As a security leader, your priority is to protect the organization from incoming threats. You must also prevent assets and data from being leaked as a result of data breaches or accidental exposure. According to the US Chamber of Commerce, 41% of all business data breaches occur due to lost or stolen devices.
While it may seem that the best plan of action is to lock down data, devices, and systems, it’s also necessary to ensure that employee privacy is respected. Not only is it just plain decent to do that, but employees are actually more likely to break rules when they feel they’re being monitored, according to Harvard Business Review.
However, having visibility into an organization’s assets is also important. The increased use of cloud services by businesses, as well as a growing business digital footprint, make it significantly more challenging for security leaders to protect their organizations without using invasive technologies. The widespread adoption of mobile devices makes matters even more challenging.
Both employer-owned devices and Bring Your Own Device (BYOD) policies lead to shadow IT issues, making it difficult to ensure data security and protection across these devices.
Unsecured BYOD devices can lead to catastrophic data breaches, as when a South Korean cryptocurrency exchange suffered a data breach of 30,000 customers after an employee’s personal computer was hacked.
The situation is worse with mobile devices. Employees might use personal smartphones to access company email, download sensitive documents to personal tablets, or use cloud storage apps on their devices that give them access to sensitive business information.
While security leaders should address these critical vulnerabilities, they must also consider user privacy. Employees have legitimate expectations of confidentiality, particularly when using personal devices.
Here are our recommendations for addressing this complex challenge.
Mobile Device Management (MDM) and similar mobile protection solutions are fundamentally monitoring solutions. They offer the employer a high degree of control over these devices. For example, the employer can remotely control them or even completely wipe them.
The employer also gains extensive visibility into the devices, including the ability to track their location and which apps are installed. In extreme cases, an MDM solution might even monitor communications.
This level of surveillance is fairly invasive, and employees are likely to resist implementing it on their devices, resulting in poor adoption. This can lead directly to a weakened security posture, with potential tangential negative impacts on the organization’s security reputation. Yet, if the employer tries to enforce it, employees are likely to look for workarounds or simply refuse to participate. With BYOD devices, the employer has no solid grounds to enforce compliance.
Even when organizations use only corporate devices, a large percentage of employees still bring their own. Ivanti discovered in a study that only 52% of organizations allow BYOD, yet as many as 84% are using BYOD. In other words, employees are bringing personal devices to work, even when it’s forbidden.
It’s simply a fact of our times. Completely prohibiting the use of personal devices is unenforceable and will impact both employee satisfaction and productivity. A better approach is to offer protections for those personal devices that users are actually willing to accept, which requires respecting their privacy.
Taking user privacy into account simply means using security solutions that aren’t invasive, such as Mobile MDR, which is a more modern alternative to MDM. When implemented properly, Mobile MDR not only maintains user confidentiality, it also offers far more protection than traditional MDM solutions.
Reactively responding to user action can feel invasive and often creates friction between security teams and employees. For example, when a user accidentally downloads malware, a typical response might involve the employer being immediately alerted and then taking aggressive actions like taking over control of the device remotely or, worse, wiping the device completely.
This represents an intrusive process that can be a big turnoff to employees, making it harder for organizations that are trying to balance security with employee trust. When employees fear invasive responses to mistakes, like having their phones wiped, they might start hiding security incidents from employers or avoid reporting anomalies, actions that further reduce security in the organization.
The situation has gotten bad enough that now half of the employees who use BYOD have become apprehensive about reporting security incidents for fear of repercussions, as reported by ThinkCyber based on a survey done at Infosecurity Europe 2024.
A more effective way to approach this is to manage access rather than to try to control user behavior.
Mobile devices shouldn’t have the capability to impact an organization in a devastating way, regardless of user actions. Organizations should have procedures in place that minimize access to sensitive assets and limit activity on channels that can be compromised. Access management might include role-based access to resources or 2FA when logging into sensitive channels.
By managing access and assets instead of people, security teams can implement a less invasive process that maintains both security and privacy. This way, employees understand what’s being managed and monitored, and it’s not their personal behavior. That leads to greater acceptance and cooperation because employees don’t feel that they themselves are the target. These monitoring systems should be in place across multiple channels: intranet, file directories, third-party communications, and asset management channels.
The security architecture should also prevent access based on roles—providing permissions only on an as-needed basis, adhering to the Principle of Least Privilege. This means employees can only access the specific resources necessary for their job functions, limiting the potential impact of any single compromised device or account.
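The access-managed model described above, as an added illustration (not code from the article or from any vendor product): decisions depend only on the requester's role, the resource and whether the session completed a second factor, and the audit record carries decision metadata rather than anything about the user's personal activity. The roles, resources and users are constructed.

```python
"""Least-privilege access policy for mobile clients (constructed example)."""
from dataclasses import dataclass

# Constructed role -> resources map; anything not listed is denied by default.
ROLE_RESOURCES = {
    "sales":    {"email", "crm"},
    "finance":  {"email", "ledger", "payroll"},
    "engineer": {"email", "source_repo"},
}
# Sensitive channels: logging in requires a second factor.
SENSITIVE = {"ledger", "payroll", "source_repo"}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool

def decide(req: Request) -> tuple[bool, str]:
    """Deny by default; grant only what the role needs, with 2FA on sensitive channels."""
    allowed = ROLE_RESOURCES.get(req.role, set())
    if req.resource not in allowed:
        return False, f"role {req.role!r} has no need for {req.resource!r}"
    if req.resource in SENSITIVE and not req.mfa_verified:
        return False, f"{req.resource!r} requires a second factor"
    return True, "permitted"

def blast_radius(role: str) -> set[str]:
    """Resources a single compromised device or account in this role could reach."""
    return set(ROLE_RESOURCES.get(role, set()))

def audit_record(req: Request, verdict: tuple[bool, str]) -> dict:
    """What gets logged: the decision and its reason, not device contents or behaviour."""
    return {"user": req.user, "resource": req.resource,
            "allowed": verdict[0], "reason": verdict[1]}

if __name__ == "__main__":
    for r in [Request("alice", "sales", "crm", False),
              Request("alice", "sales", "payroll", True),
              Request("bob", "finance", "payroll", False),
              Request("bob", "finance", "payroll", True)]:
        print(audit_record(r, decide(r)))
```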
Effective mobile security should aim to be proactive rather than reactive. By being proactive and taking an approach closer to EDR for mobile devices, organizations can respect user privacy while maintaining strong security postures. In other words, security efforts don’t have to live so much on the device itself, reducing the need for invasive monitoring tools.
Fundamentally, employers don’t want to “big brother” their employees, but they still need effective protection measures.
By starting earlier in the kill chain, organizations can focus on detection and swifter response before threats fully materialize on endpoint devices. This approach respects user privacy while also being more effective overall in preventing security incidents. It minimizes damage to an organization and prevents full data exfiltration by identifying and neutralizing threats before they can complete their objectives. If a threat is only caught once it’s already active on a device, it’s likely too late, as sensitive data may have already been compromised or exfiltrated.
Organizations should consider implementing mobile EDR solutions and include them as part of their overall security resilience strategy. These solutions can monitor for suspicious network traffic, unusual authentication patterns, and potentially malicious application behaviors without necessarily monitoring all user activities.
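To make the "unusual authentication patterns" point concrete, here is an added example (not from the article or any product) of a check that runs over login metadata only: who authenticated, from which device identifier, when, and with what outcome. It flags a burst of failures followed by a success and a first login from a device a user has never succeeded from, without reading messages, files or app usage. The log lines, threshold and window are constructed.

```python
"""Anomaly checks over authentication metadata (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: timestamp, user, device id, outcome
AUTH_LOG = """\
2024-06-03T08:01:10Z alice dev-a1 success
2024-06-03T08:05:42Z bob dev-b7 success
2024-06-03T12:14:03Z alice dev-a1 success
2024-06-03T22:30:01Z bob dev-zz fail
2024-06-03T22:30:09Z bob dev-zz fail
2024-06-03T22:30:15Z bob dev-zz fail
2024-06-03T22:30:20Z bob dev-zz fail
2024-06-03T22:30:31Z bob dev-zz success
"""

FAIL_THRESHOLD = 3            # failures inside WINDOW before a success -> alert
WINDOW = timedelta(minutes=2)  # assumed tuning values, not from the article

def parse(log: str):
    """Yield (timestamp, user, device, outcome) tuples from the metadata log."""
    for line in log.splitlines():
        ts, user, device, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, device, outcome

def detect(log: str) -> list[str]:
    """Return alert strings for fail-burst-then-success and new-device logins."""
    alerts = []
    known_devices = defaultdict(set)   # user -> devices with a prior successful login
    recent_fails = defaultdict(list)   # (user, device) -> failure timestamps
    for ts, user, device, outcome in parse(log):
        key = (user, device)
        if outcome == "fail":
            recent_fails[key].append(ts)
            continue
        # Success: evaluate both patterns, then record the device as known.
        fails = [t for t in recent_fails[key] if ts - t <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(f"{user}: {len(fails)} failures then success on {device}")
        # A user's very first device becomes the baseline rather than an alert.
        if known_devices[user] and device not in known_devices[user]:
            alerts.append(f"{user}: first login from new device {device}")
        known_devices[user].add(device)
        recent_fails[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(AUTH_LOG):
        print(alert)
```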
For more details on implementing privacy-preserving mobile security solutions, reach out to us.