobility strategy. This strategy should not only outline your current needs and risks but also account for potential changes to technology usage and company growth.
While your strategy can evolve and change over time, it should still be an official company document that’s reviewed and revised at a minimum of every year and after any significant business changes. By setting a strategy in writing and amending it regularly, you can keep up to date on changing vulnerabilities for your data and adjust your policies and strategy as needed.
While the construction industry has historically been slower to implement changing technology, the presence of new technology all around it means contractors must respond to safeguard themselves. Even if your company has no formal BYOD program, the influx of mobile devices that make their way into your workplaces and jobsites won't stop, and without security measures in place, unsecured devices present new opportunities for theft or corruption of your data.
It’s easy to be lulled into a false sense of security and think that a data breach can’t happen to you, but inaction isn’t a proper way to safeguard your business. Like purchasing insurance, setting an IT strategy in motion to protect your data might not seem like something you desperately need — until you do. By implementing procedures and strategies to face these potential threats head-on, you can bolster your digital defenses, keeping your data only in the hands of those that should have it.