Bring Your Own Device – The Security Hole in Everyone’s Pocket?
The arrival and use of personal mobile devices in the workplace (Bring Your Own Device) is now a cause for concern. How should firms counter the security threats that the use of personal mobile devices creates?
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) refers to the policy of allowing employees to bring personally owned mobile devices (laptops, tablets, smartphones and so on) into the workplace and to use those devices to access their firm’s information and data services.
In many ways the arrival of mobile devices in the workplace was inevitable, and some in the industry have always seen Bring Your Own Device less as an IT initiative than as a corporate policy retro-fitted in the face of an unstoppable wave of consumer empowerment.
The Bring Your Own Device movement gained traction with larger enterprises around five years ago. It promised working flexibility and cost savings, removing IT capital costs from corporate budgets and allowing employees to access work irrespective of location and time.
Privacy and Cost
Recent surveys indicate that employee mobility, satisfaction and productivity are now considered the primary drivers, ahead of cost reduction (see footer link), which suggests a more mature attitude toward the approach.
However, the movement has brought with it some acute security problems: Dell claimed back in 2013 that over half of firms with BYOD policies had suffered a security breach, and today security concerns are cited as the greatest inhibitor to adoption.
Cost savings, initially an important driver, have proved less attractive than first thought, as the hidden costs of IT help desk resources and of managing the resulting security threats have become apparent.
A further issue is employee privacy. If the device is owned by the employee, what right does the firm have to dictate which applications are installed, and what right does it have to monitor them? And when an employee leaves, how does the firm ensure that its own data is wiped from the device?
In larger firms many of these issues have been addressed through a combination of greater control over users’ mobile devices, achieved through subsidy and other inducements, and the application of data-centric security measures.
Bring Your Own Recommended Device (BYORD)
Greater control comes through a variation on the BYOD theme. Under a more managed Bring Your Own Recommended Device (BYORD) regime, personal devices can be treated as “light touch IT” devices.
A user chooses their own device from a list of certified and supported devices. The firm can subsidise these devices; in return it can insist on password protection, device encryption, remote wipe and the ability to remove the firm’s data from the device. Under this framework it is easier to justify locking non-compliant devices out of the firm’s network.
At the smaller end of the business scale, however, the resource overhead and administrative cost of BYORD could prove too high a barrier to adoption.
Indeed, small firms will likely be allowing mobile devices into the workplace by default, with little concern, given how ubiquitous the devices are at home.
The security implications are still real though, even for smaller firms.
Data Segregation and Access Permissions
In this environment, data segregation and access controls represent a cost-effective and proportionate response for the small firm. The firm can allow any type of device to be used by employees as long as it is registered; registered devices are then granted limited access to the firm’s data based on the owner’s role and on the security risk the device is judged to present.
Such data-centric methods require the firm to start segregating its data along lines of sensitivity or departmental ownership; access can then be granted to users on a per-device or even a per-location basis.
An example might be a policy that no tablet or smartphone in the registered device “inventory” may access the firm’s financial data, although they can retrieve email and personal working documents. Devices could be further locked down to email only when outside the firm’s own network. Because the firm does not control a personal device, such a policy has to be enforced where the data is served (the mail server, VPN or file share), keyed on the device’s registered identity, rather than relying on the device to restrain itself.
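The following is an added example, not code from the original article, showing how the BYORD posture requirements (passcode, encryption, remote wipe) and the device- and location-based data segregation policy described above can be expressed as one access decision taken at the gateway. The device records, the role names "finance" and "staff", the three data classes and the ceilings in the tables are all constructed for illustration; a real deployment would populate them from its own inventory and data classification.

```python
"""Registered-device inventory, posture check and device-aware access policy.

Constructed example: devices, roles, data classes and ceilings below are
illustrative and not taken from any real deployment.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Data segregated along lines of sensitivity (constructed classes).
EMAIL, DOCS, FINANCE = "email", "documents", "financial"

# Role ceiling: what a role may ever see, whatever the device (assumed roles).
ROLE_CEILING: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({EMAIL, DOCS, FINANCE}),
    "staff": frozenset({EMAIL, DOCS}),
}

# Device ceiling, keyed by (device kind, location).  Tablets and phones never
# reach financial data, and off the firm's network they are limited to email.
DEVICE_CEILING: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("laptop", "internal"): frozenset({EMAIL, DOCS, FINANCE}),
    ("laptop", "external"): frozenset({EMAIL, DOCS}),
    ("tablet", "internal"): frozenset({EMAIL, DOCS}),
    ("tablet", "external"): frozenset({EMAIL}),
    ("phone", "internal"): frozenset({EMAIL, DOCS}),
    ("phone", "external"): frozenset({EMAIL}),
}


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    kind: str  # "laptop", "tablet" or "phone"
    has_passcode: bool
    encrypted: bool
    remote_wipe_enrolled: bool


def posture_ok(device: Device) -> bool:
    """The BYORD minimum: passcode, storage encryption and remote wipe."""
    return device.has_passcode and device.encrypted and device.remote_wipe_enrolled


class Inventory:
    """The firm's register of personally owned devices."""

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    def register(self, device: Device) -> None:
        self._devices[device.device_id] = device

    def lookup(self, device_id: str) -> Optional[Device]:
        return self._devices.get(device_id)

    def offboard(self, owner: str) -> List[str]:
        """Drop a leaver's devices; returns the ids to send a remote wipe to."""
        gone = [d.device_id for d in self._devices.values() if d.owner == owner]
        for device_id in gone:
            del self._devices[device_id]
        return gone


def authorize(inventory: Inventory, device_id: str, role: str,
              location: str, data_class: str) -> Tuple[bool, str]:
    """Decide one access request at the gateway (mail server, VPN, file share).

    The decision is taken server-side because the firm does not control the
    device.  Unregistered devices get nothing; registered devices that fail
    the posture check are locked out; otherwise the request must fall within
    both the role ceiling and the device/location ceiling.
    """
    device = inventory.lookup(device_id)
    if device is None:
        return False, "device not registered"
    if not posture_ok(device):
        return False, "device fails posture check"
    if location not in ("internal", "external"):
        return False, "unknown location"
    permitted = (ROLE_CEILING.get(role, frozenset())
                 & DEVICE_CEILING.get((device.kind, location), frozenset()))
    if data_class in permitted:
        return True, "allowed"
    return False, f"{data_class} not permitted for {role} on {device.kind} ({location})"


def sample_inventory() -> Inventory:
    """Constructed sample: two compliant devices and one without a passcode."""
    inv = Inventory()
    inv.register(Device("lap-01", "alice", "laptop", True, True, True))
    inv.register(Device("tab-02", "alice", "tablet", True, True, True))
    inv.register(Device("ph-03", "bob", "phone", False, True, True))
    return inv


if __name__ == "__main__":
    inv = sample_inventory()
    for req in [("lap-01", "finance", "internal", FINANCE),
                ("tab-02", "finance", "internal", FINANCE),
                ("tab-02", "finance", "external", DOCS),
                ("ph-03", "staff", "internal", EMAIL),
                ("xx-99", "staff", "internal", EMAIL)]:
        print(req, authorize(inv, *req))
    print("offboard alice -> wipe", inv.offboard("alice"))
```

The two ceilings are intersected rather than chained so that a finance user on a tablet is held to the tablet's limits, and a staff user on a fully managed laptop is still held to the staff role's limits; the offboarding step returns the device ids the firm still needs to issue a remote wipe to once the leaver's access has been revoked.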
In fact, it has always been good security practice to allow users access only to the data they need to fulfil their functions. Internal data segregation reduces the likelihood of any one data breach handing the attacker the keys to the whole castle.
Segregating data and granting each device access to a reduced subset of it is a sensible and cost-effective precaution for a small firm against breaches arising from the unstoppable growth of personal devices in the workplace, and it brings with it the benefit of better information security management within the firm itself.