Aug 07, 2018
Do you login to your business email account on your personal mobile? Do work on a personal laptop? Access company software from your tablet?
If you're like most organisation employees, the answer is a resounding yes, and you're a part of the BYOD (bring your own device) movement.
What is BYOD?
Where before, organisations would typically provide their employees with specific equipment to use at work, people are increasingly using their personal devices instead. Employees are increasingly using their own personal mobiles for business calls, laptops for getting work done and more. This is known as the BYOD movement. Quite simply, where before organisations had full control over the devices their employees used to do work, now more and more employees expect to be able to use whatever device they want -- personal or company -- wherever they are.
Why is BYOD a Risk to Organisation Security?
BYOD brings lots of benefits to organisations, for example they can invest less in hardware, enable employees to more readily work from anywhere in the world and keep in touch with employees easier outside of standard working hours. These key benefits are all unfortunately at the expense of organisation security.
Some of the threats to organisation security BYOD imposes include:
Insecure Application Usage
When a company owns and controls a device, it can determine which applications are able to be used, and which aren't. When employees use their own devices, they can install any applications they want.
This can be a big risk to organisation security -- what if a user installs an application specifically designed to steal confidential data from your user's device? Or to log keystrokes so that attackers can gain access to key systems?
Your employees devices will occasionally get lost and stolen. Occasionally becomes "frequently", as soon as an organisation reaches reasonable scale. If devices aren't properly secured by your employees, then confidential information could be leaked, or access to organisation systems be granted to anyone who gets their hand on the device.
Access From Non-Employees
Many personal devices are used by more than one person. Laptops may be used by an employee's husband, for example, or a tablet might be used by an employee's daughter to play their favourite games. This presents a risk -- what if another user accidentally shares confidential information, or an employee fails to logout of a secure application?
Your employees could be connecting to networks anywhere. This means coffee shops, at home and airports as well as your offices. These networks cannot always be trusted, and your employees being connected to them could pose a security risk. If communication between your organisation and its employees devices is not encrypted, then information is susceptible to being intercepted by unfriendly networks.
What Can Organisations Do to Reduce Risk?
The most important thing for organisations to do is to embrace BYOD, rather than try to oppose it. The trend of consumers using devices for both work and personal use is only moving in one direction, and imposing policies that prevent people from using their own devices is likely to have a negative impact on employees, and productivity.
In terms of specific actions organisations can take to improve security:
Develop A BYOD Policy
The most important aspect of managing the impact of BYOD on your organisation's security is developing an easy to understand BYOD policy. Your policy needs to be easy to access; easy to understand and allow for employees to give feedback, so you can align employee best interests with security.
At a minimum, you need to ensure that:
- Employees adequately secure their devices, with passwords, and preferably two-factor authentication where possible.
- Employees understand what makes a strong password. Weak passwords are a major concern.
- Employees are educated when it comes to application usage, download/installation best practices and things to watch out for.
- Your policy is compliant with data protection and related laws.
- Best practices for lost/stolen devices are established. At a minimum, employees need to report stolen/lost devices to the appropriate people, so that action can be taken to minimise security risk.
- Employees are clear on what third-party usage is allows. Can employees let their kids use their phones? If they do, what do they need to ensure when doing so?
- Employees understand best practices for using insecure networks, in places like coffee shops.
Protect Organisation Applications
When your organisation develops its own applications to be used on employee-owned devices, security needs to be considered as priority. Security needs to be thought about both in terms of what security risks are posed by an employee using an application, but also what a non-trusted third party could do if they gained access to the device.
Your organisation needs to think about how its applications will be used, and also the risk posed by other applications on the same device that could access its data.
Restrict Local Storage of Confidential Data
Never store data locally on an employee's device, unless it's essential. When confidential data is stored on a user's device, make sure that it is appropriately encrypted, and unavailable to other applications.
Use Appropriate Security Software
Software providers like Good are developing numerous solutions to help companies manage the risk of BYOD. Some of the software your organisation should consider implementing include:
- Application wrapping/containerisation - This software ensures that any applications you develop are used in isolation on the end user's device, and prevents access to data from other applications. Application wrapping is vital for secure application development.
- Mobile content management - Secure content management solutions allow your organisation to determine how information is stored in the cloud, and how employees can interact with this information on their devices. Many solutions will also encrypt all data stored locally out of the box.
- Mobile identity & access management - Solutions can ensure that your employees have to use two-factor authentication to access secure data, and single sign-on to make logging into systems across multiple devices simple for employees.
BYOD can dramtically improve productivity within your organisation, but it's important not to forget the security risks all these devices impose. Think carefully about your organisation's BYOD strategy, and you'll minimise the risks to information security, whilst maximising the benefits.