Strong Policies A Must For BYOD
More and more organizations are opening up their networks with invitations that say BYOD (bring your own device) and seeing everything from iPads to the latest Android gadget walk in their doors.
And no one can deny that this trend is accelerating rapidly without any clear sign of stopping. According to a December 2011 Forrester Report, half of all US information workers pay for their smartphones and monthly plans, while three-quarters pick the platform of their choice rather than accept an IT standard issue device.
For organizations, particularly larger enterprises with sufficient IT staff and security infrastructure—the dearth of personal devices in the work environment paves the way for untold efficiencies and increased productivity, not to mention lowered carrier costs. In short, workers can answer e-mail, upload information on file shares and update Websites from the commuter train, from the beach condo and at their kids' soccer games—often on their dime.
Sounds like a win-win? Well, here's the dilemma—while everyone wants to be more efficient, surprisingly few organizations have policies in place to adequately secure the influx of mobile devices being introduced into the workplace.
“These are the devices that people don't let go of,” says Patrick Bedwell, Fortinet vice president of product marketing. “It's a great way to make people more effective. But without a policy or controls in place, IT organizations are just saying 'no.'”
And with good reason. Generally, users' mobile devices are devoid of the most basic security features—such as antivirus and password protection—incorporated in pretty much all workplace PCs. Meanwhile, the agility enabled by personal devices means that business critical apps can, and will, be accessed from any network in any location.
“You'd be shocked at the amount of sensitive data on their mobile devices,” says Bedwell. “And they're accessing the corporate network from outside the perimeter. They're exposing the device to a lot more risk in terms of the Internet. These devices don't have much protection, but they're storing very valuable data online.”
So what's the answer? Here are a few suggestions that will provide some peace of mind for organizations:
Implement A Relevant Mobile Policy: It's simple Policy 101. Most organizations should take the time to really assess their goals and determine relevant threats to the network. (e.g. malicious Websites? Data loss? Productivity loss? Excessive bandwidth usage?) And more importantly, how should policies be enforced?
“It's silly to pass a policy and realize that they haven't done their due diligence,” Bedwell says.
Remote Management Software: It seems like a no-brainer--being able to apply a slew of basic security functions, such as antivirus or remote data wiping software, to any device housing corporate data. Likewise, remote management software gives IT the ability to automatically update users' devices with the latest patches to prevent any existing vulnerabilities from being exploited in mobile attacks.
Blocking Non-Compliant Devices: This is where organizations can practice the art of compromise. Often workers are eager to use their personal devices for work but reluctant to install additional software—some of which might have the potential to wipe their valuable contacts and photos from their phone. As a compromise, organizations could allow their workers to use their own devices IF they agree to install certain apps in accordance with the organization's security policy. If not, then the workers can stick with an IT-issued device.
“The problems with BYOD is that devices aren't issued by the company. It may be difficult for employees to agree to put on remote management software or antivirus software. But there has to be some kind of tradeoff,” Bedwell says. “Organizations really have to get ahead of the curve. BYOD is here to stay.”