BYOD: How to stop it from becoming Bring Your Own Disaster
Mark Cross has been the Senior Business Analyst of ‘North Highland’ for 2 years now. He arrives at his office every day with a plan in mind of what he needs to do for the day. On the way to the office, Cross holds his smart-phone at all times and checks his mail for any new development on a certain project. In his rucksack, he usually carries a laptop in case he needs a bigger screen when out of the office. He has desktop computers both at work and at home, so he can be productive anytime. Cross is not alone: many working professionals these days carry their own devices to be productive at all times and in any place.
While organizations allow employees to use their own smart-phones, tablets, and laptops to access company resources, these devices have become a particular headache for IT security professionals. Mobile security breaches continue to make the news almost daily. Intel Security’s Q1 report also revealed the rising threats posed by mobile hacks. New mobile malware samples grew 17 per cent from Q4 2015 to more than to almost 1.75 million, while total malware samples grew 23 per cent and 113 per cent over the past year to around 9.5 million.
The mobile enterprise nevertheless continues to evolve, with wearables and other IoT devices plugging into enterprise networks, and workloads and data being deployed in the cloud to make the data secure. So what measures can an organization employ to stop BYOD from becoming Bring Your Own Disaster? We shall discuss!
The Risk Landscape
Considering the risk landscape, and the issues to reflect on in a BYOD deployment, at an early stage is the key to a secure and successful rollout.
Organization’s risk profile
The way an organization defines and treats information security risks plays a chief role in choosing the proper security controls to employ.
Considering BYOD-use cases
The types of data and functionality that are exposed through BYOD use must be taken into consideration. A retail deployment that allows credit card processing would need PCI-DSS compliance on the devices, and a healthcare setup would need HIPAA compliance. Devices that comply with these frameworks would include stronger and more rigorous controls than non-compliant devices. There is no “one size fits all” use case; all cases have to be considered.
Geographic distribution of devices would mean complying with different regionally applicable legislation. This affects the legal workload and nature of the security controls as different frameworks and legislations would have different criteria.
Managing support for BYOD
A BYOD approach increases an organization's management effort manifold. Keeping mobile operating systems’ software up to date, maintaining an accurate inventory of the mobile devices, and supporting the increasing number of device types suddenly become vital. A BYOD approach can be supported through several steps.
Enforcing an appropriate BYOD support and usage policy
Employees who bring their own devices need a clear guideline to follow. Creating and enforcing an appropriate BYOD support and usage policy can go a long way in protecting the data on user-owned devices.
Including secure provisioning
Existing support processes need to be revamped to include provisioning and de-provisioning of devices in a secure way. This will also increase the level of self-help processes.
Lack of user security awareness is the primary contributor to several of the BYOD risks being realized in the organization. Maintaining awareness and good support procedures for handling device loss is critical to the security of the data on the devices. A patch education process must be created to encourage users to keep their mobile devices updated.
Social support mechanism
Existing IT support teams need to be augmented to cope with the rising number of users following the BYOD approach. Introducing a social support mechanism will help by extending the reach of IT support.
Advances in mobile device security features
Organizations will be better-equipped to deal with incoming and unforeseen challenges to their security by adopting strategies that are scalable and flexible, and taking advantage of novel security features.
Some of the large mobile device developers have built a native ability to keep work and personal environments sandboxed and securely separated from each other. It allows end users to use the device as they desire, while allowing an enterprise to manage the work environment to the degree that it sees fit.
Virtualized environment providers are continuing to develop their offerings in order to customize access and experience based on identity. Fully featured desktop apps are not usable nowadays within a mobile environment. This helps secure the data in the app and also supports smooth use of the application.
BYOD endpoint security
Newly updated endpoint security products offer management and monitoring services through administrative consoles and policy managers. Certain providers are also developing new anti-malware solutions for virtual machines, virtual desktops and the data center. The main focus is on deploying endpoint anti-malware capabilities for mobile operating systems and integrating them into the MDM platform, giving enterprises dashboard monitoring capabilities for mobile malware.
BYOD is here to stay because employees are generally more productive under this regime. EMM suites provide the tools for IT departments to manage and secure the resulting heterogeneous collection of devices, with alternative approaches like Workspace-as-a-Service (WaaS) available to deliver applications and data. Employees may not appreciate tight IT control over their laptops, tablets and smart-phones, but without it cyber-attackers will increasingly turn to mobile devices as a route into enterprise networks.
By leveraging industry leading practices, integrating a thoughtful BYOD policy and adopting strategies that are flexible and scalable, organizations will be better equipped to deal with incoming challenges to their security infrastructure posed by the use of employees’ own devices.
The introduction of appropriate procedures and regular testing will help organizations become smarter and make their employees more aware of the challenges that the use of personal devices poses for the entire enterprise.