Blog

Mobile Device Management and Security

Steve Ripper from PCG talks with John Maher on this episode of Tech Tuesday. Steve explains the importance for mobile device security, and he covers the different concerns businesses need to consider depending on whether they provide their employees with cell phones or have employees bring their own devices.

John Maher: Welcome to Tech Tuesday brought to you by PCG, a managed IT services company in Portsmouth, New Hampshire. I’m John Maher, and with me today from PCG is Steve Ripper. Welcome Steve.

Steve Ripper: Hey, thanks John.

Businesses Need to Think About Data on Employee Phones

John: Sure. So Steve, today, we’re talking about mobile device management and security. Why do companies need to worry about their apps and data that might be on employee’s phones?

Steve: So this is an important topic that a lot of times companies don’t think about, how much data is literally walking around in people’s pockets. They’ll turn to us and they’ll say, so Steve, thanks for putting us into Office 365. We’ve got all this email, we’ve got this thumb drive and everything. Everybody should have their email on their phone so that I can email them and they can answer it.

They’re all working from home. Maybe they go on vacation and they need to answer a quick email. I want you to put it all on their phone. So we’ll put it on their phone. But now corporate email is literally traveling around the state, the country, the world, right? So it gets worse.

Email’s not too, too bad, but it’s an important and easy first illustration, but it gets worse when well, now they’re in your CRM. So maybe you’re in Salesforce. Salesforce has a phone app. Okay. So if everybody in your company who is in sales puts the Salesforce app on their phone, your company data with your corporate contacts, basically your client list is walking around with that person. So how do you manage that? What do you do about it? I always bring that up. Literally how much I asked that question if I’m doing a seminar John, how much company data is literally spread around the room in people’s pockets?

Securing Business Information on Employee Phones

John: Right. And that really makes people think. They start thinking about their phones and going, oh yeah, I’ve got that app, I’ve got that information. And yeah, probably makes people think a little bit.

Steve: Yeah. And so what’s the next question, right? What are we doing to secure that? Right. So any company president or IT person who’s inside a company who’s working with us John, has a good idea of what they’re doing about the PCs, right? They have a good idea of the laptops and servers.

There’s a door locking the servers. We have Microsoft active directory and usernames, passwords for all the PCs and the laptops. But if you ask them how each person in your company is dealing with security on their iPhones, especially if they’re not, and most small companies aren’t providing cell phones to their users, they have no idea. They have no idea if Suzy has any kind of security turned on for her iPhone. They have no idea. And if they do, they don’t know if it’s the same thing that Jim is doing over there.

I’m making some names up. No idea. Right? And that one makes company presidents, IT directors, CFOs, like whoever, that one makes their eyebrows go up. All right. So we just went and added our line of business applications, gave them blanket access to everyone to just download the app and connect to it. And no idea how anybody’s doing their security.

iPhones are a little bit better, right? iPhones have really, in the last couple of years, pushed the idea of listen out of the box, set up your security, whether it’s facial recognition, whether it’s thumbprint, whether it’s key codes and pattern access, all of that. The iPhone really pushes that as a default standard. Androids, all those options exist. They’re not as good at saying, just really pushing first-time users to use it, but they’re getting there. They’re getting there.

Security Risks of Bring Your Own Device (BYOD)

John: And what is BYOD and how can that be a security risk as well?

Steve: So BYOD is our term. It’s an industry term for bring your own device. And I mentioned that just a few minutes ago. A lot of companies, especially in the small company space with 30 employees or so, they’re just not going inside. They’re not calling up AT&T and doing a 30 phone plan and handing out cell phones to everybody. Okay.

Instead what they’re doing is they’re relying on the fact that their 30 employees all have their own cell phones because who doesn’t? Right. Everybody does. So we call that, bring your own device. We’re letting them do X, Y, and Z, but we don’t own the phone that they’re doing it on. They do. Right. So that brings up a lot of the problems. If a company calls me up and says, Steve, I need to make sure that the apps on everybody’s phone are like, that we’re protecting our data.

My first question is, who owns the phones? If they tell me we have a company corporate plan and we hand out cell phones and we provision phones for every user, then that’s easier. I’m not saying it’s easy to do any of this stuff, but it’s much easier because they control it. It’s all policies. Right. And when I say policies, I don’t just mean IT policies. I mean, literally HR employee policies. Hi, we’ve given you this phone. These are the rules you have to follow. Okay.

Policies like that are much harder to enact when it’s their own iPhone. Who are you guys to tell me what to do on my phone? But you need to. That’s not to say that it can’t be done, but those are the challenges. You’re now getting around this kind of, this line of demarcation between what the company can say the employee can do and the employee saying, well, wait a minute. This is my device. For years, we would always very heavily discourage any company from allowing a user to use their own laptop to handle work applications and data. That’s terrible. Right. Definitely get them their own laptop. Much harder to do John, in the phone space.

