The Bring Your Own Device (BYOD) trend has gained popularity steadily across all sizes of business, from small operations right through to large corporates. This is due to BYOD enabling employees to use the devices of their choosing while business investment in IT is reduced. However, despite the benefits of BYOD, security remains a concern and a factor that may hinder adoption.
Aside from the well-known challenges of network access, permissions and bandwidth abuse, information security is another concern, and one that many organisations neglect to consider. BYOD and its related mobility trend require organisations to rethink their information security policies and procedures in order to ensure their sensitive corporate data does not become vulnerable to a variety of breaches.
For large enterprises, BYOD offers the ability to dramatically reduce IT spend on endpoint devices, while catering to the requirements of their employees to use the device of their choice on the corporate network. This helps to improve productivity. For smaller businesses that may not be able to afford the latest technology, BYOD enables employees to still use this technology without cost to the company.
However, if employees are all bringing their own devices onto the business network, and organisations do not control the information on these devices, those organisations are left exposed: sensitive information can be lost, stolen or fall into the wrong hands, with potentially dire consequences. Information needs to be managed, especially when employees use the same devices for both work and personal purposes.
Take for example an employee with his or her own personal laptop and mobile phone, which are connected to the company network but are also used after hours for personal functions. For work purposes, these devices require access to corporate networks and corporate data, such as servers, email and other business information, but the devices themselves do not belong to the organisation.
If this employee resigns from their position, and the information on these devices is not backed up, stored and then removed, and access to the network withdrawn, this former employee retains potentially sensitive information outside of the company’s control. With the impending implementation of the Protection of Personal Information (POPI) Act, this poses a serious problem, not to mention the threat of this information falling into the wrong hands or being used against the organisation. In addition, whether the employee remains at the organisation or not, mobile devices by their very nature are prone to theft or to being misplaced, with the result that information is stolen or lost.
If BYOD devices do not comply with an organisation’s security policy, the company network can be exposed to intruders and attacks. This includes not only information retention and deletion policies, but also traditional threats like viruses, Trojans, worms and the many other forms of malware. Securing the network requires that devices are given the right levels of permission, and that devices are checked and authenticated for applicable levels of protection, including anti-virus and other endpoint protection solutions. Remote management and wipe capabilities are also necessary to introduce a level of control over data stored on these BYOD devices.
The reality is that it is simply not possible to manage all of these devices manually. In an organisation with thousands of employees, if each one brings multiple devices onto the network, the scale of the problem has the potential to spiral out of control.
The chance of human error with regard to manual policy implementation also introduces unacceptable levels of risk. Organisations need to ensure that they have the correct policies and procedures in place, and ensure that they have the right software to implement these policies and procedures and gain the necessary level of control over information on these devices.
Security solutions for a BYOD world need to perform multiple functions beyond traditional vulnerability management. Solutions need to ensure the secure management of devices regardless of their location, deliver a view of compliance for regulations around information such as POPI, streamline the management of devices and applications with support for a broad range of platforms and operating systems, provide automated patch management for up-to-date software, and provide capabilities that enable mobility without compromising on network and information security.
BYOD as a trend is one that is here to stay, and organisations need to address these and other challenges in order to leverage the benefits without falling foul of security vulnerabilities.
Fred Mitchell, Symantec Division Manager, Drive Control Corporation