The trend for Bring Your Own Device (BYOD) is accelerating. Increasingly, workers are using their own devices for work. In the case of smartphones, they are even paying for their own monthly plans. As a result, more organisations are opening up their networks to non-corporate devices and are seeing everything from employees’ iPads to the latest Android gadget walk through their doors.
The proliferation of personal devices in the work environment paves the way for untold efficiencies and increased productivity, not to mention lowered carrier costs. Studies have found that employees are happier and more efficient when they use devices and applications of their choice for work.
However, surprisingly few firms have policies in place to adequately secure the influx of mobile devices entering the workplace. Without these policies, many have no choice but to say no to the devices, and consequently to greater productivity and higher cost savings.
An independent survey of 300 mid to large enterprise IT decision makers in Europe, commissioned by global security specialists Fortinet, found that 60% of respondents are concerned about their ability to secure corporate data in this new user-led IT environment. Most companies are not confident of their ability, or do not have the means, to secure personal mobile devices, and 66% of respondents say they only allow corporate devices onto which security policies can be enforced. Meanwhile, 21% of enterprises place responsibility for securing personal mobile endpoints directly with the owners of those devices, a dangerous practice.
It is easy to understand an enterprise’s reluctance to embrace employee-owned devices. Generally, these devices are devoid of the most basic security features incorporated in practically all workplace PCs. Meanwhile, the agility enabled by personal devices means that business critical apps will be accessed from any network in any location, leaving a staggering amount of sensitive data on the devices, whose exposure could be highly detrimental to the business.
However, it’s getting tougher for firms to say no to BYOD. So what’s the answer to managing the security challenges? Here are three IT measures that would provide some peace of mind for organisations:
Implement A Relevant Mobile Policy:
Organisations should take time to assess their goals and determine relevant threats to the network (e.g. malicious websites, productivity loss, excessive bandwidth usage). Key questions to ponder are:
- What applications are required, and which are not permitted?
- Which employees will be allowed to use these devices?
- Who is granted network access, and on what terms: to what, from where and when?
Companies should also control access on a need-to-know basis and conduct continuous vulnerability assessments. Above all, they need to enforce the policies they have laid down.
Remote Management Software:
It is important to be able to apply the range of basic security functions, such as antivirus or remote data wiping, to any device housing corporate data. Remote management software gives IT the ability to update users’ devices automatically with the latest patches so that known vulnerabilities cannot be exploited. Firms should implement centralised remote locate, track, lock, wipe, backup and restore facilities so they can protect, retrieve and restore corporate data on lost or stolen mobile devices.
Blocking Non-Compliant Devices:
Workers are often eager to use their personal devices for work but reluctant to install additional software, some of which might have the potential to wipe their personal data from their phone, tablet or laptop. As a compromise, firms could allow their workers to use their own devices on condition that they agree to install certain apps in accordance with the organisation’s security policy. An alternative solution is the use of dual persona phones that have two logical partitions, one for professional and the other for personal usage, with IT having complete control over the professional partition.
Ultimately, in order to protect their corporate networks and data effectively from potential threats from mobile devices, organisations must handle the security issue at the network level rather than at the endpoint level. It is very difficult to protect individual phones and tablets using security agents: mobile devices often do not have enough computing power, and there are too many types of OS and device to keep agents up to date. On the user side, it is very difficult to enforce the installation of security software on the personal devices that employees bring to work.
The only effective solution is to make sure that the core network is protected and that the enterprise can control both inbound and outbound access to the corporate network from external devices. This network security strategy requires strong control over users and applications on top of device management. It requires IT organisations to have the power to detect and control the use of applications on their networks and endpoints based on application classification, behavioural analysis and end-user association, and to detect and control web-based applications at a granular level, including inspecting encrypted application traffic, regardless of ports and protocols used.
Organisations need to put in a fair amount of effort to adapt and switch to a new way of supporting their employees, but there is no alternative: BYOD is here to stay, and IT managers simply have to get ahead of the curve.
By Mark Hyland, UK Country Manager, Fortinet