Mobile Device Security: A Growing Need in Today’s Expanding BYOD Culture
BYOD: Bring Your Own Device – this phenomenon in today’s IT business culture is on the rise and not likely to abate anytime soon. By most measures, many IT managers have embraced (at least to some extent) employee use of their own devices at work for a number of reasons, including saving the company money on expensive hardware, increasing employee morale, and, as one CIO put it, BYOD being “a great way to recruit and retain young talent.”
This paradigm shift seems especially prevalent in IT start-up enterprises. CIOs, managers and other decision makers within these new organizations may be more adept at addressing the phenomenon and all it entails, provided they are forthright in their assessment and understanding of it.
But whether a company is a well-established entity or a new kid on the block, with this new workplace development come new threats. As mobile computing becomes more prevalent, the threat landscape changes in step. Joan Goodchild, Senior Editor at CSO Online, reported that in a recent survey of IT managers and CIOs, when asked “what are the greatest barriers to enabling employees to use personal devices at work,” 83 percent of IT respondents cited “security concerns.” Data loss was not far behind.
New Technology, New Threats (Or More Likely, Old Threats Tweaked into New Threats)
Security threats, and the unsavory individuals who perpetrate them, will seemingly always find a way to infect devices and different platform environments (like VMware, for example) for their own nefarious purposes, just as they did in the early days with PCs. They do so with customized versions of old favorites and new versions tailored for specific uses. These include but are not limited to:
- SMS spoofing
- Toll Fraud
Throw in human error – the loss or theft of mobile devices containing sensitive business or personal data, or the introduction of security threats when unsuspecting employees download malicious material, e-mail, and applications – and a troubling reality becomes worse yet.
However, since mobile devices first became prevalent in IT workplaces, there have been (and perhaps still are) indications that these threats, at least in the earliest days, may not have been addressed with the same enthusiasm and earnestness as those associated with PCs and laptops. It didn’t take long, though, before many enterprises began reevaluating their mobile device security best practices as BYOD took hold, security issues multiplied, and revenue and data leaks became more frequent.
Mobile Device Security Best Practices (Because Employees Can Be Worse Than Hackers)
Writing (or re-writing) best practices for IT enterprises can be a difficult proposition even when objectives are clear and well defined and the threats, risks and shortcomings are obvious. This endeavor becomes that much more tenuous when the catalyst for the change is outside the normal sphere of the enterprise, when the consumerization of the technology is the driving force. With BYOD, the threats are ever-changing, and the end result, while now well defined (how to effectively enforce security without compromising the usability of the device), is increasingly difficult to achieve because of the novelty and ever-morphing nature of the model that prompted the re-write in the first place.
While more and more enterprises are welcoming BYOD, best practices and how they are implemented may vary a bit from organization to organization. Regardless, it is critical that proponents of BYOD and those who engage in the practice adhere to the same corporate security policies as any other device user, and that proper identity and access/usage management processes are in place to ensure the security and integrity of the organization. These might include, though are certainly not limited to:
- Determining how the device is used, from both a personal and business standpoint, and separating the two
- Determining what limitations on usage must be imposed to achieve the end result of improved security
- Determining what policies must be developed and implemented to assure proper compliance
- Developing and initiating a thorough and regularly administered employee awareness and responsibility training program
- Regularly monitoring device activity
- Requiring devices with strong security controls (like encryption) and requiring employees to use those controls
- Requiring device authentication and requiring employees to actually turn it on
- Developing and setting unique firewall capabilities to allow employees access only to data they actually need and use
Mobile Security Software (The Gift That Keeps on Giving, Provided You Have The $$$)
Many PC anti-virus companies have been the first to address this growing security concern and have ramped up efforts of late to market their mobile security wares to mobile device consumers. Whether this sort of software can be deemed “essential” to the enterprise is still open to debate, but for about $25-$35 per year (per employee/device) enterprises can buy a subscription which provides:
- anti-virus protection
- anti-spam protection
- anti-spyware protection
- backup data storage
- technology to locate a lost or stolen mobile device
- safe browsing
- remote locking for missing devices
- the capability to remotely wipe clean all sensitive data contained within a device no longer in the hands of the owner
- “containerization” within an encrypted zone on the device
While it may rankle some of the ‘old guard’ in the IT industry, the use of personal mobile devices in the workplace is likely here to stay. Indeed, to say BYOD has caused businesses to rethink the way they procure and manage IT equipment and services is a bit of an understatement.
Therefore, responding effectively to the BYOD phenomenon and all it entails could mean the difference between an enterprise staying at the forefront of the industry, with little to no down time in performing the services it was designed to perform, and wallowing in a sea of uncertainty, discord, and inevitable financial and emotional expenditure brought on by something as simple as leaving a mobile device in a taxi or downloading a malicious app.
As enterprises have become increasingly dependent upon other consumerized services such as search, mapping, and social media, perhaps with time dependence on BYOD and the need to properly manage it will become as acute, if it hasn’t already.
As with any other trend, only time will tell.