Bring Your Own Security: Protecting business data on every device

Does your business allow its employees to use their own phones and tablets at work? The so-called BYOD (Bring Your Own Device) and now WYOD (Wear Your Own Device) trend has continued to expand, as employees use their personal devices for work and play. Gartner predicts that by 2018, 70% of workers will be using personal smart devices at work.

What this has meant for business owners is a revisiting of their security policies and the protocols in use to ensure these devices and the information they contain are always secure. This is vital, as Kaspersky Labs has already identified 150,000 pieces of mobile malware which can compromise smartphones.

Gartner comments: "BYOD does increase risks and changes expectations for CIOs (Chief Information Officers). Unsurprisingly, security is the top concern for BYOD. The risk of data leakage on mobile platforms is particularly acute.

"Some mobile devices are designed to share data in the cloud and have no general purpose file system for applications to share, increasing the potential for data to be easily duplicated between applications and moved between applications and the cloud."

There are a number of issues to be considered when managing the security of BYOD across your organisation including:

1. No policy regarding the downloading and installation of apps

There are now millions of apps to choose from. Having no policy regarding which apps can and can't be installed opens any device to potential attacks from malware. Create a blacklist of apps which employees should never install on their phones.

2. Privacy versus monitoring

The ability of every mobile device to be tracked can raise privacy issues where BYOD is concerned. Few employees will wish their location to be tracked and monitored when not at work. However, businesses need to know where each device is, with geofencing setting parameters that state the device will only be monitored during office hours.

3. Monitor business usage

As a device could be used for personal and business calls and data exchange, it's important to track usage to ensure costs to the business are allocated correctly. This includes when the devices are used overseas to avoid excessive roaming charges.

4. Choice of device

The whole philosophy behind BYOD is that workers can choose their own device to use. However, security policy must dictate that this can't include jail-broken phones for instance or any other device that has not been authorised. Your security policy should include a list of devices that are approved.

5. Information is security

A security policy that isn't clearly communicated is of little use. Train your staff to ensure they are aware of their responsibilities under your BYOD security policy. And this isn't a setup and forget exercise. Monitor how BYOD develops across your business and modify your security policy accordingly.

These are the biggest security concerns when it comes to BYOD

These are the biggest security concerns when it comes to BYOD (Source: Information Security Community on LinkedIn)

In its BYOD security report [PDF], EY advises: "The risk of the device itself should be assessed as a part of the company's risk assessment framework. In some organisations a tiered device architecture may be viable to deal with varying degrees of risks tied to job functions.

"For instance, devices that are being used to present sensitive financial data to the board through a custom app will invariably be more sensitive to theft or accidental loss than a mobile device with access to calendar and email updates."

Intelligent defence

Now that your business has entered the post-PC era, ensuring every device used by your employees has adequate levels of security is vital. What's more, as workforces continue to become mobile and geographically dispersed, the use of mobile devices will expand.

Security policies must take account of this expansion, yet enable workers to use the same device in their private lives, as well as at work.

IT managers and CIOs need to look at how their existing security policies can be amended to maintain high levels of data security with BYOD. A policy can be modified in several ways:

  • A virtual desktop infrastructure (VDI) can be used to allow BYOD devices to securely access business servers without any cross-pollination of data that could include malicious code.
  • Decisions should be made on the level of access that devices will have to a corporate network. Businesses want to allow BYOD, but limits should be set and communicated to users.
  • The storage of sensitive data on personal devices can be allowed, but within limits set after consultation across users to strike a balance between day-to-day needs for data access, and the overall business security policy that includes compliance with data protection regulations.
  • Mobile device management (MDM) may at first glance seem to be the solution to security issues, but IT managers and CIOs should look closely at how MDM can be used to control a device environment that includes BYOD.
  • It is important to maintain endpoint security within a BYOD environment. Remote wiping of data, and on-board antivirus protection become essential, as it is easy for an infection to spread from a user's home network.
  • Using a private cloud environment to protect BYOD users and provide a single management console for IT managers should also be considered.

Pulse Secure further notes: "Where organisations have attempted to embrace BYOD with MDM suites or capabilities, they are often met with resistance from users that their personal devices are falling under the control of their enterprise admins.

"As such, 2015 should expect to see a shift from enterprises trying to manage and secure an entire mobile device via MDM to one of employing workspaces to secure only portions of the device that access and store corporate data.

"This shift will be an attempt to reduce tensions between enterprise admins and the personal device owners over who owns what data and what ability the enterprise has to secure data and lock and wipe devices at their discretion."