In its 'Enabling Secure BYOD' report, Fortinet states: "BYOD is another battle in the war between security and usability. End users from the CEO down to line workers want the ability to use personal devices for work purposes, their belief being that personal devices are more powerful, flexible, and usable than those offered by corporate."
Business owners need to look at how their existing security policies can be amended to ensure the high levels of data security their organisations enjoy can be maintained when BYOD devices are used. Modifications to a security policy can include:
- The use of VDI (Virtual Desktop Infrastructure) to allow BYOD devices to securely access business servers without any cross-pollination of data that could include malicious code
- A decision as to the level of access that BYOD devices will have to a corporate network. Businesses want to allow BYOD, but limits should be set and communicated to BYOD users
- The storage and transportation of sensitive data on personal devices can be allowed, but within certain limits set after consultation across users to ensure a balance can be struck between day-to-day needs for data access, and the overall business security policy that includes compliance with data protection regulations
- Mobile Device Management may at first glance seem to be the solution to BYOD security issues, but IT managers and CIOs should look closely at how MDM can be used to control a device environment that includes BYOD
- Endpoint security becomes even more important to maintain within a BYOD environment. Remote wiping of data and on-board antivirus protection become essential, as infection can easily occur via the home network that a user's device will connect to
- Using a private cloud environment to protect BYOD users and provide a single management console for IT managers should be considered
BYOD security is clearly an area that small businesses in particular have yet to fully get to grips with. Research by Decisive Analytics stated: "Most companies (83%) require employees to install software to secure and manage their personal devices when used for work purposes. We asked the companies that do not require security software why they did not require it.
"Surprisingly, the most common responses were: 'We only allow trusted users to connect to the network' (25.7%), and 'We are not concerned about security on these devices' (15.6%). Some say they have not had a security software solution (13.8%) or are still researching a security solution (12.8%). User rejection (11%), perceived high cost (10%), and perceived complexity (3.7%) were less frequently mentioned."
The rapid expansion of BYOD has run ahead of business security policies that tend to be rooted in traditional desktop deployments, with notebook VPNs providing robust security for employees who do work remotely.
Staying in control
For small businesses in particular, the convergence of technologies that has culminated in the phenomenon we know as BYOD needs to be controlled as it expands across their organisations.
James Lyne, global head of security research at Sophos, told techradar pro:
"For some time now I've predicted the coalescence of mobile and traditional computing platforms, as they grow to have more similar application models and use cases. We are at a very interesting point in security where there are a wide range of new devices being deployed – from mobile to Internet of Things."
He continued: "So far many of these devices have been found lacking by security researchers but few have been the focus of cybercriminals, I suspect as they hold less interesting data than the traditional computing device. It could be a very short time indeed until that changes, leading attackers to focus on technologies that have a significantly weaker security infrastructure.
"Ultimately, small businesses need to make sure they work with a security provider that can protect them at every point appropriately and can continue to do so as new devices enter their networks."
How much control your business has over the mobile devices it uses in and outside of the office environment is also a pressing question that needs to be answered.
Nassar Hussain, Managing Director for Europe and South Africa at SOTI, advises: "Locking everything down will only prove counter-productive. Employees need flexibility to use their mobile devices in ways that accelerate their productivity, but there are some basic security policies that need to be implemented to protect small business data and the networks those devices have access to.
"If the correct procedures and prevention mechanisms are put in place to address mobile security concerns, and you have employees exercising best practices and open communication between the user and the business' security expectations, you will see a lot of potential threats being avoided."
Managing the mobile technologies that now proliferate across your business needs planning to understand how these devices are being used. With this information you can develop a detailed policy that enables your business to use these technologies safely and reap the rewards that they clearly offer.