BYOD: The why and the how

Brad Keller and Robin Slade are Senior Vice Presidents at The Santa Fe Group.

In this interview they talk in detail about the challenges involved in evaluating, deploying and maintaining BYOD programs in large organizations.

Today’s organizations struggle with providing employees with access to the latest technologies. It’s common practice for employees to use their own devices at work for a number of reasons. Some believe BYOD is the answer to a lot of problems, others see it as a complex security issue that introduces a variety of difficulties. What are the pros and cons of BYOD in a large organization?

In a nutshell, the challenge is to find a way to deploy in the mobile environment the same types of IT security and privacy protection used for remote access by PCs and laptops. In addition, it is critical that CSOs consider the data and systems they are going to allow employees to access via a mobile device. What level of data and/or systems exposure are you willing to risk by permitting mobile device access? Will you limit access to just corporate email? And if so, CSOs should consider that confidential or customer information may find its way onto a mobile device as either email content or as an attachment. While this should be addressed in employee training, applications exist that monitor email for this type of content and/or attachments.

No industry is immune to the risks associated with BYOD. For instance, a recent study by the Ponemon Institute found that, “eighty-one percent [of healthcare organizations] permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their organization’s networks or enterprise systems. However 54 percent of respondents say they are not confident that these personally owned mobile devices are secure.”

Specific challenges include:

Accessible systems and data. Determine the data and systems you’re going to allow to be accessed via a mobile device and perform an assessment of risk exposure (both inherent and residual), as well as risk of loss.

Employee access and usage. It is critical to ensure that only those employees whose job requires access to systems and data via a mobile device have such access.

Device type and operating system. You will need to determine what type of device(s) and operating system(s) will be allowed. There is a wide array of devices and mobile operating systems employees want to use. Mobile device support can be cumbersome and substantially increase expenses to support the wide variety of mobile devices.

Securing the device. Securing the device for company business includes the installation of additional applications for enhanced password security, anti-malware and anti-virus. Current built-in mobile device password capabilities do not meet most corporate standards. Therefore, you will need to identify, select and require applications for the mobile device to enhance password protection and security. In addition, most existing mobile device anti-malware and anti-virus capabilities offer inadequate protection against those threats. Therefore you need to identify, select and require enhanced anti-malware and anti-virus protection.

What complicates this effort is the pace at which device technology and operating systems change. When an update is released, it needs to be reviewed and evaluated to determine if your enhanced protections will still offer sufficient protection. If not, then new applications to address these concerns must be identified and deployed to the mobile device.

This becomes particularly problematic because the CSO may not have direct control (if they have any level of control at all) for the device and operating system updates. These are generally controlled by the carrier, device manufacturer, or the employee.

Criminal threats to technology are evolving at a rapid pace. This places a premium on corporate IT security’s ability to fully understand the potential vulnerabilities which can be created each time there is an upgrade to a mobile device or its operating system. To maintain a high level of proficiency in these areas requires a careful and consistent investment by the CSO.

Damaged devices. Given their very nature and use, mobile devices are routinely damaged. Employees are much more likely to lose their mobile device than have it stolen. Do you want your employees going to the carrier’s store (or some store at the mall) to get their device repaired? Repair work on a mobile device will reveal not only the specific applications the company has installed for security protection, but the specific configurations used as well. In addition, a repair technician may be able to use the device to access company systems/data and access any private customer or proprietary company information stored on the device.

Lost and stolen devices. When a mobile device is lost or stolen, CSOs must have a process in place for employees to notify the company so action may be taken immediately to disable and/or remotely wipe the device. In addition, if the employee relies on their mobile device to perform their job, it may be necessary for the employee to obtain, and configure to company standards, a new mobile device as quickly as possible. The normal time period for replacements of 2 – 10 days may not be sufficient for the employee to fulfill their job requirements, or may otherwise impair application/system/customer support.

What makes a good BYOD policy? What advice would you give to CSOs that have to make one?

The foundation for effectively controlling mobile devices, like almost all other IT services, is the development and implementation of a thorough and easily understandable set of policies and guidelines. Training is also a mandatory component, as employees must understand the risks associated with the privilege and convenience of being allowed to use mobile devices.

Fortunately, mobile devices in the corporate environment have become sufficiently common that best practices are developing to assist a CSO in identifying the provisions that should be in their mobile device policy. These include:

  • Security awareness training/education
  • Acceptable use
  • Operating system security
  • User responsibilities
  • Access control
  • Data handling
  • Individual responsibility if co-mingling personal and organization data on the mobile device
  • Constituent accountability
  • Secure disposal of device at end of life
  • Vulnerability management
  • Responsibility for ensuring mobile device operating system is updated
  • Responsibility for ensuring mobile device applications are updated
  • Reporting information security incidents in the event of loss or theft
  • Prohibit sharing a mobile device with other users, including family and friends
  • Ownership of data on the device
  • Legal ownership and rights of the mobile device
  • Specific actions that organization may take in the event of a lost/stolen or compromised mobile device (e.g., remote disable, remote wipe, confiscation)
  • Data sanitization of (organization) data, settings and accounts on the mobile device at end of life
  • Creation and use of mobile hotspots on an organization’s premises (BYON – Bring Your Own Network)
  • Consequences for non-compliance with mobile device policy
  • User authentication on the device
  • Device encryption.

The content of each of these provisions will certainly vary based on a company’s risk tolerance, what they allow employees to do with mobile devices and, to a large extent, the regulatory environment in which they operate.

Nonetheless, CSOs should consider the development of a thorough and robust mobile device policy at the very core of their ability to manage the risks associated with these devices. Of equal importance is implementing the business practices and procedures which are necessary to support these policies.

What BYOD-related issues can we expect to grab the spotlight in the future?

As criminal enterprises continue to target mobile devices as their vehicle to access company systems and data, incidents related to mobile devices will continue to grow. One of the biggest issues in addressing this problem is the constant evolution of mobile technology. CSOs will be required to allocate a growing amount of their budget to develop and maintain the resources necessary to keep pace with changes in technology and increased threats.