On today’s information technology landscape, one thing is glaringly obvious: Bring Your Own Device (BYOD) is an inescapable concern for IT managers at every company. Security concerns associated with employees bringing personal devices onto the corporate network — both internal and external — are keeping IT managers up at night.
The “consumerization” of IT is having an enormous impact on IT security. No matter the size of the company, from SMBs to large enterprises to highly regulated government entities, BYOD is affecting everyone, is here to stay and needs to be confronted head-on. While there are many options and solutions available to tackle specific problems, there are three central issues that companies must face in order to minimize or even eliminate the risks created by BYOD.
A Plethora of Devices
First is the fact that there are so many different devices being brought within a company’s four walls and potentially accessing the corporate network. The BYOD movement is being driven by tablet platforms, iPhones, iPads, Android and Windows phones — and more enterprises are allowing “non-standardized” devices to attach to the network.
Sixty-seven percent of respondents allowed employee access to email and storage over employee owned devices, the Information Week Analytics 2011 End User Device Management Survey found.
There was a significant increase in the amount of business content stored or shared on employee-owned devices, the survey also revealed.
The latest device invading the enterprise? The iPad. Apple reported record pre-orders for its latest iPad, which hit shelves in March. Analysts even raised their iPad unit estimate to 65.6 million for 2012, and to 90.6 million for 2013.
Across the different types of mobile devices, smartphone adoption in particular is happening at a staggering pace. Nearly a billion smart devices shipped last year, IDC estimated, and the projection called for device shipments increasing to double that rate by 2016. With each new device entering the market, there is a completely new environment that IT staff must learn — often after the connection to the network has been made.
The second issue that companies must address is policy enforcement. It is not enough to print out the security policy and tack it to the wall in the office cafeteria. Only 33 percent of respondents use software to enforce a unified security policy, the Information Week 2011 Strategic Security Survey showed. IT staffers may not have administrative control over every device, but they must know how to be able to control devices and keep policies active, even without control of the physical device.
Considering the explosive growth of mobile devices, enforcing policy is a central concern for the IT security staff in the face of escalating privacy regulations, potential public embarrassment and disclosure costs. Removable device control, protection and management are critical.
The third issue is data leakage. Every mobile device is capable of holding massive amounts of data. Mobile devices on the network can be filled with corporate data, and then can turn around and walk out of the company — right through the front door — in the pocket of an employee. Missing devices caused 42 percent of security breaches, according to the 2012 Ponemon Institute National Study of Data Loss Breaches.
While these issues are a hotbed of concern, several assumptions kept front of mind can go a long way toward securing corporate data. Following are five assumptions and strategies to solve security problems that IT professionals are facing with BYOD’s threat to corporate data, user identities and intellectual property.
- the worst! Don’t hire a penetration tester. Save your money and assume “they” will get in — 75 percent of organizations have suffered data loss from negligent or malicious insiders.
- employees will use their personal devices on the corporate network, even if they are told not to. More than 50 percent of employees use portable devices to take confidential data out of their companies every day. Before you end up with a problem on your hands, use products that are available today to block the ones you’re not willing to have around, whitelist the ones you feel comfortable with, and where data is critical, both encrypt it and audit its movement.
- that your employees value convenience more than security. If a security policy is overly cumbersome or inconvenient, employees will find a way around it. Don’t underestimate the ingenuity of employees looking to circumvent procedures that slow them down. So, make the easy path the safe path. The last thing you want to do is prevent use of all personal devices: Soon users will find a workaround, like using phones to take pictures of documents to allow work at home. If you try to control too much, the initial problem slips through fingers and creates a much bigger problem.
- that flash drives will be lost and IT will never know. Losing a US$10 flash drive can be even worse than losing a laptop. Stolen or lost laptops are reported — $10 flash drives are quietly replaced. Missing devices cause 42 percent of security breaches, according to the Ponemon Institute National Study of Data Loss Breaches in 2010. Use encrypted flash drives or don’t use them at all. Right now, only 35 percent of companies enforce data encryption on company-issued devices.
- that an organization’s first and last defense against a security breach is its own employees. Training employees on good security practices offers the most bang for the buck. Negligent employees cause 16 percent of security breaches, according to the Ponemon Institute National Study of Data Loss Breaches in 2010. Everyone should learn how to recognize phishing attacks and fake antivirus software advertisements. If it looks too good to be true, it really is. Also, oftentimes the most obvious ways to protect are the best ways. Everyone should have strong passwords that only they know on their devices. The most popular password in 2011 was “password,” according to research done by SplashData. That certainly is not a formidable protective shield for securing sensitive corporate data.
In order to embrace BYOD, security policies should be formulated based on these assumptions. IT security staff need to implement policies, and provide secure devices and management solutions that make the easy path the secure path. Taking advantage of the brave new world of user mobility doesn’t have to mean losing control.
I AM surprised you didn’t mention Tigertext in you security section, in our small hospital it has allowed us to maintain HIPAA compliance. At the hospital I work at, we have the burden of meeting HIPAA requirements, particularly since many doctors send and receive patient info via text messaging on thier BYOD phones.
This opens the hospital to HIPAA related lawsuit if the doctor loses thier phone or it is hacked.
In order to deal with the issue, we got the doctors to use Tigertext, which deletes the text messages after a period of time, making it HIPAA compliant.
I don’t know if this is the best solution for everyone, but it was an easy and cost effective way to deal with this issue.
The BYOD issues that IT departments are dealing with are only going to become more complex in the future.
I also found this article on BYOD that adds to your article with some additional charts and findings: