Will security concerns scupper your BYOD policy?
An unwanted gift? Or something for life?
Analysis Almost everyone involved in IT fears BYOD to some extent. That’s largely because they are terrified of careless colleagues costing the business a shed load of money.
But small- to medium-sized businesses, which lack the budget and resources to do security well, fear BYOD more than most. Just this week, Hugh Boyes from the Institution of Engineering and Technology (IET), speaking at the government launch of the cyber assistance programme Do More Online, said: “The cyber security of most small business is woefully inadequate as they do not have the time, experience or resources to develop the knowledge and skills to protect their presence online."
A survey commissioned by security firm Check Point and carried out by Dimensional Research found that, of 700 IT professionals worldwide, 87 per cent said the biggest security threat from mobile devices was careless employees. A startling two-fifths admitted that mobile security incidents had cost their organisations more than $250,000.
There’s no doubt many are welcoming BYOD, though. A survey from 451 Research indicated 68 per cent of enterprises have changed their security policies and technical controls specifically to accommodate BYOD. But there are limits to how far IT folk will go. Whilst half have moved on to allowing access beyond email, including file shares and enterprise applications, almost a fifth will allow nothing more than email onto employee-owned devices. A fifth of firms still rule BYOD out completely, and eight per cent haven’t even bothered with a policy.
Javvad Malik, security analyst at 451 Research, says antipathy around BYOD is typically born out of loss of control around data. “Will the organisation still have control or visibility of the data once it’s on a personal device? What types of data can be accessed or not from a personal device – what happens when it gets lost or that employee leaves? There’s also the challenge of authentication and granting access. You don’t know and can’t really enforce control over who is using that device, which brings in that other dimension of complexity.”
In many cases, though, businesses and their IT teams are keen to exploit the cost savings BYOD can bring, particularly where staff supply their own devices rather than relying on a Choose Your Own Device scheme, just so long as the workers can be trusted to keep the data on their devices secure. Perversely, this brings its own fear: those drafting a BYOD policy may end up discouraging staff from using their own devices, because workers might not take kindly to the security rules thrust upon them, notes security consultant Brian Honan.
“The other fear is how to manage seizure of data and forensic evidence from a personal device should an investigation or security breach require such access. In particular if a company has staff in different jurisdictions the multitude of privacy laws and also criminal evidence laws can place a large onus on an organisation to get their policies right,” Honan adds.
Most IT departments rush to mobile device management (MDM) when their fear of BYOD peaks - the 451 Research study found 78 per cent saw MDM as their primary response to the problems that come with opening up the business network to workers’ machines. Amongst the other “must haves” on any BYOD shopping list are enforced device encryption and password protection, so that a lost or stolen device does not become a lost dataset.
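To make those “must haves” concrete, here is an added example (not code from the article, 451 Research or any MDM vendor) of how a BYOD policy might be turned into an access decision. It takes device posture records of the kind an MDM reports and grants one of the tiers the 451 survey describes: nothing, email only, or full access to file shares and applications. The record fields, the policy floors (minimum OS version, minimum passcode length) and the sample fleet are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed policy floors for illustration; a real policy sets its own values.
MIN_OS_VERSION = (12, 0)
MIN_PASSCODE_LENGTH = 6


@dataclass(frozen=True)
class DevicePosture:
    """One device's posture as an MDM might report it (field names are assumed)."""
    device_id: str
    owner: str
    mdm_enrolled: bool          # reports to MDM, so remote lock/wipe is possible
    storage_encrypted: bool     # full-device encryption is switched on
    passcode_length: int        # 0 means no passcode is set
    os_version: Tuple[int, int]
    jailbroken: bool


def evaluate(d: DevicePosture) -> Tuple[str, List[str]]:
    """Decide the access tier for one device: 'none', 'email' or 'full'.

    Hard failures (no encryption, no/short passcode, jailbroken) block all
    access: data at rest cannot be protected and OS controls cannot be trusted.
    Soft failures (no MDM enrolment, OS below the floor) cap the device at
    email, where access can still be revoked server-side if the device is lost
    or the employee leaves.
    """
    hard: List[str] = []
    soft: List[str] = []
    if d.jailbroken:
        hard.append("jailbroken/rooted: OS security controls cannot be relied on")
    if not d.storage_encrypted:
        hard.append("device storage not encrypted")
    if d.passcode_length < MIN_PASSCODE_LENGTH:
        hard.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters (or none set)")
    if not d.mdm_enrolled:
        soft.append("not MDM-enrolled: no remote lock/wipe available")
    if d.os_version < MIN_OS_VERSION:
        soft.append(f"OS {d.os_version[0]}.{d.os_version[1]} is below the policy floor")
    if hard:
        return "none", hard + soft
    if soft:
        return "email", soft
    return "full", []


def fleet_report(devices: List[DevicePosture]) -> Dict[str, List[str]]:
    """Group device ids by the tier each was granted."""
    report: Dict[str, List[str]] = {"none": [], "email": [], "full": []}
    for d in devices:
        tier, _ = evaluate(d)
        report[tier].append(d.device_id)
    return report


# Constructed sample fleet (not real devices or people).
SAMPLE_FLEET = [
    DevicePosture("ios-001", "alice", True, True, 6, (15, 4), False),
    DevicePosture("android-002", "bob", False, True, 8, (13, 0), False),
    DevicePosture("android-003", "carol", True, False, 6, (13, 0), False),
    DevicePosture("ios-004", "dave", True, True, 4, (15, 0), True),
    DevicePosture("ios-005", "erin", True, True, 6, (11, 2), False),
]

if __name__ == "__main__":
    for device in SAMPLE_FLEET:
        tier, reasons = evaluate(device)
        print(f"{device.device_id:12} {device.owner:6} -> {tier:5} {'; '.join(reasons)}")
    print(fleet_report(SAMPLE_FLEET))
```

The point of the split into hard and soft failures is the one the survey numbers hint at: a device that cannot protect data at rest gets nothing, whereas a device the organisation cannot wipe remotely is still tolerable for email, because the mailbox can be cut off at the server when the phone is lost or the employee leaves.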
Focusing on the data rather than the device is often on the checklist of any solid rulebook too. “Virtualisation has helped in this regard … it may not be totally mature - but it’s definitely grown up technology. The implementation is the tough part,” adds Malik.
It never ends...
Technology, just like the humans using it, can and does fail, however. Any truly robust BYOD strategy is going to need extensive training for employees, notes Honan.
“It is equally important that extensive security awareness training is given to staff so that they are aware of their obligations under the policy and can assist in ensuring the security of same," he says. "Technology will fail and can be bypassed [so] properly trained staff and regular proactive monitoring of these devices are additional layers that should be implemented to provide protection in the event the technology fails.”
Workers should be made fully aware of the consequences for their personal data should the company decide to carry out a forensic examination of the device or perform a remote wipe, Honan adds. Guidelines on avoiding shoulder surfing and eavesdropping should be handed to employees, and making clear what the company stores from users’ mobiles, tablets and laptops is a must, as is a codified set of disciplinary procedures for when workers fail to keep in line. This route is just as open to SMEs as it is to their bigger brethren.
“We love to use our devices in a manner that best suits us individually and so there is very strong and real resistance on the part of users to implement technology or approaches that inhibit their use of the device. That is the real challenge in this space,” says Steve Durbin, managing director of the Information Security Forum.
Getting workers to actually sign on the dotted line is an important task in itself. In a survey of its members this year, the Information Security Forum found 85 per cent of respondents specifically mentioned the importance of a robust Acceptable Use Policy (AUP) to which each device user must agree, usually by signature. That AUP then needs to be kept up to date, with frequent revisions.
“The fear of course is that the AUP doesn’t cover all of the issues that will arise or that it fails to remain current. One of the biggest challenges in this space is around the management of data, intellectual property and of course privacy given the latest EU regulations around the responsibilities of an organisation for protection of personal information and data in general. Keeping abreast of developments globally and ensuring that these are incorporated into your AUP are a nightmare,” Durbin adds.
Indeed, BYOD is for life, not just for Christmas. ®