BYOD’s “Circle of Risk”
- 13 January, 2015 12:57
Mobile technology has redefined the way businesses operate, unleashing unprecedented levels of flexibility, collaboration and communication.
Increasingly, Bring Your Own Device (BYOD) policies are the norm in workplaces around Australia, with research showing that adoption has reached a tipping point: around two-thirds of Australian enterprises now allow staff to use personal devices for work.
However, while BYOD policies have the potential to usher in new benefits for businesses such as productivity gains, higher employee satisfaction and cost reductions, they also increase security risk.
Results from a Good Technology Mid-Market Mobility Trends Survey showed that 50 per cent of organisations with formal BYOD schemes have more security concerns than those without. The reason is that BYOD introduces a variety of potential risks from security and policy perspectives, as well as around end-user privacy. Mobile device management (MDM), which businesses usually deploy once employee-owned devices come into use, is anti-BYOD by design. MDM products can only lock down various features and functions of a particular device and take an inventory of the apps the end-user has installed; they add no additional layer of security on top of what the underlying device operating system already provides.
The limitations of MDM as the sole solution for network security mean that BYOD programs are exposed to threats from multiple angles, which can be referred to as the “Circle of Risk”.
Device-based risk
The first element of the “Circle of Risk” is device-based risk. Over the past several years, manufacturers have delivered world-class consumer products that give users more power and freedom to share information from a mobile device than they have ever had before. Unfortunately, this also means corporate data can be synced to consumer outlets (e.g. syncing corporate content to iCloud, LinkedIn and so on). Enterprise security teams are struggling to keep up with this innovative and powerful consumer functionality, and as a result enterprise data is in regular jeopardy of being leaked.
User-based risk
The second element is user-based risk. End-users look for ways to use the same tools they rely on in their personal lives for work-related tasks, for example syncing their work material to iCloud or to personal Dropbox accounts. Without restrictions in place, employees could use storage services such as these to house sensitive company data, which poses a leakage risk.
Enterprise-based risk
Finally, enterprise-based risk refers to users seeking workarounds because the IT department is unwilling to meet their demands for flexibility. Businesses often find that if they do not offer a solution that satisfies employees in some capacity, staff will find their own way. For example, employees may begin forwarding work emails to personal email accounts in order to bypass restrictions imposed by the organisation.
Despite these challenges, there are ways to mitigate this “Circle of Risk”. Businesses should adopt security strategies using a layered approach that incorporates ‘containerisation’ as well as policy and end-user education.
Containerisation technology isolates personal data from enterprise data on employee-owned devices and can be used in conjunction with MDM tools. Rather than taking an all-or-nothing approach of locking down the whole device (using MDM alone) and setting device-wide restrictions such as complex device passwords or disabling Siri and iCloud, the containerisation model carries its own application-level security, policy, controls and restrictions. This allows IT teams to deploy corporate apps to BYOD end-users and protect the corporate data itself, rather than merely managing the device.
The end-user is often the weakest link in any security model, and educating employees about cyber security is just as critical as the technology deployed across the organisation. Enterprise security strategies should be designed around a consistent end-user policy for how corporate devices, and corporate apps on personal devices, are used. Effective end-user training is one of the most powerful security tools an enterprise can deploy. Educating end-users not only helps protect corporate data but also helps them in their personal lives, because cyber security threats, specifically those targeting smartphones and tablets, will only grow and become more sophisticated in the years to come.
This article is brought to you by Enex TestLab, content directors for CSO Australia.