In early 2011, the enterprise was finally embracing the mobile workforce. Then, the death of BlackBerry and the rise of iOS and Android in the corporate world brought panic to IT departments everywhere. It was World War BYOD, without Brad Pitt to save the storyline. I realized that most of the attention in the space was focused on securing the new types of devices through emerging MDM (Mobile Device Management) technologies. The market was missing the point.
Users didn’t want iPhones and Androids because the devices were edgy; users wanted these devices because of the apps they can run on these devices. In the new, increasingly mobile Information Security world, the real problem was app security. Mobile Device Management tools allow IT to block apps, but how could IT build mobile policy if they didn’t know how apps behave?
Appthority owes part of its success to big companies who are taking the BYOD plunge, but recognize the need for app risk management and policy. It’s easy to see why the enterprise wants a solution like ours. The concept of BYOD has gained plenty of traction as the savings involved in allowing employees to utilize their own devices for work is staggering. When your budding startup uses BYOD as the mode du jour, however, are you opening the door to a world of risk? What some companies gain in convenience and cash can be lost through poor security management and lack of policy. What do startups need to keep in mind when your startup is BYOD-friendly?
Obviously, the most discussed and visible challenge in developing BYOD policy is security. When employees bring their mobile devices to work and home, there is an inherent risk that the device can link to dangerous networks, be used for phishing and hacking, or allow risky app behaviors that remove sensitive corporate data from the device. In the past, there has been no way to regulate the level of information an employee can keep on his or her device, meaning that all your startup’s data, the data you’ve poured your heart, soul, and IQ into, is compromised.
Consider installing an MDM such as AirWatch or MobileIron, and compliment the MDM with an App Risk Management solution to amplify control within mobile devices and tablets. You might be saying, “this doesn’t sound very ‘startup-y.’” Your employees left big companies to feel less ‘managed,’ to escape Big Brother, have ping pong tables, beer carts, an open floor plan, and flexible hours. They will still have these provisions, but if you don’t ensure the security of their devices, you’ll be watching those ping pong tables get wheeled away, MC Hammer style, when your company fails due to security leaks. With MDMs, you get the best of both worlds—employees get the freedom of using their familiar device, while your startup retains its trade secrets and IP.
Standardizing (is not necessary)
Enforcing a standard, make, model and year of a device goes against BYOD. Companies have tried to incentivize employees to change their mobile devices by offering to subsidize the devices to reach a more reasonable point of purchase, or to deploy the devices when needed. Companies have also encouraged employees to buy their own devices, while the company pays for cell and data service until upgrade or termination. This method isn’t fully baked. True, some mobile devices are safer than others. This holds true for apps, as well. It’s crucial to understand that while you cannot always demand your employees change their devices and apps, you can empower IT to maximize the productivity gains of the BYOD movement by mitigating risk.
You can have the most trustworthy, well-intentioned employees in the startup world—but their apps? Their apps are most likely behaving like the Jersey Shore cast in Cancun.
Employees, as users, have learned to be smart with their desktops and laptops at home and at work—they don’t download attachments from unknown senders and they don’t click on sketchy links. However, with smartphones, people forget that these are pocket-sized computers. The first impulse is to open any link, download any app and grant all permissions. Employees need to realize the risks to personal and corporate data which lives on our devices. By working together, your startup helps protect both the individual’s and the company’s sensitive information.
App Policy Management
Whether you’re Google or a budding startup, your IT needs a tool to provide a quick inventory of the apps and their risky behaviors present on employee devices. MDMs provide the mechanism, while mobile App Risk Management provides the brains to determine and manage enforcement actions. When the two are integrated, IT gains control over the app risk problem—without the cost and complexity of the manual approach. IT will be happy. Employees will be happy (they don’t have to worry about being liable for losing company data, or their children buying expensive virtual goldfish on the company device) and your startup will continue on its way to becoming the next Google—if that’s what you were going for.
# # #
Domingo Guerra is co-founder and president of Appthority. Appthority was born with the mission to become the authority in app security and has developed into one of the fastest-growing companies in the security space. In February, 2012, Domingo and Appthority exited stealth mode with the public launch of the Appthority Platform at the RSA Conference in San Francisco, where the company was named ‘The Most Innovative Company of RSA Conference 2012.’