It is now several years since the scope of Mobile Device Management (MDM) expanded into Enterprise Mobility Management (EMM) and Bring Your Own Computer (BYOC) morphed into Bring Your Own Device (BYOD). As mobile management technologies enable ever wider and better risk management, the consumerisation of IT is pulling the organisational risk profile in the opposite direction. So should organisations approach mobile technology choices with risk and controls as the priority, or should employees' personal preferences drive the overall approach to risk when mobile phones are bought?

There is no right or wrong answer. Clearly mobile device choice can be emotive and personal, and what matters most has to be judged on a case-by-case basis. However, blindly pandering to the 'wants' of employees removes very valuable protections that would traditionally be seen as 'needs' in any IT security context outside of mobile.

Businesses need to protect themselves from threats both internal and external, especially on mobiles. A relaxed attitude towards mobile security and device decisions makes it easier for external parties to use mobiles as a bridgehead to sensitive data. Regardless of a product's capabilities and credentials, an EMM is only as good as the controls that are actually implemented. Too often, organisations use only the basic functionality of EMM (e.g. device registration and remote wipe) without applying the IT security policies the platform supports, such as enforced device encryption, passcode requirements, minimum OS versions and restrictions on which apps may be installed. Furthermore, not all mobile Operating Systems (OS) are equally secure. Given the risks posed by malware, device loss and other ways of compromising mobiles, the device the employees prefer may not be the one that delivers the desired level of security.

On internal threats, there is already an industry growing around mobile forensics and its use in fraud and investigations to verify what an employee was doing at a particular time and place. However, how often do we read that those under investigation simply 'lost' their mobiles? Just as other IT systems create detailed audit trails to test and verify an evidence timeline, ideally EMM solutions should be able to do the same and a few of them do this very well.

Not all EMM solutions and mobile OS will be equally suitable to meet business needs. The strength of the controls that each provides should be evaluated in the context of how an organisation sees risk management and IT Risk. If organisations do not know what controls each EMM offers and how these should be implemented for promises of protection to reflect reality, they will be flying blind until something goes wrong.

Are the benefits of BYOD and employee choice in mobile really worth the risks? The complexity of managing and securing multiple mobile devices, OS versions and update cycles is daunting. If something goes wrong (hacked bank accounts, fraud, malware and so on) the impact could be devastating.

Perhaps using EMM to keep controls simple, secure and auditable is more important than the popularity senior executives will gain by making mobile device choices more democratic.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.