How to balance mobile device privacy vs. security

If employers are transparent with workers and respect their mobile device privacy concerns, workers will be more accepting of their security measures.

Steps taken in the name of security often conflict with personal privacy. In the enterprise mobility era, IT departments can strike a more workable balance between the two.

The ability to find a lost mobile device typically relies on location-tracking technology, which some workers view as an invasion of privacy. Similarly, when IT uses antimalware software to disable certain mobile apps, users may view that as an intrusion on their personal devices. New technologies such as wearables are now exacerbating these mobile device privacy concerns.

Assess the privacy landscape

The first step toward balancing mobile device privacy vs. security is to examine who in the company has access to users' personal data -- and why. This assessment provides the foundation for determining whether that data should in fact be collected, what limitations should apply regarding access to that data, and any protections that IT must apply to that data.

For example, depending upon industry and location, companies may be subject to legal and regulatory requirements for protecting personally identifiable information (PII). If these companies collect, use or store PII on mobile devices used for business, they must follow their legal or regulatory obligations to protect that information.

Bake mobile device privacy into policies

Gartner Research Director Heidi Wachs recommends applying common privacy law principles to mobility policies. These principles include providing notice about the collection of personal data, seeking user consent and controlling access to that data.

Gartner recommends that employers notify users of corporate-owned devices, and seek consent from BYOD users, that the organization will collect data and that users should have little or no expectation of mobile device privacy. IT can push these notifications to users during the process of enrolling devices in enterprise mobility management (EMM) software.

The notifications should include a clear description of the security controls IT will place on devices and the implications those controls may have on personal privacy. In some cases, terms may be all-or-nothing, and in others, they may provide flexibility. An organization might mandate antimalware software on corporate-owned devices, but location tracking may be optional for BYOD users.

Focus on securing business assets

All too often, administrators make use of all available tools without considering the mobile device privacy ramifications. Instead, adopt this philosophy: If business needs don't require gathering data from employees' devices, then don't.

For example, every EMM product can collect location data generated by a mobile device's GPS capabilities, but Gartner recommends that organizations disable location monitoring by default, unless it's essential for regulatory or business purposes. Of course, employees may still enable location tracking for their own convenience; many location-aware apps simply don't work well without that data. But employers should avoid monitoring GPS data unless truly necessary.

This recommendation raises the question of how to protect enterprise assets when devices are lost or stolen. Containerization and other mobile application management (MAM) technologies can keep enterprise data safe and separate from personal data. IT can use MAM tools to install, configure and maintain apps that provide their own authentication and encryption, then apply other controls to those managed containers -- and not to personal apps or data.

If business data is stored only in managed containers, it becomes feasible to perform a selective wipe on a lost or stolen device. Workers needn't fear their personal data will be lost, and employers can reasonably reserve the right to remove managed containers at any time, for any reason. In addition, IT can use capabilities such as Apple iOS Managed Open In to prevent the commingling of containerized business and personal data. Containers don't just keep business data safe; they help employers avoid accessing or storing personal data.

Finally, consider geofencing, which applies policies to devices only within defined areas. Geofencing can allow IT to impose more heavy-handed policies within the workplace -- for example, disabling cameras within a healthcare facility to preserve patient privacy. Geofencing inherently depends upon location monitoring, however, and so it may require certain tradeoffs.

Use transparency to promote privacy

Balancing privacy vs. security often requires greater transparency. Workers tend to fear technologies that are unfamiliar and are less likely to fear technologies with perceived benefits. Education therefore plays a critical role in assuaging privacy concerns.

To this end, policies, notifications and consent agreements should not be full of dense legal jargon. Consider them an opportunity to educate workers about the risks IT is trying to address, so that workers understand why they must consent to certain settings and apps. Organizations should also explain what data will and will not be monitored or collected, especially when PII is involved.

Ultimately, the more a company explicitly recognizes and protects mobile device privacy, the more comfortable workers will be with consenting to reasonable security controls.
