For business owners and IT managers, whether and how you let employees use personal smart phones and tablets at work is a growing concern. BYOD, or Bring Your Own Device, has taken center stage.
With many companies struggling to decrease operational costs, the IT department is tasked with deciding if BYOD is cost-effective and secure. In one NetworkWorld special report series, this concept is predicted to ‘bedevil IT security’.
Although it may appear as though you’re saving money by having employees buy their own mobile devices, there are management costs that may not be to your advantage. One analyst notes that telecom rate plans cost less through traditional company contract negotiations than through individual contracts. As for cost-savings, “the jury is still out on BYOD” says an IT security risk manager at PricewaterhouseCoopers, who thinks the BYOD promise of cost-savings is largely unrealized.
Consider the cost to your company if data is compromised. If you’re in a regulated industry, the cost could be huge. You might save money on user device hardware, but the fines and reputation loss could be devastating.
Five steps to greater infrastructure security using BYOD:
The main goal has to be data security on the device and having a way to validate security through risk assessments.
In regulated industries such as healthcare and finance, BYOD mobile device audits are common practice. Unfortunately, businesses are thinking about these questions only after they’ve implemented BYOD practices.
Twenty-seven percent of those surveyed said they’ll allow fully managed and secured devices to utilize corporate services, while twenty-four percent said they didn’t think the devices could be fully secured.
If you’re trying to cut costs via the BYOD option, you have many considerations before implementing your policies.
Standardization. Adding more access methods can weaken security. Consider a standard for security controls by implementing virtual desktops where a user can log into an emulated desktop computer and still gain access to their core business applications and tools. No software installation is required on the end device, and restrictions can be placed on systems so the user can neither install other applications nor change the system to induce vulnerabilities. This option adds up-front costs to the company or data center for a server and licenses, and results in increased data security. It can also be used with a majority of device types and manufacturers.
Common delivery methods. Companies utilize a variety of delivery methods to access data. In many cases, SSL (secure socket layer) and SSTP (secure socket tunneling protocol) are sufficient for secure data access; are widely used along most device types and can be accessed anywhere; and allow for network traffic auditing. Similarly, secure web based repositories (Cloud applications) offer additional auditing features and business tools.
Access controls. Access control decisions are usually based on the user’s job role and access needed. These roles define what a user does while connected and are mapped to groups with specific permissions. With restrictions in place, certain data can be accessed on approved devices such as company laptops or mobile phones, and can be denied to devices that don’t have the latest virus definitions and software patches.
Data containment. If your organization is BYOD friendly without user restrictions, it’s almost certain that company data exists on personal devices. This is a concern for the company as well as the device owner. Companies risk data loss if personal devices are shared or stolen. Individuals are concerned that company data on their devices could result in seizure if the data is part of a legal situation. The best method is to ensure that company data does not reside on personal devices. Using device encryption and remote wiping technology offers a level of assurance that erroneous data will not be compromised, and provides the company with time to obtain data from a missing device and erase it remotely.
Ultimately, BYOD can create significant savings in equipment and support costs and can improve employee satisfaction through the use of personal devices, but it comes with security considerations that should not be taken lightly.