How to Mitigate the Security Risks in BYOD
Date: Monday, November 14, 2016
Headquartered in Bengaluru, Happiest Minds Technologies enables digital transformation for enterprises and technology providers by delivering excellent business efficiency with actionable insights through an integrated set of disruptive technologies.
As part of the rise of the consumerization of IT, there is a growing trend across organizations and industries: BYOD (Bring Your Own Device). Organizations have started allowing employees to work on devices of their choice as long as productivity increases; in this way, employees remain satisfied and costs are reduced. In today’s work environment, it is perfectly okay to check and respond to official emails on a personal mobile/smartphone. BYOD culture encompasses BYOT (Bring Your Own Technology), BYOP (Bring Your Own Phone) and BYOPC (Bring Your Own PC) initiatives.
While enterprise BYOD adoption rates vary depending on the industry and geographical regions they operate in, the widespread usage of consumer smartphones, tablets and smartwatches is here to stay. BYOD is an attractive business model in the current economic environment as it allows employee satisfaction in terms of flexible working hours (employees prefer to use both corporate provided devices and their own), increased productivity and reduction of cost to the company. However, BYOD has a dark side too. It has a noteworthy impact on the traditional IT model: the perimeter to be protected against threats is now blurred, both in terms of physical location and asset ownership. The hardest hit are small and medium organizations, which cannot afford the in-house resources and knowledge to mitigate these challenges.
Each organization needs to ask itself a few basic questions while allowing BYOD:
Which type of corporate data can be processed on personal devices
How to encrypt and secure access to corporate data
Ways of storing corporate data on personal devices
How and when corporate data should be deleted from personal devices when a resource resigns/takes up another job
How the data should be transferred from the personal device to the company servers
Unless there is an effective BYOD strategy, it can threaten IT security and put a company's sensitive business systems at risk. Prohibiting personal devices altogether does not solve the issues that BYOD has given rise to; employees end up using their own devices unmonitored, thus posing bigger threats to the data security landscape.
An effective BYOD strategy can actually lead to significant benefits for the business. However, an employer while seeking to implement a solution must identify business benefits and objectives as well as take into account security, audit and data protection requirements. A multidisciplinary team should be formed to develop a coordinated BYOD policy, including IT, human resources and legal.
BYOD risks are both simple and complex at the same time. Whatever one chooses to think of it and however they choose to implement it, IT should treat it like the introduction of any new technology, with controlled deployment. Enforcing controls without affecting productivity is a tough balancing act. Most experts agree that the first step is to assess potential risks and weigh them against the organization’s current security policies.
The risk landscape of BYOD deployment can be broadly divided in the following three categories:
Organization’s Risk Profile: How a particular organization defines and treats risk scenarios is important when choosing the type of security controls.
Geographical Deployment of the Device: International deployment increases risk levels. It is not just the geographical distribution of devices that matters; areas/countries with rigorous legislation can affect the legalities involved in staying compliant.
Current & Future Mobile Use Cases: Considerable focus is needed to understand the types of data and functionality that get exposed through deployment. There is no ‘one size fits all’ in this case.
The top BYOD security concerns can be summed up as below:
Data Leakage: As workers become more dependent on mobile devices, the floodgates of data theft open up. Mobiles and tablets are among the weakest links in the security chain. They require regular patch updates, and this responsibility lies with the user. To combat the issue, organizations need to use acceptable policies and procedures that clearly define boundaries and the consequences should they be breached.
Unauthorized Access to Confidential Information: This is one of the most obvious security challenges of BYOD: balancing corporate (and thus confidential) and personal data on the same device. Besides, hackers record login and password credentials. While OTP (One Time Password) can be effective in handling this, for a holistic solution, investing in EMM (Enterprise Mobility Management) software can mitigate risks.
Users Downloading Apps or Content with Embedded Security Risks: Employees download mobile apps and connect to Wi-Fi spots without a proper security protocol. If checked, it will reveal that the majority of personal devices have privacy issues and lack proper data encryption, allowing hackers an easy passage. To prevent this, a VPN is a good option; it grants access after verifying that the data being transferred from the mobile device to the IT network is encrypted and allowed.
Malware Infections, Lost or Stolen Devices: This is the biggest risk involved. Once a device is stolen, unless it was encrypted as part of company policy, it hands over information to every unauthorized user out there. Implementing remote wiping capabilities as soon as a device is reported stolen or missing, without waiting for a formal approval from the user, can give the IT department some sense of control in such scenarios.
How can organizations keep data secure in the rising BYOD trend?
Employees’ devices: Invest in mobile device management solutions. Evaluate device usage scenarios. Introduce stringent authentication parameters. Enforce industry standard security policies.
Countering app risks: Enforce a mobile anti-virus program. Manage apps. Ensure security processes cover mobile apps. Continue to assess the necessity of new apps.
Managing support for BYOD: Create a proper support structure for BYOD. Revamp existing support processes. Inform and educate employees to patch. Implement a knowledge-base self-support system for employees.
Although BYOD has risks involved, it can reduce costs and increase productivity if managed properly. Employees must be educated to protect their devices. Introducing a flexible and scalable policy and regularly testing personal devices used in an office environment can go a long way in bridging the gap between the increased usage of personal devices accessing the company network and the security concerns arising from it.