Addressing security-related concerns in a BYOD era
The concept of Bring-Your-Own-Device (BYOD) has gained traction over the past few years. BYOD can be defined as using employee-owned mobile devices such as smartphones and tablets to access business enterprise content or networks.
A number of enterprises have jumped onto the BYOD bandwagon, fuelled by the benefits it offers. According to industry analysts, an effective BYOD strategy can lead to a number of benefits for enterprises, including enhanced employee job satisfaction, increased job efficiency and flexibility. BYOD can also provide cost savings, from initial device purchase to ongoing usage and IT helpdesk support, as employees invest in their own devices. From a larger perspective, it can even result in higher recruiting acceptance rates.
BYOD and security
However, permitting employees to use their own personal devices to access their company’s (often) confidential data gives rise to several issues. According to Ernst & Young, BYOD significantly impacts a company’s traditional security model of protecting the perimeter of the IT organization by blurring the definition of that perimeter, both in terms of physical location and in asset ownership. In this context, it becomes imperative for an organization to define guidelines and security measures that strike a balance between its employees’ requirements and its own security concerns.
Identifying the BYOD security risk
According to Ernst & Young, the issues pertaining to the deployment of BYOD can be classified under three headings:
- The enterprise’s risk profile: This essentially entails examining how the enterprise defines potential “risks”. This in turn helps define the policies the enterprise would deploy to counter them.
- How the mobile device is being used: The enterprise ought to examine how the data is being used and what functions it serves. The more critical the function, the greater the number of controls on the device.
- Where the devices are being used: Typically, the security threats are greater when the device is being used internationally. This is owing not merely to “where” the devices are being used, but also to legislation in certain geographic areas that is often unclear and applies only regionally.
Measures to counter potential BYOD-related security risks
Ensuring the mobile devices deployed are secure
The first step for any enterprise is to draw up well-defined guidelines for the usage of mobile devices. Ideally, these ought to be based on an understanding of different user types and a clearly defined set of user segments.
Broadly, a mobile device can be secured by:
- Implementing a mobile data management policy
- Establishing a security baseline
- Introducing stringent authentication and access controls
- Installing mobile updates
- Limiting the use of jail-broken devices
- Enforcing passwords
Ensuring mobile applications are secure
Using insecure mobile applications typically gives rise to two primary security threats: malicious applications and vulnerabilities in the application itself. In this context, viable counter-measures include:
- Using mobile anti-virus programmes
- Assessing the need to implement new applications
- Managing applications via an in-house application store
- Blocking unknown third-party access to the mobile applications
Managing the overall mobile ecosystem
Broadly, implementing a BYOD policy increases the effort the enterprise must put into maintaining an inventory of the existing mobile devices and keeping those devices’ operating systems updated. In this context, the following measures can be taken to protect the devices:
- Identifying an appropriate BYOD policy
- Implementing a self-service portal or resource for employees
In sum, implementing an effective and up-to-date BYOD policy is essential for any enterprise to prepare itself to grapple with security-related challenges.