This becomes particularly problematic because the CSO may not have direct control (if they have any level of control at all) over the device and operating system updates. These are generally controlled by the carrier, device manufacturer, or the employee.
Criminal threats to technology are evolving at a rapid pace. This places a premium on corporate IT security’s ability to fully understand the potential vulnerabilities which can be created each time there is an upgrade to a mobile device or its operating system. To maintain a high level of proficiency in these areas requires a careful and consistent investment by the CSO.
Damaged devices. Given their very nature and use, mobile devices are routinely damaged. Employees are much more likely to lose their mobile device than have it stolen. Do you want your employees going to the carrier’s store (or some store at the mall) to get their device repaired? Repair work on a mobile device will reveal not only the specific applications the company has installed for security protection, but the specific configurations used as well. In addition, a repair technician may be able to use the device to access company systems/data and access any private customer or proprietary company information stored on the device.
Lost and stolen devices. When a mobile device is lost or stolen, CSOs must have a process in place for employees to notify the company so action may be taken immediately to disable and/or remotely wipe the device. In addition, if the employee relies on their mobile device to perform their job, it may be necessary for the employee to obtain, and configure to company standards, a new mobile device as quickly as possible. The normal time period for replacements of 2 – 10 days may not be sufficient for the employee to fulfill their job requirements, or may otherwise impair application/system/customer support.
What makes a good BYOD policy? What advice would you give to CSOs that have to make one?
The foundation for effectively controlling mobile devices, like almost all other IT services, is the development and implementation of a thorough and easily understandable set of policies and guidelines. Training is also a mandatory component as employees must understand the risks associated with the privilege and convenience of being allowed to use mobile devices.