Mitigating the Security Risks in BYOD

Date: Thursday, June 30, 2016

Headquartered in Bengaluru, Happiest Minds enables customers to build smart, secure and connected experiences by leveraging technologies like mobility, analytics, security, cloud computing, social computing and unified communications.

As part of the rise of the consumerization of IT, there is a growing trend across organizations and industries: BYOD, or Bring Your Own Device. Organizations have started allowing employees to work on devices of their choice as long as productivity increases. In this way, employees remain satisfied and costs for businesses are reduced. In today's work environment, it is perfectly okay to check and respond to official emails on a personal mobile/smartphone. BYOD culture encompasses BYOT (Bring Your Own Technology), BYOP (Bring Your Own Phone) and BYOPC (Bring Your Own PC) initiatives.

While enterprise BYOD adoption rates vary depending on the industry and the geographical regions organizations operate in, the widespread usage of consumer smartphones, tablets and smartwatches is here to stay. BYOD is an attractive business model in the current economic environment as it supports employee satisfaction through flexible working hours (employees prefer to use both corporate-provided devices and their own), increased productivity and reduced cost to the company. However, BYOD has a dark side too. It has a noteworthy impact on the traditional IT model; the perimeter to be protected against attacks is now blurred, both in terms of physical location and asset ownership. The hardest hit are small and medium organizations that cannot afford the in-house resources and knowledge to mitigate these challenges.

Each organization needs to ask itself a few basic questions when allowing BYOD:

- Which type of corporate data can be processed on personal devices?
- How should access to corporate data be encrypted and secured?
- How should corporate data be stored on personal devices?
- How and when should corporate data be deleted from personal devices when an employee resigns or takes up another job?
- How should data be transferred from the personal device to the company servers?

Without an effective strategy, BYOD can threaten IT security and put a company's sensitive business systems at risk. Prohibiting personal devices altogether does not solve the issues that BYOD has given rise to; employees end up using their own devices unmonitored, thus posing bigger threats to the data security landscape.

An effective BYOD strategy can actually lead to significant benefits for the business. However, an employer seeking to implement a solution must identify business benefits and objectives as well as take into account security, audit and data protection requirements. A multidisciplinary team, including IT, HR and legal, should be formed to develop a coordinated BYOD policy.

Potential Risks:

BYOD risks are both simple and complex at the same time. However an organization chooses to think of BYOD and implement it, IT should treat it like the introduction of any new technology, with controlled deployment. Enforcing controls without affecting productivity is a tough balancing act. Most experts agree that the first step is to assess potential risks and weigh them against the organization's current security policies.

The risk landscape of BYOD deployment can be broadly divided into the following three categories:

Organization's Risk Profile: How a particular organization defines and treats risk scenarios is important when choosing the type of security controls.

Geographical Deployment of the Device: International deployment increases risk levels. Beyond the geographical distribution of devices, countries or regions with rigorous legislation can affect the legal requirements for staying compliant.

Current & Future Mobile Use Cases: Considerable focus is needed to understand the types of data and functionality that get exposed through deployment. There is no 'one size fits all' in this case.

The top BYOD security concerns can be summed up as below:

Loss of Company or Client Data/Data Leakage: As workers become more dependent on mobile devices, the floodgates of data theft open up. Mobile phones and tablets are among the weakest links in the security chain. They require regular patch updates, and this responsibility lies with the user. To combat the issue, organizations need to use acceptable policies and procedures that clearly define boundaries and the consequences should they be breached.

Unauthorized Access to Confidential Information: This is one of the most obvious security challenges of BYOD: balancing corporate (and thus confidential) and personal data on the same device. In addition, hackers record login and password credentials. While OTP (One Time Password) can be effective in handling this, for a holistic solution, investing in EMM (Enterprise Mobility Management) software can mitigate risks.

Users Downloading Apps/Content with Embedded Security Risks: Employees download mobile apps and connect to Wi-Fi hotspots without a proper security protocol. A check would reveal that the majority of personal devices have privacy issues and lack proper data encryption, allowing hackers an easy passage. To prevent this, a VPN is a good option; it grants access by verifying that the data being transferred from the mobile device to the IT network is encrypted and allowed.

Lost or Stolen Devices: This is the biggest risk involved. Once a device is stolen, unless it was encrypted as part of company policy, its information is handed over to every unauthorized user out there. Implementing remote wiping capabilities that can be used as soon as a device is reported stolen or missing, without waiting for formal approval from the user, can give the IT department some sense of control in such scenarios.

How can organizations keep data secure in the rising BYOD trend?

Employee's Devices: Invest in mobile device management solutions, evaluate device usage scenarios, introduce stringent authentication parameters and enforce industry standard security policies.

Countering App Risks: Enforce a mobile anti-virus program, manage apps, ensure security processes cover mobile apps and continue to assess the necessity of new apps.

Managing Support for BYOD: Create a proper support structure for BYOD, revamp existing support processes, inform and educate employees to patch their devices, and implement a knowledge-base self-support system for employees.

Although BYOD has risks involved, it can reduce costs and increase productivity if managed properly. Employees must be educated to protect their devices. Introducing a flexible and scalable policy and regularly testing personal devices used in an office environment can go a long way in bridging the gap between the increased usage of personal devices accessing the company network and the security concerns arising from it.