Is BYOD a Nightmare for IT Security or a Dream Come True?

Tuesday, June 19, 2012

Megan Berry


While you may still be debating whether or not to allow employees to use their own smartphones or tablets for work, many organizations realize that they may not have a choice.

The primary motivating factor for a formal BYOD program was employee demand, according to HDI, and employees are going to use their own devices with or without approval.

Though it may seem that the risks of unsecured devices are a security nightmare, with the right tools, companies can work BYOD to their advantage.

Tool #1: A written mobility policy

This is an absolute must to protect the company’s network and its data. The parameters of the program must be clearly defined so everyone will benefit from the freedom of a BYOD workplace.

Besides listing which devices are allowed, here’s what a policy should include:

  • Who gets to bring their own device? Is it open to all employees or a select few based on their job responsibilities?
  • Who pays for it, the company or the employee? Or does the employee receive a monthly stipend?
  • State that the company has a zero-tolerance policy for texting or emailing while driving, and that only hands-free talking while driving is permitted.
  • Are devices with cameras and video-recording capabilities allowed on-site? (In some cases, it is possible to disable these features remotely.)
  • What are the consequences for not complying with the policy?

Start by writing a basic policy, then expand it to address all employees with varying job requirements.

Training sessions with employees that review the policy in person, including a question and answer period, are much better than passing out copies of the policy to everyone.

Remember that the policy should be updated as new devices and apps become available. Everyone should be kept in the loop too.

Tool #2: Mobile Device Management (MDM) software

The company’s existing tools, for example Network Access Control software, Active Directory, MS Exchange, WiFi or VPN, may already be able to do this. If you need to get new software, research the options against the company’s mobile operations and size.

MDM applications offer a range of options, for example:

  • Email management
  • Document/content management
  • Regulatory compliance regarding data and privacy
  • Automated provisioning
  • User self-enrollment
  • Reporting capabilities, and
  • Mobility expense management

Don’t forget to investigate:

  • Can the application separate corporate data from personal data on the device?
  • Can it remote lock/wipe only corporate data?
  • How does it protect employees’ privacy?
  • What encryption methods and protocols does it use?

Tool #3: IT Staff Training

Managers must get input from the support staff to find out:

  • How familiar they are with the devices, operating systems, and platforms
  • If they can activate the security features of those devices
  • If they know how to troubleshoot connectivity issues
  • If they can identify apps that can provide secure data access on mobile devices
  • If they can develop apps to provide secure data access if needed
  • What knowledge gaps need to be filled, and
  • If you need to hire additional staff.

Try buying a few of the devices they will support for them to train on. Set up test environments and let them learn on their own devices as well.

A well-written mobility policy, appropriate MDM software and effective training can turn BYOD into a dream come true for companies looking to shield themselves from the outside risks. Both companies and employees can benefit from a BYOD program.

If you would like more information and bonus network security tips, check out our original story.

Cross-posted from IT Manager Daily

Marc Quibell I don't know why people say byod is unavoidable. It depends on the information being handled. For example, you don't byod into a classified information area. You're not going to find byod devices in a secret classified area. But for some public company who maybe doesn't care about allowing employees unfettered access to their data, byod all day, access your email all you want. Throw data out all over the place as long as your legal department endorses it. As a consumer however, I don't want my data sitting on people's personal devices, so that means that I don't care how cool employees think it is, keep my info off your toys. This comment has been created using myod.
Michael Johnson I don't see why management can't just flatly refuse BYOD - something that would dramatically increase the 'attack surface' of the network and essentially turn the whole thing into a DMZ. There are countless other issues related to the potential loss or theft of the devices, and methods of replacing them safely every 18 months or so.
Mark Hennon What Michael said. Personal devices are full of crapware and abysmal on security. And almost all the time workers spend on them is personal and a theft of payroll.
Allan Pratt, MBA Important to keep in mind that while BYOD is becoming an issue for many businesses and IT departments, some industries will never be appropriate (think federal security, military, some technology companies, etc.). However, increased productivity could be an unintended result of BYOD, as seen from this take-away: "A well-written mobility policy, appropriate MDM software and effective training can turn BYOD into a dream come true for companies looking to shield themselves from the outside risks. Both companies and employees can benefit from a BYOD program."
Michael Johnson A mobility policy would probably work wonders in the ideal workplace, where the document is concise, employees know of its existence, and it's actually being read.
In the days when I was an office minion, policy documents (especially pertaining to Health and Safety) were something we'd sign and forget when starting employment. They were seen as a 'cover your ass' thing for managers, more than anything. I've also learned there'll always be an increasing demand for 'productivity' and more pressure to meet targets, and this is where even the best laid policies become of secondary importance. This is why networks should be made idiot-resistant if any sensitive data's being processed.
Marc Quibell Mr. Pratt represents the mgmt side of the coin where he sees some abstract value of byod, looking for that elusive 'productivity' gain. I see real value in mobile computing, where employees are issued company laptops or touch devices and are able to remotely work from whenever, and wherever they may be...

Let's not confuse byod with true, productive, remote computing, cloud computing...etc. At the MOST, an employee can use their own device to perhaps access company email systems. Anything beyond that or anything involving sensitive information (could also be email!) should never be allowed to propagate onto personal devices.
Allan Pratt, MBA Another point to consider in the BYOD discussion: malware vectors from each email system. It is possible for personal email systems that reside on a smartphone or tablet to infect corporate email systems on the same device (especially when it comes to zero day malware) - and vice versa, which is another reason to keep devices separate.
julian radetsky You can't compare most companies to government national security systems, because most of those computer systems are not connected to the internet. They are in a local network that can only be accessed if you're on site. BYOD is not about being able to access data from your LAN. It's about being able to access the public data you already have over your WAN. If you are to tell me a desktop computer wired to a network is any more secure than a laptop or tablet or phone on your LAN from taking data from a local server then you are way behind security protocols. The fact is in 5 years from now the idea of a desktop computer is probably going to be extinct, and wireless protocols can manage any wireless device and what it's accessing as well as, if not better than, the old technology can manage desktops from stealing data over your LAN or even what an employee could do over VPN. Programs like Cisco's ISE or ascentek or for smaller companies what Meraki offers. With MDM management and other stuff a mobile device hooked up to your local network is more managed and watched over than local computers these days. Your stuff, whether it's sitting on the secretary's laptop while they're on vacation or in the office, is just as secure as their desktop if not more, due to certificates and other programs most corporate phones have embedded in them. Also unlike a desktop computer a wireless device is easier to block, identify and manage its access to your network anyway. If you do some research on what has already been developed, BYOD is only a risk to the company that does not know its security protocols. Wireless and wired systems share the same root security protocols, so if you can't secure your wireless from accessing data you don't want it to, chances are your wired network is insecure too.
Bill Phillips I remember a friend of mine who was given a warning at while, for using his laptop during a lunch break. That's insane, however, with the change in technology, I think, things have become more flexible.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.