From BYOD to CYOD, and beyond...


According to a recent survey from BT, 41 percent of organisations have suffered a mobile device security breach in the past year, with 34 percent admitting to not having any kind of mobile security policy in place.

With numbers like these, it’s obvious that mobility represents a significant security threat to organisations, which must implement best practices and policies to reduce the risk of sensitive data being exposed.

In the infancy of corporate mobility, IT managers had only company-issued devices to manage, so the security challenges were limited to the ease with which devices could be stolen and the need to educate employees about the risk of being overheard or overlooked whilst using them.

With the rapid evolution of mobile devices, organisations began to feel the pressure from employees keen to use something other than a Nokia 6020. Many organisations considered or implemented a BYOD (Bring-Your-Own-Device) policy allowing employees to use their own computers, smartphones or other devices to access, process and share organisational data.

However, this introduces a number of new security challenges, not least managing the diversity that an ever-expanding range of devices and mobile platforms brings. Another security headache is the risk associated with mixing personal and organisational data on the same device.

Organisations have begun to move away from a BYOD policy in favour of a CYOD (Choose-Your-Own-Device) policy, where the organisation retains ownership of the SIM/contract and provides the employee with a choice of handsets. This allows for the retention of a certain level of control over the range of devices being used within the organisation, whilst allowing employees some choice between tested devices.

A CYOD policy allows the user to either choose their own device from a corporate-approved catalogue or attach their own device to corporate resources according to certain rules. Incorporating a CYOD policy means that the management of all aspects of security, costs, policy and process remains under the control of the organisation. Users can still have a single work/home device, but under a managed environment.

However they are provisioned, mobile devices continue to be used to share documents, information and data with both internal and external parties. When sensitive or personal data is leaked, it is the organisation that will get penalised, so they must implement strategies and technologies to ensure sensitive data isn’t accidentally shared.

One such strategy is to implement a data classification policy and solution, which will help all users understand the value of the data and make more informed choices about how it should be distributed.

An effective data classification solution allows for control over which messages can be synchronised to a mobile device, so that sensitive information isn’t stored on the device and personal and corporate data is segregated. Success in protecting data across multiple devices relies on a robust data classification system, which extends seamlessly from the corporate network to the mobile device.
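As an added illustration of the sync control described above (example code written for this page, not Boldon James’s product or anything from the original article), the following is a small fail-closed policy check that decides, per message, whether it may be synchronised to a given device. The classification levels, the device ownership categories (corporate, CYOD, BYOD), the per-category ceilings and the managed/encrypted requirement are all assumptions chosen for the illustration; a real deployment would take them from the organisation’s own classification scheme and MDM posture data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Dict, List, Tuple

# Assumed classification scheme: ordered so that labels can be compared.
class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

@dataclass(frozen=True)
class Device:
    device_id: str
    ownership: str    # "corporate", "cyod" or "byod" (assumed categories)
    managed: bool     # enrolled in MDM with a managed work container
    encrypted: bool   # storage encryption enforced

@dataclass(frozen=True)
class Message:
    message_id: str
    label: Optional[Classification]  # None means the message was never labelled
    container: str                   # "work" or "personal" account on the device

# Assumed ceiling: the highest label each ownership model may hold on the handset.
MAX_LABEL: Dict[str, Classification] = {
    "corporate": Classification.CONFIDENTIAL,
    "cyod": Classification.CONFIDENTIAL,
    "byod": Classification.INTERNAL,
}

def sync_decision(msg: Message, device: Device) -> Tuple[bool, str]:
    """Return (allowed, reason). Every unknown or unsafe case is denied."""
    # Fail closed: an unlabelled message is treated as the most sensitive kind.
    if msg.label is None:
        return False, "unlabelled message treated as RESTRICTED"
    # Segregation: classified data must never land in the personal container.
    if msg.container == "personal" and msg.label > Classification.PUBLIC:
        return False, "classified data not permitted in the personal container"
    # Highest tier stays on the corporate network regardless of device.
    if msg.label == Classification.RESTRICTED:
        return False, "RESTRICTED never synchronises to a mobile device"
    # Ownership model sets a ceiling (unknown models get the lowest ceiling).
    ceiling = MAX_LABEL.get(device.ownership, Classification.PUBLIC)
    if msg.label > ceiling:
        return False, f"{msg.label.name} exceeds ceiling for {device.ownership} devices"
    # CONFIDENTIAL additionally needs a managed, encrypted handset.
    if msg.label >= Classification.CONFIDENTIAL and not (device.managed and device.encrypted):
        return False, "CONFIDENTIAL requires a managed, encrypted device"
    return True, "allowed"

def partition_mailbox(msgs: List[Message], device: Device) -> Tuple[List[str], Dict[str, str]]:
    """Split a mailbox into ids that may sync and ids that may not (with reasons)."""
    allowed: List[str] = []
    denied: Dict[str, str] = {}
    for msg in msgs:
        ok, reason = sync_decision(msg, device)
        if ok:
            allowed.append(msg.message_id)
        else:
            denied[msg.message_id] = reason
    return allowed, denied

# Constructed sample mailbox and devices for the illustration.
SAMPLE_MAILBOX = [
    Message("m1", Classification.PUBLIC, "work"),
    Message("m2", Classification.INTERNAL, "work"),
    Message("m3", Classification.CONFIDENTIAL, "work"),
    Message("m4", Classification.RESTRICTED, "work"),
    Message("m5", None, "work"),                        # never labelled
    Message("m6", Classification.CONFIDENTIAL, "personal"),
]
CORPORATE_DEVICE = Device("corp-01", "corporate", managed=True, encrypted=True)
BYOD_DEVICE = Device("byod-07", "byod", managed=False, encrypted=True)
CYOD_UNMANAGED = Device("cyod-03", "cyod", managed=False, encrypted=True)

if __name__ == "__main__":
    for dev in (CORPORATE_DEVICE, BYOD_DEVICE, CYOD_UNMANAGED):
        allowed, denied = partition_mailbox(SAMPLE_MAILBOX, dev)
        print(dev.device_id, "allowed:", allowed)
        for mid, why in denied.items():
            print("   denied", mid, "->", why)
```

The order of the checks matters: the unlabelled and personal-container tests run first so that a missing label or a mis-filed message is denied before any device attribute is consulted, which is what keeps the policy fail-closed when posture data is incomplete.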

Unfortunately, data loss cannot be stopped completely, whether the data is stored on the organisation’s network or passed between mobile devices. More and more people use their own mobile devices to access and share corporate data, and with human error accounting for at least 50 percent of data breaches, organisations must have measures in place to help reduce the level of risk.

Martin Sugden is MD of Boldon James