Ask Aspi

Aspi Havewala is Director of Collaboration and Mobility at Verizon. He’s responsible for messaging, collaboration and mobility services. We asked him about the best ways to secure mobile devices without negatively impacting the employee experience.

Q: How would you recommend companies tackle improving their mobile device security, going from point solutions to an integrated and risk-based approach?

A: You need to do some groundwork. This involves assessing the risks that are out there, the kind of company data you want to expose on the mobiles, what your stakeholders need and the preparedness of your employees. And once that’s done, you can start to build a multilayered set of defenses. This means that if one layer fails, another layer kicks in and your devices, and your data and systems, are not left unprotected.

Q: A lot of businesses are moving their applications to the cloud; does that make the job of people like you easier or harder?

A: It comes with advantages and disadvantages. The disadvantage is, of course, it’s out on the internet, anybody can access it. You can no longer protect that application in the traditional way you used to, which is behind the perimeter of a network, inside a company’s firewall, isolating it on your own premises. But with all your data in a single place, you can direct all your energies toward securing that location, making sure that all of the controls are implemented around that one set of properties or that one application or that one cloud repository.

Q: There’s been a lot of talk lately about the “zero-trust” approach to mobile security, but what does it actually mean?

A: Today’s employees often depend on and work with contractors and visitors in the office. They may also be required to perform work tasks remotely. This means that trusting everyone inside a network can leave your organization vulnerable. Zero trust is based on the idea that you should implicitly trust no one—and instead look at a person’s identity, access rights and device before granting them access to company data.

Q: Do you think zero trust is the right approach for organizations seeking to improve their mobile security?

A: Most organizations have remote workers and assets stored in the cloud, so network perimeters are blurred. Adopting a zero-trust approach is an effective way of maintaining security when you have a distributed workforce—which is pretty much the norm now.

Zero trust can also help deliver better employee experiences. It’s adaptive to each situation, so staff trying to do a low-risk task won’t be impeded by superfluous security checks. That’s because it doesn’t just look at who is trying to gain access, but also at what they’re trying to do. For example, an employee trying to sign into their email from home might encounter a standard level of authentication, say password and 2FA. By comparison, a user trying to set up a large bank transfer, accessing from a risky location or seeking to access privileged information could face more rigorous validation—this could include asking for biometric information—or be blocked.
 

Q: Do you have any other advice for companies that want to improve their security without frustrating employees?

A: First and foremost, prioritize the user experience. Make it part of every risk discussion you have, because a bad user experience is a big risk in and of itself. You should give your employees a range of options to do their work securely, and stay connected with your users. The more you communicate with them about the policy and controls that are in place, the more your users will appreciate security.

Next steps

Whether you’re just starting a mobile security program or looking for ways to improve one, find the tools you need:

• Mobile security assessment tool - See how your mobile security stacks up against 800+ businesses and get personalized recommendations for improvement
• Acceptable use policy (AUP) Guide - An AUP is a foundational policy for mobile security. Our guide offers best practices for making your AUP stronger