Companies and other entities face the challenge of developing effective mobile policies which enhance the productivity of users and protect corporate assets. Strong management of mobile policies helps in setting proper guidelines which mobile users can apply within a corporate setup. Organizations need to communicate, implement and sustain efficient policy requirements. Companies must come up with policies that address the security, acquisition and usage of various mobile devices. Therefore, IT departments in different organizations must create and set up mobile policies which are custom-built for the needs and processes of the organization. This paper explores the major issues faced when employees use their personal phones and other devices in the workplace. It also proposes different possible solutions to the emerging problems using well-formulated corporate mobile policies.
Mobile devices have become highly affordable and accessible to the general public due to a fall in their prices. Currently, people can easily purchase laptops, smart-phones and tablets at lower prices than in the past. Prices of personal phones have significantly dropped due to a decrease in the cost of the components used in building computer devices. Most corporate employees and managers prefer to buy and use their own laptops, tablets or smart-phones to carry out their duties in the workplace. As a result, various organizations have adopted a new phenomenon famously known as “Bring Your Own Device” (BYOD). Some companies purchase such devices on behalf of workers for personal and work-related use. Departments of Information Technology play a significant role in creating mobile policies which fit the organization. Information Technology units use computer applications for data transmission and storage.
Employees need to be connected through computer terminals to use information systems within the company. Nevertheless, the concept of BYOD has brought about a more efficient and flexible interface to corporate IT systems. Top-level management and employees find it convenient to use a single tablet or smart-phone to serve both their personal interests and work-related functions. In fact, it is tedious and ineffective to own and use two separate devices for private purposes and for work. Therefore, employees are allowed to bring in their personal phones and other devices. The workers further demand access to company resources using their devices. Proponents of BYOD policy believe that employee morale and productivity are enhanced when employees are permitted to use their mobile phones in the corporate environment. Besides, such an initiative helps in reducing the cost of capital expenditure and the additional costs associated with the support of IT functions. However, the security risks that come with the premature adoption of BYOD policy within an organization need to be addressed with the aim of protecting company assets. Professionals who handle security risks have come up with several recommendations, which include efficient corporate mobile policies and the implementation of management systems for mobile devices.
Issues Surrounding Security, Acquisition and Use of Mobile Phones at the Workplace
Eslahi et al. (2014) believe that security can only be maintained in the corporate environment if the risks associated with the concept of BYOD are fully addressed. The first risk is related to the loss of data from mobile devices. Data can be lost in several ways, with extreme damage to the organization’s image. Mobile devices are prone to theft, and non-encrypted data saved on the phones can be accessed with ease. A company’s trust and reputation may be damaged if the information contained in the mobile phones exposes private and customer data. Furthermore, the corporation’s competitive edge can be compromised by the exposure of trade secrets and intellectual property. A company may incur extra costs that arise from consultation fees, legal fees and lost business. The other risk is that malware on mobile devices may infect corporate systems (Lyne, 2012). Most mobile devices purchased off the shelf do not come with anti-malware software installed. Malware is malicious software, such as viruses, keyloggers and Trojan horses, which can crash computers, delete sensitive information and capture user passwords. Malware damages organizations when it interrupts business processes, provides access to hackers or steals vital company information.
The third risk related to BYOD is that of intrusion attack. While there are no intrusion attacks that have so far been perpetrated via mobile phones, security experts believe that hackers will soon compromise the functionality of a mobile device. Ghosh, Gajar & Rai (2013) reiterate that hackers have the ability to use mobile phones as a launching pad into the company environment. IT departments also lack adequate insight into what goes on in the company networks that they continuously manage. IT professionals within various organizations have failed to manage the mobile devices that access the stored and transmitted information. This implies that IT departments lack sufficient visibility into mobile device operations. Management and safety of the mobile devices is a significant challenge to IT professionals because they do not have reports and log files for the specific devices being used in the company (Eslahi et al., 2014). Mobile devices are also prone to phishing attacks. In this case, owners of mobile devices are lured into providing confidential information willingly. Phishing is considered an illegal means of obtaining private and personal information from a mobile device by duping the user. Phishing attackers target different kinds of information, such as the credentials of an individual’s social network accounts, passwords used for online transactions and details of bank accounts. Mobile attacks also include network spoofing, which occurs when a malicious person tries to gain access to controlled information through false pretense. Network spoofing attackers often create a Wi-Fi network by setting up bogus access points.
