Mobile devices can provide corporate IT departments with a hornet’s nest of security (and support) issues – no matter whether it’s corporate devices or the use of employee personal devices in the workplace. It’s a two-part security issue, with a certain degree of overlap. To ignore it, and to focus purely on corporate mobile devices, is definitely not in the best interest of any company.
Some IT departments still think that they can “ban” the use of employee personal devices for work purposes, commonly called “bring your own device” (BYOD). But, with the exception of some extremely controlled work environments such as trading floors, it’s hard if not impossible to stop employees using their personal devices for work purposes – either at work or elsewhere. And it’s here to stay.
It’s also worth noting that BYOD is already well over a decade old. Employees have been using email or USB sticks to transfer data to their personal PCs, or forward work emails to personal email accounts since the 1990s – all in order to get the productivity enablement they need.
BYOD Is about Employee Productivity, Not Technology
The first thing for CIOs and IT departments to recognize about BYOD is that it’s not the result of maverick end users, but rather it’s the result of the corporate IT department’s inability to meet stakeholder and end-user expectations of IT across usability, cost, service, and agility. Sadly, IT supply hasn’t always met end-user demand, and as such BYOD, or BYO-anything, is the end user’s response: a way of raising their own productivity.
So now, instead of fighting BYOD, corporate IT departments should be looking to ensure that they are ready for, and accommodating to, BYOD – while both protecting business assets and operations, and optimizing employee productivity.
Common Mobile Security Issues that Impact BYOD
This is where there’s the overlap between generic mobile security and BYOD security – with a number of basic mobile security risks needing to be addressed, starting with the device itself:
- Weak access control. Ranging from no suitable password or PIN at all, through to not using stronger options such as two-factor authentication.
- Exposed network services. Without a host firewall, any service listening on the device is reachable from whatever network it joins, opening it to intrusion and the loss of sensitive corporate data.
- No security software. Neither pre-installed nor later added by the corporate IT organization or end users to protect the device, and its content, against threats.
- Software-based vulnerabilities. Out-of-date operating systems or mobile apps.
- Unencrypted data. Both on the device and for the transmission of sensitive data to and from the device.
- People-based risks. Negligent or uninformed acts ranging from losing the phone, through end users modifying their devices by rooting or jailbreaking them (which disables platform protections and makes anything the device reports about its own state untrustworthy), to the use of unsecured public WiFi networks.
The security risks spread beyond the device once connected to corporate networks and the corporate IT infrastructure. Plus, they are applicable to PCs and tablets as much as they are mobile phones. And IT departments need to be addressing these risks through suitable IT and BYOD policies.
BYOD Needs Policies and Standards
In order to help address all of the above security issues, IT departments need to have the following in place for the effective management of BYOD and its risks:
- High-level BYOD policy
- Acceptable use policy (AUP)
- End-user agreement (EUA)
- Data classification and handling standards
- Basic user roles/classification
- Supported application list
- Resource matrix
Organizations don’t need to reinvent the wheel here. Instead, they should use Google, or similar, to find existing, shared examples of the above, which can be tailored to suit their own needs. For example, the White House’s BYOD guidance for government, or SANS’s AUP.
Considering and Addressing BYOD Security Concerns
When taking actions to address the issues listed above – which might include security risk assessments, use and user policies, device-based policies, mobile device management (MDM) tools, and continual end-user education – there are a number of other options to consider. These include but are not limited to:
- Making BYOD network access the exception rather than the rule. This is a “limitation program” that only allows specific end-user roles to use their personal devices on the corporate network. This could be, for example, 100% mobile users or senior executives. It doesn’t make BYOD safe but it can reduce the scope and attack surface created by BYOD. This, of course, doesn’t stop any given employee using their personal device for business work, or even their business device for personal use.
- Operating zero-trust networks. Here the corporate IT department stops treating any device or network segment as trusted by virtue of its location: a connection from the office LAN gets no more implicit trust than one from the Internet, and every request is authenticated and authorized on its own. Additionally, access to sensitive systems and data, such as HR applications, can be restricted to managed (i.e. not BYOD) devices via device identity and posture checks together with network controls.
- Using mobile management approaches beyond traditional MDM. While MDM tools are already popular, there is also an approach that separates management of the device, the applications, and the data (application management and containerization rather than whole-device control). For mobile devices, including laptops, the end user can self-install a virtual desktop or managed container so that corporate data lives only inside a trusted end-point on an otherwise untrusted device. There are very mature solutions on the market, even for smart phones, such that IT departments can support the “trusted end-point” but leave the end user to manage the rest of the device.
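The device checks in the list above, the limitation program (only certain roles get BYOD at all) and the zero-trust restriction of sensitive systems to managed devices all reduce to one access decision evaluated per request. The following is an added example, not code from the original post or from any MDM or identity product; the roles, sensitivity levels, minimum OS versions and sample devices are assumptions constructed for illustration. Note that network location is carried in the request but deliberately never used to grant anything:

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3  # e.g. HR, payroll: managed devices only


# Minimum OS versions accepted as "patched". Assumed values for the example,
# not a recommendation; a real policy would track vendor support windows.
MIN_OS = {"ios": (17, 0), "android": (14, 0), "windows": (10, 0), "macos": (14, 0)}

# Roles permitted to use personal devices at all (the "limitation program").
BYOD_ROLES = {"executive", "field_sales"}


@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled in corporate MDM; False means BYOD
    os: str
    os_version: tuple
    screen_lock: bool          # PIN, password or biometric unlock configured
    storage_encrypted: bool
    rooted_or_jailbroken: bool
    security_agent: bool       # endpoint protection / posture-reporting agent present


@dataclass(frozen=True)
class Request:
    user_role: str
    mfa_passed: bool
    network: str               # "corporate", "vpn", "public": recorded for audit, never trusted
    sensitivity: Sensitivity
    device: Device


def posture_failures(d: Device) -> list[str]:
    """Basic device hygiene checks: screen lock, encryption, root, agent, patch level."""
    failures = []
    if not d.screen_lock:
        failures.append("no screen lock")
    if not d.storage_encrypted:
        failures.append("storage not encrypted")
    if d.rooted_or_jailbroken:
        failures.append("rooted/jailbroken")
    if not d.security_agent:
        failures.append("no security software")
    minimum = MIN_OS.get(d.os)
    if minimum is None or d.os_version < minimum:
        failures.append("unsupported or out-of-date OS")
    return failures


def decide(req: Request) -> tuple[bool, str]:
    """Per-request decision. req.network is intentionally not consulted by any
    rule: a corporate IP address never substitutes for identity and posture."""
    d = req.device
    # A rooted device cannot be trusted to report its own posture honestly,
    # so it is refused everything, even public data.
    if d.rooted_or_jailbroken:
        return False, "rooted/jailbroken device"
    # Identity: MFA for anything above public data, on every network.
    if req.sensitivity > Sensitivity.PUBLIC and not req.mfa_passed:
        return False, "MFA required"
    # BYOD: only enrolled roles, and never the most sensitive systems.
    if not d.managed:
        if req.user_role not in BYOD_ROLES:
            return False, f"role {req.user_role!r} is not in the BYOD programme"
        if req.sensitivity >= Sensitivity.RESTRICTED:
            return False, "restricted systems are reachable from managed devices only"
    # Posture: hygiene failures block anything above public data.
    failures = posture_failures(d)
    if failures and req.sensitivity > Sensitivity.PUBLIC:
        return False, "device posture: " + ", ".join(failures)
    return True, "allowed"


# Constructed sample devices and requests (not real inventory data).
GOOD_PHONE = Device(False, "ios", (17, 2), True, True, False, True)
OLD_PHONE = Device(False, "android", (12, 0), True, True, False, True)
ROOTED_PHONE = Device(False, "android", (14, 1), True, True, True, True)
MANAGED_LAPTOP = Device(True, "windows", (11, 0), True, True, False, True)

SAMPLES = {
    "exec_byod_confidential": Request("executive", True, "public", Sensitivity.CONFIDENTIAL, GOOD_PHONE),
    "exec_byod_hr": Request("executive", True, "public", Sensitivity.RESTRICTED, GOOD_PHONE),
    "dev_byod_internal": Request("developer", True, "corporate", Sensitivity.INTERNAL, GOOD_PHONE),
    "sales_old_android": Request("field_sales", True, "vpn", Sensitivity.INTERNAL, OLD_PHONE),
    "sales_rooted_public": Request("field_sales", True, "vpn", Sensitivity.PUBLIC, ROOTED_PHONE),
    "managed_no_mfa": Request("developer", False, "corporate", Sensitivity.INTERNAL, MANAGED_LAPTOP),
    "managed_hr": Request("developer", True, "corporate", Sensitivity.RESTRICTED, MANAGED_LAPTOP),
}


def evaluate_samples() -> dict[str, tuple[bool, str]]:
    """Run every constructed request through the policy and return the decisions."""
    return {name: decide(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_samples().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The ordering of the rules matters: the root check comes first because every later check relies on posture data the device itself reports, and a rooted device can lie about it; the MFA check comes before the BYOD rules so that a managed laptop on the office network still gets no access to internal data without a second factor. Only the sensitivity tiers and the role list need changing to express a different limitation program.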
So, BYOD adds to the burden of corporate IT security. And don’t be fooled into thinking that this is a future issue – it has already been here for a very long time.