BYOD – Convenience Vs Security?

The use of personally owned devices in the corporate workplace is growing rapidly, and accommodating Bring Your Own Device (BYOD) is becoming a fact of life for many organisations. While there are benefits to adopting this approach, businesses must minimise the risks if they allow employees to use personally owned smartphones or tablets for work.

One of the key risks in adopting this strategy is that confidential information becomes easier to compromise when there is a lack of control, ownership and management of the devices that hold it. A basic tenet of information security is the ability to control data, and BYOD weakens that control unless it is deliberately re-established. Tablets and smartphones are easily lost or stolen, and any data stored on them is exposed if the device lacks basic security measures; the risk is higher still if the organisation has no ability to encrypt the data or wipe it remotely. Traditionally, corporate-owned devices have been configured to a standardised build, which allows greater control; removing that systematic approach to mobile devices leaves a good chance that data will be compromised through poor security and data management.

Security best practice for the mobile BYOD environment presents fresh challenges for IT professionals, and a risk-based approach pays off. A clear understanding of how employees actually use their personal devices helps to mitigate the risk, but organisations must remember that every new device added to the network increases it. Without that understanding, how do you know whether users are storing login details for corporate applications and databases on their devices, or whether malicious code can reach the corporate network because of poor patching policies on devices you do not manage?

Organisations should start with the basics and consider the following questions:

  • Do you need to impose restrictions on usage through the enforcement of strong policies?
  • How will the devices be used? In this instance it is crucial to consider this from a business and personal perspective.
  • How are you going to enforce your policies? Organisations must ensure these are tailored to specific roles, devices and locations – there is not a ‘one-size-fits-all’ solution.

Organisations also need to decide how they will monitor devices and activity to ensure policies are being adhered to. As an example, they should look at how apps are controlled – what can and cannot be installed – and ensure they have the ability to block apps that may introduce unwanted risk. Do they really want a rogue app that creates a gateway for unhindered access to their corporate information or intellectual property?

Agreements with users

BYOD also raises more complex issues and these are primarily around liability and trust: for those users who wish to use their own devices, organisations must formulate opt-in agreements. The business must decide what level of control it requires over devices to provide them with assurance that the smartphones or tablets are being used correctly and appropriately.

Employees who wish to use their own devices should be required to sign an agreement allowing the organisation the right to access the device and review it as necessary. This must include the ability to wipe data from the device if it is lost or stolen or in the event the worker terminates their employment.

Security measures

Securing mobile devices brings fresh challenges for those responsible for corporate data, and however much users may dislike it, rules have to be imposed to reduce data leakage or loss, and compliance with those rules must be auditable.

Rather than place extra burdens on IT staff, organisations can also consider using an outsourced Mobile Device Management service. There are numerous organisations offering this and the options are many: for instance cloud or hosted, and full or partial service.

When a business wishes to introduce a BYOD culture, there are many things to consider from a risk perspective. However, device security must include the following in order to ensure unauthorised access to data is minimised:

  • Turn on auto-locking;
  • Enable encryption;
  • Enforce strong passwords;
  • Turn on password protection;
  • Enable inactivity time out;
  • Lock out after a specified number of failed logons;
  • Remote wipe if the device is compromised.
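The list above only becomes auditable once each item is expressed as a rule that can be checked against what a device actually reports. The following Python is an added example, not code from the original post or from any MDM product: it encodes the baseline as per-role rules (tailored policies, as the earlier section recommends) and evaluates a constructed device inventory against them. The device records, the role names and the numeric thresholds (passcode length, inactivity timeout, failed-logon limit) are assumptions chosen for illustration; a real deployment would take the posture data from its MDM agent and set the thresholds from its own risk assessment.

```python
"""Added example (not from the original post): turning the BYOD device
baseline into an auditable compliance check.

The device records are constructed sample data, not output of any real MDM
product, and the thresholds in BASELINES are assumed values for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Per-role baselines: the post notes that policy is not one-size-fits-all.
# Numbers are assumptions for this example, not figures from the original page.
BASELINES = {
    "standard":   {"min_passcode_length": 6, "alphanumeric": False,
                   "max_inactivity_min": 5,  "max_failed_attempts": 10},
    "privileged": {"min_passcode_length": 8, "alphanumeric": True,
                   "max_inactivity_min": 2,  "max_failed_attempts": 5},
}


@dataclass
class DevicePosture:
    """Settings as an MDM agent might report them (constructed for this example)."""
    device_id: str
    owner: str
    role: str
    auto_lock: bool
    encrypted: bool
    passcode_set: bool
    passcode_length: int
    passcode_alphanumeric: bool
    inactivity_timeout_min: int   # minutes of inactivity before the screen locks
    max_failed_attempts: int      # 0 means no lockout configured for failed logons
    remote_wipe_enrolled: bool


def check_device(d: DevicePosture) -> list[str]:
    """Return the baseline rules the device fails; an empty list means compliant."""
    b = BASELINES[d.role]
    failures = []
    if not d.encrypted:
        failures.append("encryption_disabled")
    # A lock screen without a passcode protects nothing, so check the passcode first.
    if not d.passcode_set:
        failures.append("no_passcode")
    else:
        if d.passcode_length < b["min_passcode_length"]:
            failures.append("passcode_too_short")
        if b["alphanumeric"] and not d.passcode_alphanumeric:
            failures.append("passcode_not_alphanumeric")
    # Auto-lock and the inactivity timeout are one control: the timeout only
    # matters if the device locks itself at all.
    if not d.auto_lock:
        failures.append("auto_lock_disabled")
    elif d.inactivity_timeout_min > b["max_inactivity_min"]:
        failures.append("inactivity_timeout_too_long")
    if d.max_failed_attempts == 0:
        failures.append("no_failed_logon_lockout")
    elif d.max_failed_attempts > b["max_failed_attempts"]:
        failures.append("failed_logon_threshold_too_high")
    if not d.remote_wipe_enrolled:
        failures.append("remote_wipe_unavailable")
    return failures


def audit(devices: list[DevicePosture]) -> dict[str, list[str]]:
    """Map each device to its failed rules: the auditable record the post asks for."""
    return {d.device_id: check_device(d) for d in devices}


# Constructed sample inventory: one compliant device and two that are not.
SAMPLE_DEVICES = [
    DevicePosture("phone-001", "alice", "privileged", auto_lock=True, encrypted=True,
                  passcode_set=True, passcode_length=10, passcode_alphanumeric=True,
                  inactivity_timeout_min=1, max_failed_attempts=5,
                  remote_wipe_enrolled=True),
    DevicePosture("tablet-002", "bob", "standard", auto_lock=True, encrypted=False,
                  passcode_set=True, passcode_length=4, passcode_alphanumeric=False,
                  inactivity_timeout_min=15, max_failed_attempts=0,
                  remote_wipe_enrolled=False),
    DevicePosture("phone-003", "carol", "privileged", auto_lock=False, encrypted=True,
                  passcode_set=True, passcode_length=8, passcode_alphanumeric=False,
                  inactivity_timeout_min=1, max_failed_attempts=5,
                  remote_wipe_enrolled=True),
]

if __name__ == "__main__":
    for device_id, failures in audit(SAMPLE_DEVICES).items():
        print(device_id, "compliant" if not failures else ", ".join(failures))
```

Run stand-alone it prints one line per device. The useful property for a BYOD programme is that `audit()` returns a record per device naming the specific rule failed, which is what a reviewer needs to show that the policy is being enforced rather than merely published; a device that has no passcode at all fails that single rule rather than a cascade of derived ones, so the report points at the real fix.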

A new culture

Although often overlooked, one of the best ways to prevent security incidents is to create a ‘security culture’ where all employees are aware of risks and consequences of using their own devices unsafely for work purposes and not following company policies.

As human error remains the leading cause of security incidents, often because employees circumvent strict controls in order to get their work done faster, appropriate awareness training is essential if the risk is to be minimised.

By taking these steps, BYOD can become a normal practice within an organisation without adding unacceptable security risk, so that everyone can enjoy the benefits that using personal devices for work can bring, along with the possibilities opened up by mobile and home working.

Colin Greenlees, Senior Security Consultant