Armando, Costa, Merlo & Verderame (2012) assert that several issues and challenges facing the management of a BYOD setup need to be addressed. Acquisition of devices, as well as the environment in which they are to operate, is a big challenge in any organization. Ghosh, Gajar & Rai (2013) hold that the security threats associated with the BYOD concept are a replica of the issues that arose with the emergence and popularity of laptops. However, the security risks are higher with the use of tablets than laptops because of their smaller size. The other concern is that companies cannot efficiently enforce their security policies on BYOD devices because they do not own them. Data that is transmitted and stored on devices that are not under the control of the corporation can easily be lost or manipulated, thus posing a security threat (Lyne, 2012). The issue of privacy is a significant concern to mobile users because the devices contain personal and private information which must be preserved. Corporate data may be mixed up with personal data, especially when the device is not partitioned to distinguish the two sets of data.
Peraković et al. (2012) note that several potential attackers currently target mobile devices due to the nature of their operating systems and for other financial or political reasons. Users of mobile devices lack awareness of and exposure to safety measures which require the installation of security software. The installed software can help in identifying threats which affect mobile devices and surrounding systems. Companies lack proper sanitization processes for mobile devices, although laptops and computers may have appropriate disposal procedures. Involuntary leakage of information also affects mobile devices. The majority of mobile users are not conversant with the capacity and functionality of the applications they install on their phones (Armando et al., 2012). Users seldom review the permissions requested by different applications during their installation, and their primary interest is to see the application working on their mobile devices. Some mobile applications gather and circulate information on the location of an individual as well as personal data, which is later used in social networks. Several users are not aware that some of the applications may be designed with privacy settings which restrict access to some information. It thus means that the applications can collect confidential information or data and unintentionally publish it online without the consent of the users (Lyne, 2012). Smartphones can also be used to keep an individual under surveillance through sensors such as GPS and accelerometers. Unfamiliar software can remotely activate these sensors without the knowledge of the mobile device owner.
Corporate Mobile Policies That Can Be Used to Address Issues of Security, Acquisition and Use of Mobile Phones
Companies require efficient mobile policies and procedures to safely and successfully manage the use of mobile devices within a corporate setup. An organization’s top-level management must endorse the policies before they are implemented (Sabnis, Verbruggen, Hickey & McBride, 2012). Corporations should start by enhancing the satisfaction and experience of the end user. The process of certifying devices should be efficient and timely to allow for quick access to advanced technology, which keeps changing at an astonishing pace. IT departments are therefore required to do away with their outdated, inflexible posture and adopt more responsive and swift technological improvements. Mobile devices which are allowed into the organization should have suitable documented guidelines. The criteria for evaluation and the way employees are informed about the devices available on the company network should also be established (Eslahi et al., 2014). The IT department must also provide clear and precise communication on the configuration of the mobile devices and their management by the company and end users.
Companies also need to develop and apply a tightly synchronized collection of policy-based and technical solutions across various vital areas. The critical areas include control of access to certain devices, the ability of users to remove data from their mobile devices remotely and appropriate configuration of the mobile devices (Absalom, 2012). IT departments must also establish proper processes for updating and patching the devices. It is essential for corporations to develop methods that can be used to identify and validate mobile device users. Access to the network requires stringent control to help in detecting and preventing unrecognized and unsanctioned devices from connecting to the corporate network. Mobile devices should be partitioned to distinguish stored corporate data from personal data. According to Armando et al. (2012), mobile devices require strict security controls and appropriate approaches for monitoring the activities that take place on such devices.
