BYOD Security

BYOD in the Enterprise

Mobile devices of all shapes, sizes and capabilities dominate the work environment today. While business has long recognized the potential issues that allowing employees to use their own devices brings to network or intranet security, the reality is that these issues are not going away. According to the IDC, by 2020 72.3% of the US workforce is expected to be using their own mobile devices in the work environment. That means understanding the challenges that BYOD (Bring Your Own Device) implementations bring, and the solutions that go with them, is crucial for business moving forward.

When discussing BYOD challenges, it is important that we start with the basics. In general, we are discussing notebooks and laptops, tablets and smartphones, and there are four specific challenges that using personal devices on a corporate network or intranet brings. These are:

  • Security
  • Privacy
  • Usability
  • Legality

Security

We start with the most obvious issue with a BYOD policy: security. There are multiple points of weakness that BYOD introduces into a corporate system. The first is device ownership, that is, knowing who is actually using the device. This is particularly pertinent for remote employees who may be accessing network assets at unusual times as a matter of course. The second is the devices themselves. Devices being lost or stolen tie back into the first threat, but more than that, personal devices can be compromised by downloading the wrong app, and that has the potential to allow access to the entire network and its data. Finally, a secure connection to the network is crucial to maintain integrity. With BYOD models, however, users could be accessing the network from all kinds of local connections.

Mitigating these risks is essential. Luckily, there is a solution that centralizes risk control and adds security. Mobile device management solutions provide both data encryption to maintain secure connectivity and an isolated, secure environment on the device for work-related tasks. This environment not only adds the highest levels of encryption to work data, but also protects the work space from intrusion by other apps that the user may have installed in their private space.

In addition, the mobile device management solution can ensure that work-related apps and other tools are updated and rolled out centrally, giving all users a consistent environment, even across multiple platforms. This centralized control also allows system admins to quickly deny service to any device that is reported lost or stolen, minimizing the risk from those situations.

Privacy

For both the organization and the individual user, BYOD models bring potential issues with privacy. The use of mobile device management that separates personal and commercial data does go some way to mitigate the issue of personal data being accessed by others. However, the organization still faces risks. Devices can theoretically access corporate data from anywhere, and in any environment, which opens up certain privacy risks that are difficult to avoid.

However, properly drawn-up user agreements for all BYOD users can adequately define the limitations on access to and use of data. In combination with a mobile device management solution that reports access location data, it is possible to police user agreements and maintain the integrity of systems and data.

Usability

Even on a network where every device is commissioned and centrally controlled by an admin team, users encounter difficulty and require support. Support becomes even more essential in a BYOD solution, as it introduces multiple platforms and operating systems to the equation, increasing the number of issues users face. In addition, with users accessing systems from multiple locations and situations, the potential for user problems rises exponentially.

There are two ways of minimizing the issues. The first is, again, the mobile device management environment, which can provide a uniform user experience that enables some level of standardized support. This support can include centralized management, which is also able to handle updates and new software rollout for all users.

In addition, the support structure will still have to deal with an increased number of issues, and the capacity for this should be in place before any BYOD policy is enacted. An enlarged support team with the capability to deal with the expected support requirements is a crucial part of BYOD planning. Support services are always going to be required, and planning for those needs helps mitigate any potential rollout problems.

Legality

Finally, there are risks that involve the legal structure of the business and the employee/employer relationship. These kinds of challenges depend on the precise structure of the organization, and in particular, local labor laws that are applicable to the organization’s operational activities.

A good example of this is something like the Working Time Directive Rule in place within the EU, which restricts the number of hours a worker can be compelled to work per week. Remote workers based in the EU but working for companies based in the US, or in other regions where the law does not apply, could fall foul of such legislation by accessing corporate data for longer hours.

Another situation where legal issues may come into effect is where industry restrictions apply. For instance, health care and aspects of the financial industry are covered by very strict legislation regarding how, by whom and where data can be accessed, and compliance with those restrictions must be maintained across the entire organization.

The key here is to understand in advance where legislation could be breached, and to ensure that the user policy is drafted to maintain legal continuity. This could be as simple as an access restriction to prevent excess hours worked, or a more complex process to maintain regulatory compliance for a given industry. In either case, a stringent risk assessment must be carried out to identify these legal issues before a BYOD policy is rolled out.

Conclusion

As with any IT project undertaken across any enterprise, preparation, adequate risk assessment and implementation of appropriate policy are essential when deploying any kind of BYOD solution. Because this approach brings so many variables (types of devices, software platforms, users and connectivity), the risks involved can never be entirely mitigated. However, with appropriate centralized management, separation of personal and work data including encryption, adequate planning and effective policy, BYOD can see smooth implementation for all users.