Bring Your Own Device: The Security Checklist

With personal mobile devices now increasingly accessing the corporate network, security, IT and risk managers are faced with a huge logistical challenge: how to protect the business infrastructure and its valuable data. Anders Lofgren offers them some timely advice.

Very few of us would dispute that Bring Your Own Device (BYOD) is graduating into a fully-fledged corporate phenomenon, with the use of tablets and smart phones becoming more widespread among enterprise employees. The digital revolution has turned the way in which we work on its head and radically transformed the office space.

Mobility in the workplace isn’t only impacting on the larger enterprises, either. All businesses, including SMEs, are benefiting from the mobile revolution in terms of productivity, the increased availability of data and enhanced employee/consumer engagement.

Suddenly, for many of us work is no longer about a set location. With access to the right set of mobility tools and data, the job can be carried out from any location.

Consumer file-sharing services such as Dropbox and Box are also becoming commonplace. Employees are able to store data in these simple online virtual storage utilities, making the files accessible from anywhere.

Coupled with mobile devices, those same file-sharing services have brought about a sea change in productivity for employers and employees alike. The most up-to-date files are always available wherever there’s an Internet connection and data is stored in the cloud, regardless of the hardware being inadvertently lost, stolen or destroyed.

Challenges realised by BYOD

Gartner has predicted that as many as 50% of employers will require their employees to use their own devices for work by 2017.

With personal devices now accessing the corporate network, the IT security/risk manager is faced with a huge security challenge: how to protect the business infrastructure and its valuable corporate data.

Mobile devices undoubtedly pose a real threat to sensitive business information and applications. In the modern age, institutions can be left wide open to enterprise risk wherein sensitive data may be lost or duplicated.

As demand grows from end users and organisations to exploit the increased power of their smart phones and tablets to access and interact with content, it’s very much the case that the security challenge worsens. Work documents may find themselves saved on the servers of Dropbox, Box and SkyDrive instead of the secure corporate infrastructure. Without an appropriate strategy that enables access to (as well as the syncing and sharing of) content in a secure and safe fashion, organisations are at risk from data leakages.

If users e-mail files to themselves, use unauthorised third party apps to edit documents and other files or rely on consumer-grade solutions like Dropbox to sync files across devices and share them with others, then suddenly none of the data is protected.

These ad hoc, ‘guerrilla’-style approaches to accessing, syncing and sharing data leave security managers with no visibility on what files are moving in and out, where they have been, if they have been changed, whether copies have been made and who may be sharing them. This is of particular concern, for example, on those occasions when employees leave an organisation.

Therefore, it’s a top priority for IT, risk and security managers to know exactly who’s accessing what files and with whom they are sharing them. IT has to maintain security and put in place Best Practice procedures for file sharing in a workgroup environment. Losing control of data could mean that everything from financial details to competitive proprietary information may be disclosed, with reputational damage – or, in the worst-case scenario, non-viability of the business – the potential fall-out.

Addressing the security issues

It’s possible to securely and safely manage the security risks posed by BYOD while also enabling employees to ‘get the job done’ anywhere, anytime and from any device.

Comprehensive access, sync and share solutions are available that balance the employee’s need for consumer-grade simplicity with enterprise-grade control, security and management for the employer.

When evaluating such solutions, risk managers should consider a number of features – such as on-premise deployment – for the greatest amount of control and security without sacrificing user flexibility. Active Directory integration ensures seamless authentication, provisioning and management.

Other factors to look at are policy setting (to create security policies for content, users and devices), encryption (to protect data in transit and on the device), remote wipe (to protect corporate data if a device is lost or stolen) and audit logs (to see what users are doing, the documents they access and with whom they’re being shared). The provision of ‘in-app’ Office document editing and PDF annotation within the secure sandbox also eliminates data leakage and improves user productivity.

Security strategies need to balance the needs of users with the enterprise’s desire to stay in control and address security, management, compliance and visibility. Organisations should evaluate solutions to ensure they support the integration of diverse computing platforms and devices into their existing and complex enterprise environments.

If you want to keep employees happy you need to bin any Draconian anti-BYOD policies. Not only will you have miserable employees on your payroll, but you’ll also find it nigh on impossible to enforce such policies.

Instead, focus on creating a user experience workflow around tools they’ll enjoy using. Choose applications that are not training-intensive. If the tools are intuitive, training will be minimal. In addition, you will not waste time and money instructing employees in the use of tools they will do anything to avoid.

Don’t dictate devices. Provide access across all the devices your employees use, be they netbooks, iPhones, tablets or Android smart phones. As long as they can do their work on these devices, let the employees do just that and build them into a secure environment.

How to make security ‘invisible’

The key is to make security ‘invisible’. Consumer cloud services are attractive to employees because they’re so easy to use, whereas some enterprise collaboration tools are complex and make security the priority. Of course security is very important, but the experience has to be seamless for the end user.

Security and a positive user experience can actually be complementary. Providing employees with secure solutions they will use makes it easier for them to be compliant and is the best way forward when it comes to protecting the host organisation’s data.

BYOD is an unstoppable force. The challenge is to create a strategy that wraps around the ‘work anywhere, anytime’ ethos and embraces the opportunities this brings while also retaining control of company data.

Security managers that strike while the iron’s hot will reap the business benefits both immediately and in the years to come.

Anders Lofgren is Vice-President of Product Management at Acronis Access

 

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