Legal liabilities and business risks can be reduced through the development of user agreements and the training of employees. Workers have to be informed about security threats, the acceptable policies on the use of mobile phones, personal responsibilities and the conditions for network connection. Companies need to come up with appropriate procedures for notifying users who are non-compliant and develop adequate steps required for compliance (Armando et al., 2012). Processes for developing applications should be made simple, following the best practices recommended for software development. The applications need to be developed in such a way that they can function across different mobile platforms. Every company should develop a mobile application store which employees can trust for downloading the latest applications (Ghosh, Gajar & Rai, 2013). Support for mobile devices has to be reduced when a company implements a BYOD program. This objective can be achieved when a centralized system of device management is implemented together with viable configuration settings. Corporations can further register mobile devices with a centrally located management application to help in monitoring each device (Sabnis et al., 2012). Established mobile policies should be signed by employees to show their commitment to such initiatives. As a result, the company and the employees strike an agreement to cooperate as far as the policies guiding the use of mobile phones in the company are concerned. While employees are allowed to use mobile devices at their discretion, they have to monitor the use of these devices closely and acknowledge their duties regarding the protection of corporate data.
Organizations should implement new policies on BYOD with the aim of supporting technical know-how on mobile enterprise systems (Copeland & Crespi, 2012). The policies need to focus on the employees who interact with different people using their mobile devices. The introduction of BYOD into an organization comes with new challenges for the creation of effective policies that allow employees to bring and use their devices within the organization. For instance, the solution to the management of mobile devices will possibly involve a certain level of monitoring of different activities. In some cases, the solution to the management of a personal device may entail access to internal data (Absalom, 2012). Consequently, such activities could be a threat to an organization’s privacy and subsequently lead to legal repercussions. For example, a business may be situated in the European Union (EU) and operate across various EU nations, with workers using their phones and other devices both internally and externally to connect to cloud services and the internal network. Organizations have to conform to the rules and regulations of ISO 27001 on the privacy of data and the protection of corporate data. All organizations set up within the EU nations must, therefore, comply with the various sets of rules adopted by every EU nation.
Enterprises explore a wide range of BYOD policies with the aim of encompassing the application and architecture of mobile enterprise systems (Burt, 2011). When employees sign suitable mobile user agreements as part of policy requirements, their devices can be fitted with remote wipe and user authentication software. Organizations can use this broad strategy to enhance the security of internal data. Installation of such software can also help in maintaining a given extent of control over the internal data. According to Dillon, Stahl & Vossen (2015), companies can use another mobile policy in place of BYOD, known as the Corporate Owned Personally Enabled (COPE) policy. Under this policy, employers issue employees with mobile devices instead of allowing them to use their personal devices. Every private and corporate space set up within the device would be accessed using access codes which are designed for individual use. Use of the COPE policy would give organizations a high level of control over the devices. Implementation of the COPE policy would, however, incur extra costs for the procurement of the devices and the establishment of data plans for them (Sabnis et al., 2012). The other risk linked to this strategy is that devices issued by companies have not gained popularity among employees, who may resort to using their own devices.
BYOD policy could alternatively entail measures like the restriction of access to internal data on mobile devices as soon as the employees leave the premises of the company. Companies could issue employees with a SIM which they are mandated to use entirely for purposes of work. The employees are then required to return the SIM when they leave the company after work (Dillon, Stahl & Vossen, 2015). Employees are able to use their own devices because the BYOD policy encourages it. However, it is a challenge for organizations to support different mobile devices which run various operating system (OS) platforms because of the high management cost. The IT department is also financially constrained because different mobile devices and OSs require technical support. Besides these policies, organizations can implement other policies with the objective of providing a variety of choices to the users. Such policies include Choose Your Own Device (CYOD) and Here Is Your Own Device (HYOD). There are several similarities between the COPE policy and the HYOD policy, including a limited rate of adoption by the users and the advantages of central organizational control (Ghosh, Gajar & Rai, 2013). A mobile policy based on CYOD is unique because it provides employees with the option of selecting approved devices from a company’s list. Employees’ chances of finding their preferred devices are enhanced when they are provided with a variety of options to choose from (Burt, 2011). Such a policy would encourage user adoption and limit the number of devices that require the support of IT, thus making it more affordable than BYOD.
