Connecting into BYOD Security
Written by Kristin Ziska
Preparing for work in the morning, many people don’t think twice about checking their email or work calendar on their smartphones before heading off to the office. For many, preparation for the next day includes reviewing documents on their personal tablet as they watch TV on their couch or running through a meeting’s important ideas as they sit in a vendor’s waiting room. Using a personally owned device to access business information poses some serious risks and some fantastic benefits that companies need to think about and weigh as they decide how to deal with the Bring Your Own Device (BYOD) movement.
BYOD has been defined as “use of employee-owned mobile devices such as smartphones and tablets to access business enterprise content or networks” (Long, n.d.). According to Dimensional Research (2013), over ninety percent of individuals surveyed have a mobile device connected to the company network. Individuals choose to use personal mobile devices for multiple reasons: brand preference, operating system preference, lack of corporate supply, and convenience. No matter the reasoning, the use of personal technology for entity business has solidified itself in modern corporate culture and must be addressed by information security policy.
The number of personal devices being connected to company networks and used to access company information is steadily increasing. This means that companies, as they review their information security policies, will need to take BYOD users into account. Companies will need to realize that they may become part of the 79% of companies surveyed by Dimensional Research (2013) that had mobile incidents. These policies are imperative as “employers may be concerned with protecting their reputation or brand integrity. They may also need to protect proprietary information, trade secrets, or other confidential information” (Privacy Rights Clearinghouse, 2014).
Challenges that are unique to BYOD devices are as varied as the devices being connected. Issues include reduced security due to jailbreaking, bypassed restrictions, adware/spyware, increased appearance of malware, use of cloud-based storage, lack of attention to user agreements, failure to complete security updates, and loss or theft of the device. Even users themselves can be considered an issue, as a mobile device allows them to take information and share it willingly with competitors and outsiders. These issues leave human resource, financial, privileged, proprietary, and client/marketing information open to compromise (Phneah, 2014; Privacy Rights Clearinghouse, 2014; Shacklett, 2012; Westervelt, 2013).
Policymakers can avoid these issues by asking some simple questions. What data do they want allowed on private devices? What type of encryption do they want to enforce? How do they want the information stored on private devices? How should the information be transferred? Once these questions are answered, the policymaking will have direction and will address the main issues with BYOD situations (Long, n.d.).
BYOD agreements, which can be implemented as a separate policy or as a part of an employment agreement, should include several key ideas. One main idea is to give the user the responsibility to keep software updated and the device in good repair, which minimizes security risks and places the financial strain of doing so upon the individual user. The entity should have the ability to approve or disapprove apps, and the user would be responsible for the removal of disapproved apps upon request by the entity. Entities should have the ability to disallow access to the network for jailbroken devices and devices with disapproved apps. Most of all, the policy agreement should outline specific consequences for breaking the agreement (Phifer, 2013).
BYOD situations are a fantastic opportunity for individuals to utilize technology that they are comfortable with to increase production and continue to stay on top of the ever-changing technological climate. Companies can easily embrace the benefits of this situation by taking the necessary steps and asking the tough questions to create policies that are resilient enough to keep up with advances and unimposing enough to be followed by employees without undue duress. As mobile technology advances, it will be up to the company policymakers to ensure that data is protected and secured, which begins with individual information security awareness.
Dimensional Research. (2013, June). The Impact of Mobile Devices on Information Security: A Survey of IT Professionals. Retrieved from http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report2013.pdf
Long, W. (n.d.). BYOD: data protection and information security issues. Retrieved from http://www.computerweekly.com/opinion/BYOD-data-protection-and-information-security-issues
Phifer, L. (2013, January). BYOD security strategies: Balancing BYOD risks and rewards. Retrieved from http://searchsecurity.techtarget.com/feature/BYOD-security-strategies-Balancing-BYOD-risks-and-rewards
Phneah, E. (2014, February 4). Five security risks of moving data in BYOD era. ZDNet. Retrieved from http://www.zdnet.com/five-security-risks-of-moving-data-in-byod-era-7000010665/
Privacy Rights Clearinghouse. (2014, October). Bring Your Own Device . . . at Your Own Risk. Retrieved November 15, 2014, from https://www.privacyrights.org/bring-your-own-device-risks
Shacklett, M. (2012, August 20). 10 BYOD concerns that go beyond security issues. TechRepublic. Retrieved from http://www.techrepublic.com/blog/10-things/10-byod-concerns-that-go-beyond-security-issues/
Westervelt, R. (2013, July 26). Top 10 BYOD Risks Facing The Enterprise. CRN. Retrieved from http://www.crn.com/slide-shows/security/240157796/top-10-byod-risks-facing-the-enterprise.htm/pgno/0/1