Many challenges have emerged as the business sector struggles to embrace the paradigm shift from company-owned devices and internal enterprise solutions to the cloud-based “bring your own device” — or BYOD — culture that values virtualization and mobility over control.
Shayne Higdon, new chief executive of Symplified Inc., a Boulder-based startup that develops mobile security tools such as single sign-on solutions, believes one best practice for companies is to have their IT departments address individual users instead of devices.
“Some of the more forward-thinking businesses are centralizing their access to data by focusing their attention on the individual,” Higdon said. “Who is this person, and what role does he have in the enterprise? That information then dictates the level and types of applications to which that individual needs access.”
Higdon also warned of the difference between using an app from a trusted vendor and venturing onto the Internet.
“Native applications are running locally within a tightly contained sandbox environment like Apple’s iOS platform or Google’s Android operating system,” Higdon said. “When you start accessing these applications through a browser, you have the same risks you would have in accessing them from a PC. Users need to understand those differences.”
Others working in application development say users’ choice of devices affects their risk. Ted Guggenheim, president and CEO of Rage Digital Inc., a local app designer, acknowledged that the fundamental makeup of different operating systems creates different liabilities.
“I think there is a difference between platforms,” Guggenheim said. “When a potential app goes through review at Apple, they’re looking for weak points where the data or other vulnerable information might be compromised. With an Android application, there are more specific vulnerabilities on that platform.”
While Apple’s “walled garden” approach provides more controlled vetting of its applications, some speculate that Google’s open platform fosters more creativity and development. Whichever device is used, local experts agree that utilizing known markets such as Apple’s App Store or Google Play is prudent.
“At this time, the majority of malware comes from third-party markets or file-sharing sites,” said Armando Orozco, senior threat research analyst at Broomfield-based Webroot Software Inc.
A wide range of business professionals also need sound advice. Brad Weber, president and CEO of Inspiring Applications Inc., which creates innovative mobile applications for businesses, said many of his customers need back-to-basics advice for mobile use.
“We see varying degrees of sophistication in terms of our clients’ ability to manage their own devices,” Weber said. “Smaller companies or individuals are often looking for security tips. Password management is a great place to start. Everyone should have to enter a code to unlock their device when it opens. When we’re dealing with sensitive data in business environments, we always want to encrypt data on the device. You can set your mobile to erase all data after 10 password attempts. Activating the ‘find my phone’ feature enables you to locate it if it’s lost or stolen, and to wipe the data from it remotely.”
Experts also advise users to back up regularly, turn off Bluetooth, Wi-Fi and GPS capability when not needed, and proactively follow policies for use of mobile devices.
“Enabling security features isn’t used nearly as often as it should be,” Weber said. “Taking those simple steps can really be helpful for protecting your data.”
One of the best ways users can protect themselves is simply to learn the features of their device. Several experts agreed that the weakest link is the human element.
“The biggest point of risk is the user,” Orozco said. “As we’ve become more reliant on smartphones, the amount of data stored on them can be taken for granted and easily compromised.”
Others invent their own solutions. Shawn Oshman, founder of IT consultancy iSupportu LLC, got creative when he lost his iPhone on an airplane and realized that even if someone found it and wanted to return it to him, they couldn’t because his security was enabled.
“The trick I use now is to take a photo of my business card and use that image as the lock screen on my phone,” Oshman said. “That way, the phone is still locked, but if someone wants to be honest, they can call or email me. It’s an easy way to have it both ways.”
No matter which sector a business may be in, it’s time to adapt to the new model, said Ned McClain, co-founder of Applied Trust Engineering Inc., an IT infrastructure consultancy based in downtown Boulder.
“With the pervasiveness of mobile devices, it’s simply unrealistic to believe a company can tell users what they can install on their devices,” McClain said. “A BYOD strategy ensures that personal devices are useable in a business setting without undue risk to the company or inconvenience to the user. With appropriate policies, training, and technical control, mobile technology is incredibly empowering.”