BYOD: Better stay used to it
BYOD is a common trend in organizations today. Businesses may be thrilled they don’t have to pay for tablets or smartphones for their workforce and don’t usually have to maintain and fix them. But businesses now have to secure all these devices and endpoints.
The problem gets larger every day. This past holiday season, sales of tablets and mobile phones went through the roof. Apple sold 21 million iPads and 75 million iPhones in the fourth quarter of last year alone. How many of these are now pounding corporate networks across the globe?
Smart companies allow BYOD as it is a productivity and morale booster, with the exception being organizations with intense security profiles. Many even have employees use their own machines as their primary work device, raising the security bar.
One benefit is that end users can blend the best of work and truly personal computing, having access to their own apps, contacts and communication. That alone creates risks, especially data leakage. And years of effort to standardize hardware and software platforms can go down the drain, much to IT's dismay. Where an organization might have had a pure iOS ecosystem, it is now likely to have devices that run Windows, Android, Ubuntu or even legacy systems such as Symbian.
There are three main approaches to securing BYOD: IT policy, training and technical solutions.
BYOD raises several issues. Often IT is called on to solve problems with unfamiliar hardware and software despite restrictive support policies. And there can be productivity issues when workers are spending time on personal matters, playing games, or updating their social networking sites on their mobile devices.
The first approach is to have a defined and detailed BYOD policy. This policy also informs how IT secures BYOD devices, and what types of security technology gets deployed. Any BYOD policy needs to mitigate key risks:
- Viruses and malware
- Data misuse
- Hacker access through non-work devices
- Running afoul of compliance regulations
- Support demands overwhelming the help desk.
In order to draft an effective BYOD policy, key stakeholders need to be engaged in the process. For larger businesses, executives, managers, end users and IT should all be involved. The result of research and organized discussion should be a detailed policy document.
Here are some items a BYOD policy should address. Who can use BYOD, and should there be different approaches for different levels and types of users? For instance, new or lower-level users may not qualify for BYOD. There may also be a probationary period for new employees – once they've proven trustworthy, they can be given network access.
If your policy provides for BYOD, it is the company's responsibility to keep it safe. All these devices are potential vectors of attack, which is why several types of protection must be installed or strengthened.
With the network now under more device stress, discovering and understanding your vulnerabilities is more critical than ever. Don’t let devices onto your network until they are identified, understood, and are attached to servers that have had vulnerabilities scanned and repaired.
Patch management is a critical part of this process. The vast majority of successful hacks are done against unpatched machines, and increasingly these attacks come from infected employee-owned devices. And of course, make sure your antimalware and antivirus software is up to date and has more than one leading scanning engine.
Endpoint Security is also essential so you can discover, track and safeguard employee owned devices, and at the same time stop these devices from stealing or leaking your data.
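The admission step described above (identify the device, confirm it meets the patch baseline and that its antimalware agent is running before it is allowed on the network) can be expressed as a small rule check. The following Python is an added example and is not code from this article; the approved-device register, the per-platform version baselines, the agent report format and the MAC addresses are all constructed placeholders, not real inventory data or a recommendation for any particular OS release.

```python
"""Constructed BYOD admission check: decide allow/quarantine per agent report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed approved-device register (hypothetical MACs and owners); in practice
# this comes from the asset inventory or the MDM enrollment database.
APPROVED_DEVICES: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("alice", "ios"),
    "aa:bb:cc:00:00:02": ("bob", "android"),
    "aa:bb:cc:00:00:03": ("carol", "windows"),
}

# Constructed minimum patch baseline per platform; the numbers are placeholders.
MIN_VERSION: Dict[str, Tuple[int, ...]] = {
    "ios": (16, 0),
    "android": (13, 0),
    "windows": (10, 19045),
}

# Constructed agent report format: "<mac> platform=<name> version=<dotted> av=<on|off>"
REPORT_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"platform=(?P<platform>[a-z]+)\s+"
    r"version=(?P<version>\d+(?:\.\d+)*)\s+"
    r"av=(?P<av>on|off)$"
)


@dataclass(frozen=True)
class Decision:
    mac: str
    action: str                 # "allow" or "quarantine"
    reasons: Tuple[str, ...]    # empty when every check passed


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.19044' into (10, 19044) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def evaluate(report: str) -> Decision:
    """Apply the admission rules to one agent report line."""
    match = REPORT_RE.match(report.strip().lower())
    if not match:
        # Anything we cannot parse is treated as unidentified, never as approved.
        return Decision("unknown", "quarantine", ("unparseable report",))

    mac, platform = match["mac"], match["platform"]
    reasons: List[str] = []

    entry = APPROVED_DEVICES.get(mac)
    if entry is None:
        reasons.append("device not in approved register")
    elif entry[1] != platform:
        # Registered platform differs from what the agent reports: stale record
        # or address reuse; either way the device needs re-enrollment.
        reasons.append(f"platform mismatch (registered {entry[1]}, reported {platform})")

    baseline = MIN_VERSION.get(platform)
    if baseline is None:
        reasons.append(f"no patch baseline for platform {platform}")
    elif parse_version(match["version"]) < baseline:
        reasons.append(f"below patch baseline {'.'.join(map(str, baseline))}")

    if match["av"] != "on":
        reasons.append("antimalware agent not running")

    return Decision(mac, "quarantine" if reasons else "allow", tuple(reasons))


def evaluate_all(reports: List[str]) -> List[Decision]:
    """Evaluate a batch of report lines in order."""
    return [evaluate(line) for line in reports]


# Constructed sample reports, one per rule the check enforces.
SAMPLE_REPORTS = [
    "aa:bb:cc:00:00:01 platform=iOS version=16.4 av=on",          # approved, patched
    "aa:bb:cc:00:00:03 platform=Windows version=10.19044 av=on",  # below baseline
    "de:ad:be:ef:00:09 platform=Android version=14.0 av=off",     # unknown, no AV
    "aa:bb:cc:00:00:02 platform=Symbian version=9.4 av=on",       # legacy platform
    "garbage line from a misconfigured agent",                    # unparseable
]

if __name__ == "__main__":
    for d in evaluate_all(SAMPLE_REPORTS):
        print(f"{d.mac:18} {d.action:10} {'; '.join(d.reasons) or 'all checks passed'}")
```

The design choice worth noting is that every failure path ends in quarantine rather than allow: an unknown MAC, a platform the baseline table does not cover, and a report the parser cannot read are all treated as "not yet identified and understood", which is the bar the article sets before a device touches the network.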
A policy is all well and good, but it means nothing if it is not followed, and it can't be followed unless it is understood. Training should be required, and the fact that it has been done should be documented. Key items should include password complexity and safety, encryption, data storage and backup, and device locking.
Some training is highly specific to the environment. For instance, businesses that require high levels of security might dictate that no audio, photo or video recording is enabled. Users must be trained that this kind of activity is restricted. They may also have to eschew using insecure tunnels or peer-to-peer networks, or changing their security settings without IT guidance.
Social engineering is a key way hackers use BYOD to get your company’s data. The bad guys may pretend to be from the carrier or device maker and ask for access. Any company data on the device is fair game. End users should know to spot and thwart social engineering attempts.
The same risks arise when devices are lost or stolen. Users should know how to physically protect these devices, and notify IT if they are missing so company data can be erased remotely.
With the proper steps taken, BYOD can bring enhanced productivity and morale, with a minimum of risk.
1. Only known and approved devices are allowed on the network.
2. BYOD passwords must be as strong as those for company-owned devices.
3. IT must be alerted in the event a device is stolen, lost or compromised.
5. IT should have the right and the ability to wipe the device of company data if there is a breach, loss of device, or if the employee leaves for whatever reason.