Data over device: Why encrypting data will help secure the mobile enterprise

People increasingly rely on mobile devices -- smartphones, tablets, laptops -- to deliver everyday functionality such as communications, banking, shopping, news access, and entertainment. And nowadays, the same people naturally expect the same level of user experience at work.

As a result, enterprises are facing questions such as whether they should provide company-owned devices or enable employees to bring their own devices, and how they should go about securing information on devices that no longer remain within the four walls of the office.

Jean-Marie Abi-Ghanem, a managing director leading Accenture's Asia Pacific Security Practice, told ZDNet that while enterprises are rightly concerned about staying in control with a mixture of company-owned devices and BYOD within the network, there's a greater risk if users are not given a choice, as they are then likely take shortcuts.

"You can always find a secure way to do things, but I think in this digital age you need more options to allow them to do more things, and to be more remote," he said.

CrowdStrike technology strategy vice-president Michael Sentonas agreed, saying there is a likely chance a business will lose greater control if they try to prevent users from using their mobile device of choice.

"People will find a way around it. You can't stop somebody forwarding their email from their private email address and downloading it off their device of choice. What you've effectively done is you've lost control, because you haven't adopted the way people are trying to consume technology," he said.

Findings from an Accenture report, The Cyber Security Leap: From Laggard to Leader, revealed that, for organisations which provided users with the services they wanted, their security posture improved over two years. Conversely, for organisations who kept a tight control, their security posture regressed.

Meanwhile, the ESET's Australia and New Zealand cyber-savviness 2016 report showed that users take greater care when it comes to security on work-provided devices than on their own personal devices. For instance, only 13 percent of ANZ users made purchases online using credit card details stored on mobile apps and accept incoming requests on social media on work-owned devices, versus the 48 percent that would do the same if they were using their personal device.

Assume the worst

Ultimately, according to Accenture's Abi-Ghanem, enterprises should not be looking at how to secure devices that are being used, so much as securing data that is being read, stored, and shared -- and do so in a way that assumes the worst, and that the device will be lost.

"I think BYOD is a reality. A number of organisations allow users to bring the device they like because some like their own nice-looking laptop, the operating system, or phone -- but at the end of the day it doesn't matter," he said.

"At the end of the day what's important is you have placed the security to secure the data well. Even if it's your own device or it's the same as providing someone with one ...[you] need to build in security closer to the data itself, and not rely on the end users or the end device."

CrowdStrike's Sentonas said that while businesses are likely to lose visibility of what's happening with their data when they don't own the device, there are ways around it, pointing to enterprise versions of consumer applications such Dropbox Business.

"You can instrument your network in a way that makes it easy for people do their jobs, and they will consume your service if you provide them that," he said.

Sentonas suggested another way that businesses can go about managing mobile security: via the cloud.

"The traditional security model of buying best-of-breed firewall and IPS, that's gone; that traditional perimeter doesn't exist anymore. If you think about the technology ... more and more you're connected to the cloud, and that's encrypted," he said.

"This is why you need to think about connecting your user to the device and deliver your endpoint service through the cloud to provide management. As you start to think more about the Internet of Things, it becomes more critically important."

Meanwhile, Tim Youm, IBM ANZ MaaS360 sales leader, said that mobile security is matter of finding a balancing act between user experience, privacy, and security.

"More mature organisations are adopting a balancing act between security, privacy, and user experience, whereby mobility services are tailored based on roles with different device ownership levels."

"For example, corporate-owned devices might have a supervised or lockdown mode, shared devices might have a login-logout function for shift workers, and BYOD might have a more balanced view of protecting privacy and consumer device experience," said Youm.