Allowing employees to use their own smartphones and tablet PCs for work is proving increasingly popular, encouraged by the promise of worker satisfaction and higher productivity. But it places new demands on the management of mobile data and communications platforms, and demands that IT managers look hard at their existing security policies.
"BYOD is another battle in the war between security and usability," says security appliance provider Fortinet in its Enabling Secure BYOD report. "End users from the CEO down to line workers want the ability to use personal devices for work purposes, their belief being that personal devices are more powerful, flexible, and usable than those offered by corporate.
"On the opposite side of this discussion is security. BYOD opens up numerous challenges around network, data, and device security along with blurring the lines of privacy and accessibility. Many organizations have tried a variety of approaches to allow for BYOD in their organizations, with limited success."
The scale of the issue is made clear in Symantec's 2012 State of Information Report, which reveals that 46% of business information is now stored outside firewalls, and if it is not on mobile devices, it is often accessed through smartphones and tablets. Globally, 28% of business information is accessed through these devices.
There a strong view that BYOD activity can deliver a competitive advantage, but CIOs and IT managers need to tread carefully to ensure their businesses do not have their security integrity compromised. The main security challenges include:
•educating users to maintain high levels of security when using their devices;
•working out how established IT and security policies can be applied to the BYOD environment;
•the implications of losing devices with highly sensitive information;
•responding to malicious attacks on devices, which are on the increase as hackers realise that valuable data could be saved to a smartphone or tablet;
•whether access to online content will be allowed or filtered;
•how BYOD devices will be protected when used in remote Wi-Fi environments;
•ensuring that apps used on the devices do not compromise security systems;
•deciding which operating systems are to be allowed within a BYOD environment. This will determine the security protocols and future patches that will be needed;
•maintaining an accurate inventory, as employees may replace their devices yearly or even over shorter time frames.
IT managers and CIOs need to look at how their existing security policies can be amended to maintain high levels of data security with BYOD. A policy can be modified in several ways:
1.A virtual desktop infrastructure (VDI) can be used to allow BYOD devices to securely access business servers without any cross-pollination of data that could include malicious code.
2.Decisions should be made on the level of access that devices will have to a corporate network. Businesses want to allow BYOD, but limits should be set and communicated to users.
3.The storage of sensitive data on personal devices can be allowed, but within limits set after consultation across users to strike a balance between day-to-day needs for data access, and the overall business security policy that includes compliance with data protection regulations.
4.Mobile device management (MDM) may at first glance seem to be the solution to security issues, but IT managers and CIOs should look closely at how MDM can be used to control a device environment that includes BYOD.
5.It is important to maintain endpoint security within a BYOD environment. Remote wiping of data, and on-board anti-virus protection become essential, as it is easy for an infection to spread from a user's home network.
6.Using a private cloud environment to protect BYOD users and provide a single management console for IT managers should also be considered.
Getting to grips
There is evidence that many IT managers have not yet got to grips with BYOD security. Research by system engineering company Decisive Analytics revealed that 83% of the companies questioned require employees to install software to secure and manage their personal devices when used for work purposes. The reasons given by those that did not included: "We only allow trusted users to connect to the network," (25.7%); and "We are not concerned about security on these devices," (15.6%).
Some said they had not had a security software solution (13.8%) or were still researching one (12.8%), while other reasons were user rejection (11%), perceived high cost (10%), and perceived complexity (3.7%).
Business security policies tend to be rooted in traditional desktop deployments, with notebook VPNs providing robust security for employees who work remotely. But the rapid expansion of BYOD has opened a whole new set of security challenges, and there has to be a balance between employers' needs to prevent disruption to business and compliance with data protection regulations, and ease of use of devices for employees.
CIOs and IT managers need to think through how their businesses are integrating BYOD into overall security systems. In most cases change will have to be made now to ensure data security is maintained. But the real challenge is that the BYOD layer is continuously changing.
Security vendors are slowly getting to grips with this brave new world, but until security platforms specifically for BYOD are available, existing systems will have to provide some level of security when these devices are used. It's likely that a hybrid approach that uses the private cloud, installed security apps and MDM will deliver a robust set of security tools that CIOs and IT managers can comfortably roll out across their organisations.