Bring Your Own Device (BYOD)
According to a recent survey, 82% of companies allow some or all workers to use employee-owned devices for performing their work responsibilities. This makes a great deal of sense considering the majority of IT managers view Bring-Your-Own-Device (BYOD) as a model to improve worker productivity. However, the 3 largest concerns from a company perspective are still in doubt and, if not addressed correctly, can prove detrimental to any organization.
- Regulatory issues
- Customization and Support
With the growing sophistication of employee mobile phones and handheld devices, business email, document access over the network, and web-based intranet applications are no longer unavailable on these devices. While this may save organizations money initially, they risk a great deal financially when it comes to the overall security of their network assets. Praetorian Secure has compiled five items that organizations (large and small) should consider from a security perspective when implementing a BYOD environment:
- Communicate the BYOD policy to your employees. A proper policy should outline the employee's responsibilities for use of the devices, what material can be viewed and modified, and how the information gathered from the devices will be used by the company.
- Ensure devices are configured securely. The goal is to establish a secure baseline for all BYOD devices to reduce the risk of potential data loss. There are a number of quality products that can assist an organization in doing this. We recommend our partner BitzerMobile; more information about their products can be found at http://www.praetoriansecure.com/security-software-products/bitzer-mobile/.
- Audit on a regular basis. With the frantic rate at which technology changes and business missions are modified, it is imperative to stay in tune with the current state of your information technology environment.
- Remote access. A great deal of information about your company is now available to the employee via these devices. For this reason alone, knowing what data is available via BYOD is very important to the overall confidentiality of your organization's data. This may be a good time to invoke some role-based access to ensure sensitive data is not being made available to certain employees.
- Account management. As with most networks, knowing who is accessing the network is an important piece of the security posture you maintain. With BYOD it is no different. Organizational accounts and log files reporting access attempts should be reviewed regularly, and unusual network activity should be monitored closely.
Many organizations today are faced with meeting compliance requirements external to their business operations. Mandates such as PCI-DSS, HIPAA, ISO 27001, and Sarbanes-Oxley all set forth various IT controls which specify certain requirements for various security features and practices. These controls primarily revolve around the need to keep specific data in check and ensure the confidentiality and integrity of customers' information. Certain applications such as Dropbox, which allows for file transfer via “public” communication, can introduce a wide assortment of potential privacy infringements and security breaches. Organizations maintaining compliance initiatives must stay vigilant in both policy and practice as it pertains to BYOD, as allowing employees to use personal devices for work increases the risk that company data is lost or vulnerabilities are exploited.
Customization and Support
Introducing BYOD to your environment will require a great deal of planning from management and compromise from employees to be successful. Understanding the various devices that will be involved and supported is key to developing strong oversight of the BYOD landscape and a secure operational environment. Implementing an effective security policy should address the majority of customization and support-related issues (policy enforcement should remove or restrict certain features that could prove hazardous to company information). That said, it may make good sense to adopt a BYOD policy that varies based on an employee’s position or responsibility—granting access to certain device features that may not be available for another employee in a different role.
BYOD has certainly arrived, and as security practitioners we are challenged with yet another obstacle in maintaining the confidentiality, integrity, and availability of our organizational assets. Every organization will eventually face the challenge, and knowing how to address it will make the transition much smoother and ultimately more secure.
Praetorian Secure has highly-skilled security engineers with demonstrated hands-on experience in dealing with the adoption of BYOD and BYOD-related concerns. Please feel free to visit our website and learn more about our Mobile Security services at http://www.praetoriansecure.com/services/mobile-security/.