Originally posted on TechTarget, “IT, not BYOD users, must control mobile device encryption” by Craig Mathias

As freeing as BYOD can be for employees, it can mean more headaches for IT. Organizations need a BYOD policy and EMM/UEM strategy to help IT mitigate BYOD security risks. IT administrators are the gatekeepers of mobile security, but BYOD users threaten to usurp that power.

The BYOD movement rose to prominence based on the notion that employees would likely be more productive with devices they actually want to own and use, along with a demonstrable operating expense cost savings and enhanced convenience — because who wants to carry two devices, different or otherwise?

But the movement comes with its own set of issues. IT must counter BYOD security risks with measures such as encryption of sensitive information, authentication to make sure only authorized individuals can access that information, and management of these functions. Thankfully, these security measures aren’t that hard to implement today, with the availability of cost-effective enterprise mobility management (EMM) tools. EMM includes the configuration-centric mobile device management (MDM), mobile content management (MCM) and mobile application management (MAM).

From a security perspective, MCM gets right to the heart of the matter. The most common and effective technique is the implementation of secure containers that enable encryption and control of sensitive information. MAM prevents unauthorized applications from accessing or distributing this data.

There is no such thing as absolute security, but the combination of MCM and MAM can be very effective, removing end users from the policy decision making and implementation that’s best left to IT.

But making EMM-based mobile security work effectively and efficiently has its challenges. Here are some best practices IT should add to its mobile security checklist when supporting BYOD users.

Have a cross-platform EMM strategy

There’s no need to support every possible mobile device and OS pair employees might use in the workplace, or even a majority of them. But whatever EMM/UEM tool IT chooses, it must fully support every platform the organization decides to support. Admins should avoid running multiple EMM products and should never make end users responsible for encryption, because employees do not own or control organizational data. IT must carefully test each OS release for compliance with local policies.

Make sure required policies, agreements and regular reinforcement are in place

Every organization should have a security policy defining what information is sensitive, who can access data and under what circumstances, and what to do in the event of a breach. A BYOD policy detailing supported platforms, cost reimbursement mechanisms and end-user responsibilities should be a requirement, along with an agreement to that effect. An acceptable use policy is also highly desirable, but admins should check with legal counsel for the specifics. Loose lips do indeed sink ships — security holes can lead to data leaks or breaches — so IT should give employees polite but firm reminders on the importance of security on a regular basis.

Stay up to date on new products, services and threats

No one should assume EMM is a mature market; there’s still a great deal of evolution in products, technologies and services, including wholesale obsolescence and forced upgrades from time to time. IT should plan to check in with EMM vendors regularly. Smaller firms may be able to rely on vendors to identify new threats and other security issues, but larger firms should have ongoing access to specialized knowledge to avoid embarrassing — not to mention harmful — security failures. Having the best EMM tools at their fingertips will help admins fully support BYOD.