Look at risk before leaping into BYOD, report cautions

Risk management critical to skirting pitfalls of permitting personal devices in the office

Before rushing into allowing employees to do their jobs on their personal devices, organizations need to diligently address the unique risks of that practice, cautioned a report by an international cybersecurity information organization.

When businesses push Bring Your Own Device (BYOD) programs into place too quickly, risk management is often neglected or rushed, leaving organizations with both unknown and unnecessary risks, the Information Security Forum reported on Tuesday.

For organizations to be successful in the era of mobile devices in the workplace, risk management must be the foundation of any BYOD program, the report added.

"The use of personal devices to store and process sensitive information continues to rapidly affect the way we do business," ISF CEO Michael de Crespigny said in a statement.

"At the same time," he said, "it means organizations are easily exposed to new and more complex threats from stolen, lost or destroyed data, malware and other attacks if the device is not securely used and protected."

Personal devices can be challenging for IT departments because they may be used in ways that wouldn't be allowed if the device were owned by the company.

"By putting the right business practices and usage policies in place now, organizations will benefit greatly from the flexibility, increased productivity and reduced costs that mobile devices can bring to today's workplace, while minimizing exposure to potential security risks," de Crespigny said.

IT may be accused of currying favor with users at the expense of risk management, but BYOD is a new world for them, too. "It's a completely new shift in how they have to be thinking about their end users," said Gregg Ostrowski, senior director for enterprise developer and tech partnerships at BlackBerry.

BYOD also opens up issues that require IT planners to reach beyond their bailiwick's walls. "You have to involve human resources and legal in the process," Tenable's CEO, Ron Gula, said in an interview.

"If you're going to put any technology on any device that you don't control, and you don't think you're not going to create some liability for your company, you're wrong," Gula said.

Any BYOD management program, however -- even one weak on risk management -- may be better than no program at all. "There isn't an option for companies not to have a mobile strategy," said Caleb Barlow, an application, data and mobile security director for IBM.

"Not having a mobile strategy just means your information is going to leak out of mobile devices outside your control," Barlow said.

Still, it's estimated that anywhere between 60 and 80 percent of companies have no formal BYOD policy.

"It doesn't matter if it's 60 or 80 -- there's a lot of companies that don't have formal BYOD programs today, yet their employees are using their phones and tablets for work, and the IT department doesn't know it or chooses to ignore it," said Anders Lofgren, director of mobility solutions at Acronis.

"The reality is, if you don't have a program in place, your employees are still going to be using their phones and tablets at work," Lofgren said. "You're just not going to have any insight or visibility into it."

Although the ISF is urging companies not to rush into BYOD, that advice may be difficult to heed. "Companies have had no choice with offering BYOD support or access to their employees," said Skybox Security's Vice President, Michelle Cobb.

"The old IT joke about 'How do you protect your employees from the Internet? Unplug it.' can't be applied here," Cobb told CSOonline. "BYOD offers such value to organizations' and employees' productivity, you can't ignore it."

Stories by John P. Mello Jr.