Bring your Own Device
Category : IT Security Strategies
Whether it’s vacation season or not, the demand for mobility in business in general has been growing steadily, fueling the adoption of the Bring Your Own Device (BYOD) movement. If your business is ready to embrace the rewards of BYOD (think happier, more productive employees), it’s time to get serious about mitigating the risks that come along with allowing personal devices to access your company network.
Let’s explore BYOD’s evolution; take a look at the risks and rewards of embracing BYOD; and then take a deeper dive into how to balance it all so that you and your employees can enjoy the best of both worlds. If you want to see our interactive webinar where we discuss BYOD, visit our community post here.
BYOD 1.0 is roughly defined as occurring from 2009 to 2012, but you could argue that it all started back in 2007 when more and more business professionals began switching from their BlackBerry® devices to the newly-introduced iPhones®. When BlackBerry ruled the business mobility scene, security was much easier for the Information Technology (IT) department. IT purchased, distributed and managed the devices for employees. At this stage, IT only had to concern itself with protecting two things:
1) The device itself and any data stored on it. (Known as Mobile Device Management, or MDM.)
2) The connection between the device and the corporate network. (Known as Virtual Private Network, or VPN.)
While this may seem easy as compared to today’s BYOD challenges, it actually caused frustration for both IT and employees, and here’s why. With BYOD 1.0, it was all or nothing, meaning IT had to protect the entire device and any data and activity on it. There was no way to hone in on the company data and leave an employee’s personal data and activity alone.
Most people don’t want to have a phone for work and a phone for all the other times. It’s too much of a hassle! So what naturally happened was company-issued BlackBerries and other devices were used for both work and play. (As someone who had a BlackBerry back in the day, I’ll admit to this!) But that meant the company could invade your privacy whenever it wanted. And, if you left the company, the IT department would ‘wipe’ your device, so along with all your company data and applications went your personal data (photos, etc.) and apps. It’d all be gone.
IT did not want to see any evil or hear any evil. In fact, IT did not want to be bothered with an employee’s personal data and apps! To them, this only introduced a new challenge: how to protect the device from potentially harmful web browsing by the employee.
In short, BYOD 1.0 left both employees and IT wanting. Enter BYOD 2.0.
From about 2013 on, we’ve been living in the 2.0 version of BYOD. The biggest difference between BYOD 1.0 and BYOD 2.0 is the ability to provide security to only the company’s data, apps and network access and leave the employee’s personal data, web browsing and apps alone. This has been accomplished by changing the focus from device protection to application protection. Remember Mobile Device Management, or MDM, from 1.0? That has now been replaced by Mobile Application Management, or MAM. With BYOD 2.0, both groups are happy. Employees are no longer concerned with their company infringing on their privacy. IT is also happy because they can now focus making sure the business’ data, applications and network are all locked down and secure.
Weighing the Risks and the Rewards
If you want your staff to be happier and more productive, BYOD is definitely the way to go. Studies have shown:
- Employees whose companies embrace BYOD work up to 20 additional hours per week, unpaid1.
- 92 percent of these newly-mobile workers “enjoy their job flexibility” so much so that they are “content” with working the additional hours.
- On top of that, 42 percent of business professionals would like “even greater flexibility for their working practices.”
- Companies realize cost-savings in two ways: reducing or eliminating the capital expense of purchasing mobile devices and reducing or eliminating the monthly service costs.
- When companies embrace BYOD, the IT department is re-branded as innovative and forward-thinking, which many times carries over to the entire organization’s brand.
Those are all positives, but here are the downsides:
- 76 percent of business professionals believe that BYOD introduces serious risks2.
- Only 39 are prepared to mitigate the risks.
- 59 percent of organizations had increased malware infections over the past 12 months because of unsecured laptops, smartphones, and tablets.
Overcoming ‘Different’ Challenges
Back in BYOD 1.0, there was typically one kind of device, from one vendor, serviced by one carrier. But that’s when IT bought, owned and managed everything. Now that employees are brining different brands of smartphones, tablets and laptops, which they purchased from different places, and running them on different carriers’ networks, the complexity has multiplied. While it may seem overwhelming, it doesn’t have to be. All you have to do is create what’s called dynamic policy enforcement which gives you flexible security over company data and applications.
Different Strokes for Different Folks
As with everything else in life, it all depends on who you are. Based on how complex your data storage and data center services are, you’ll require different types of mobile device security. Here’s a quick cheat sheet:
- Have a traditional data center set-up? Control access with a VPN gateway.
- Use an Infrastructure as a Service (IaaS) public cloud offering, (such as Amazon EC2)? Control access with a VPN gateway and secure applications by hosting them on virtual servers.
- Use a Software as a Service (SaaS) offering? Skip the VPN but still enforce identification and authorization to access corporate data.
It’s no longer enough to secure the device itself. If employees are using their own devices to access your network, you need a solution that extends beyond data and apps on devices into wherever you store your company’s data, whether that be in cloud-based services such IaaS or SaaS, or in your own data center. Look for a mobile device service provider who combines mobile and access management into one service. And look for a provider who can offer all the security you need, including authentication and authorization, data-at-rest security, and data-in-transit security, among others.
The Key Lessons
- Determine your company’s BYOD goals before worrying about the risks.
- Don’t let your employees become secret hackers.
- If your IT team has no idea what harboring rootkits, keyloggers , data-at-rest and data-in-transit security are, hire an expert.
Your employees want to use their smartphones and other personal devices for two things: 1) they want to store and use your company data outside of work, and 2) they want to conduct business, which often requires accessing your company network and services (think email!). As you’ve seen, the rewards are great but the risks can be, too if you don’t know how to properly secure your company’s proprietary information and safeguard against employees accidentally introducing harmful malware into your network. Knowledge is power so they say, and it certainly rings true with BYOD. The more you know, the more you can balance the risks and rewards and reap all the benefits without worrying about the unwanted repercussions.
1. 2012 Mobile Workforce Report from enterprise WiFi access firm iPass
2. Poneman Institute/Websense survey