An alternative corporate mobile policy that would be appealing to any organization is a context-based session policy (Copeland & Crespi, 2012). The policy entails setting specific levels of security, allotting limits for funding and exceptional techniques of routing which can be defined through a collection of context information and data. Context data is gathered from various sources internally or externally with the aim of showing the behavior of devices. Nonetheless, organizations must be very cautious when it comes to the selection of the right external and internal data to be gathered to avoid any form of conflict with employees’ rights.
BYOD has gained popularity in various organizations over the past years. Mobile technological innovations in the consumer arena have resulted in a change in the behavior of users. Employees have been significantly influenced to use their mobile phones and other personal devices for purposes of work due to the increased level of IT consumerization. The concept of BYOD benefits different companies even though people have raised issues over security threats and the acquisition and use of mobile devices. The examples provided in this paper indicate that the implementation of BYOD policy is still a challenge for various organizations. Companies are interested in internal data protection, and privacy is threatened when employees are allowed to use their mobile devices for work. Implementation of BYOD requires viable solutions which combine workable policy, security features and technology into a comprehensive framework. Organizations need to strike a balance between security, policy and technology. Protection of data and compliance can be realized when strengths from the three aspects of BYOD policy are fully adopted. Organizations embrace corporate mobile policies which strike a balance between their needs and employee rights. The technology used by companies should also support the policy. Enterprise systems should be used in the future to harness required information from the social, cyber and physical spaces to enhance intelligence in the identification of different users. Such systems should also provide appropriate access to information that belongs to an organization. Moreover, the system should be used to detect and respond to internal and external organizational threats.
Lyne, J. (2012). Eight trends that are changing network security. A Sophos article, 04.12 v1. dNA, 2.
Sabnis, S., Verbruggen, M., Hickey, J., & McBride, A. J. (2012). Intrinsically secure next-generation networks. Bell Labs Technical Journal, 17(3), 17-36.
Armando, A., Costa, G., Merlo, A., & Verderame, L. (2012). Securing the “Bring Your Own Device” Policy. J. Internet Serv. Inf. Secur., 2(3/4), 3-17.
Absalom, R. (2012). International data privacy legislation review: A guide for BYOD policies. Ovum Consulting, IT006, 234, 3-5.
Eslahi, M., Naseri, M. V., Hashim, H., Tahir, N. M., & Saad, E. H. M. (2014, April). BYOD: Current state and security challenges. In Computer Applications and Industrial Electronics (ISCAIE), 2014 IEEE Symposium on (pp. 189-192). IEEE.
Burt, J. (2011). BYOD trend pressures corporate networks. e-week, 28(14), 30-31.
Dillon, S., Stahl, F., & Vossen, G. (2015). BYOD and Governance of the Personal Cloud. International Journal of Cloud Applications and Computing (IJCAC), 5(2), 23-35.
Ghosh, A., Gajar, P. K., & Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Research in Computer Science, 4(4), 62-70.
Peraković, D., Husnjak, S., & Remenar, V. (2012, January). Research of security threats in the use of modern terminal devices. In 23rd International DAAAM Symposium Intelligent Manufacturing & Automation: Focus on Sustainability.
Copeland, R., & Crespi, N. (2012, October). Analyzing consumerization-Should enterprise business context determines session policy? In Intelligence in Next Generation Networks (ICIN), 2012 16th International Conference on (pp. 187-193). IEEE.