Employee Phones and Data Security

John: Yeah, absolutely. There was a time when companies would get cell phones for their employees and employees might have to carry their own personal cell phone and then also one from their work or something like that. But that’s just not really the case anymore. Right?

Steve:   We do see it, don’t get me wrong, in the small business space. You do see it much more in the big business space. I would tell you that like PCG provides phones to all its employees. They have to. Our cell phones are very integral into what we do, both for multi-factor authentication standards to be able to get into everything, but we’re also need to be available. We’re talking to customers.

So I’m only using that as an example of we’re an industry where it’s really important that PCG manage and control the cell phones, so they do provide. But other industries that we go into are like, listen, it’s changing, John don’t get me wrong, but they’ll be like, listen, we’re in manufacturing. We’ve never needed to worry about what’s going on. But things are becoming so digital.

The cloud is becoming such a big deal that it is now becoming a thing that owners, and CEOs, and things like that have to deal with where they just didn’t five years ago. Now it’s like, I actually had a company president go to me, listen, I don’t want anyone to have access on their phone. Well, what really worries me, Steve, is that they can. In other words, I need you to work with my vendor for my application, whether it’s CRM, whether it’s in EMR for medical, whether its financial software, to make sure that nobody, none of my employees can download this, put it on their phone and log in with their account.

So we have to go in and turn that off. Right. Because they’re the other side of it. They are aware of the dangers of having this data walk around with them, but what do they do with the fact that people just are savvy, they have phones, right? They can hit the store. But we use Salesforce. Hey, look, Salesforce has an app. Download the app. I know what my username and password is. I use it at work. Type it in and away they go. So you can do both sides of it. How do we secure things if we want them to have access on their phone and device? How do we prevent it if we want none of that to happen? So those are the things you have to deal with and take on the challenge of.

MS Solutions for Mobile Data Security

John: Right. And what is Microsoft’s solution to having data in everyone’s pockets, on their mobile devices?

Steve: Yeah. So what Microsoft does is, and unsurprisingly, John basically built into the Office 365 slash Azure space. Like if Office 365 is their cloud offering for email, file storage, collaboration, teams, video, all that other fun stuff, then a lot of this, what do we do about the devices, is built into that. It used to be called Intune; it’s now called MDM or mobile device management. And the idea is that you’re basically provisioning and configuring a space within your Office 365 portal. And if you don’t have one, we could build one for you just for that purpose. But most companies are in it, most corporate companies are in it already. But you’re building this policy type space where you’re then saying that the apps that the company is going to use run inside of that. Okay.

So conceptually, what I would describe to you is that we’re leaving the person’s phone alone, but we’re creating a bubble. In other words, if the problem is that they can download these apps and sign into them, we’re going to give them one app that they can sign into that then gives them access to all the others.

Once we provision this and we configure it on their phone, we’re either going to help them do it, or we’ll just tell them where to go. But they’re going to go into the store and they’re going to download the MDM app for this onto their phone. And they’re going to sign into it using the secure credentials that we give them. When they’re inside that they can then open their email to read their email. Okay. They can maybe open, I use Salesforce as an example, but whatever their application is that’s on the cloud, the internet is going to be provisioned inside of that.

So we’ve gained several efficiencies and protections there. Now the data is self-contained in that one thing. We can tell it to immediately delete. So if they come in and they go, hi, Steve, I left my phone on the bus on my way to work, or it got stolen. I was at the bar, left it on the counter. It’s gone. Okay. We’re going to go in and we’re going to say, delete. We’re not deleting their phone, or we’re not really mangling if you want to think of it that way, their phone and their personal data, if it’s a BYOD. But what we are doing is that application that has all of the corporate data, we are pulling that off the phone. We’re removing it. Okay. If the phone is offline, we can’t do anything with that. But what we are is we’re severing the connection to the data.

So even if the bad guy has the phone and he’s purposely keeping it off the cell network, the app A, won’t connect and B, we’ve terminated that access. So we’re putting control back into the company’s hands by having this app that is now controlling where the data sits. The opposite if you think about it is just a phone, right, with the application, the Outlook app, your email app, maybe the one drive app, maybe some Excel, maybe something else, right. It just kind of sprinkle on it. We’re now centralizing it into one program and then gaining that access for them.

Contact PCG for Help Managing Your Team’s Mobile Devices

John: All right. Well, that’s really great information, Steve. Thanks again for speaking with me today.

Steve: Yeah. Thanks for having me, John. It’s been fun.

John: And for more information, you can visit the PCG website at pcgit.com or call (603) 431-4121.