Addressing Bring Your Own Device (BYOD) security

Posted on March 15, 2015 12:05 am

Mobile technology continues to redefine the way businesses and individuals operate, offering unparalleled and unprecedented levels of flexibility, collaboration and communication. Bring Your Own Device (BYOD) is one such development. It has brought benefits for businesses such as enhanced productivity and, according to studies conducted in the United States, much higher employee satisfaction and cost reductions. However, it has also increased security risks, which are now the biggest concern around BYOD. A recent survey of friends in the technology sector, most of them senior security decision makers, revealed that a majority regard device security as one of their top concerns. For my friend working in Montreal, Canada, BYOD can be a daunting prospect. I have argued about BYOD before. The idea of allowing employees to use their personal devices at work is revolutionary and, as with any revolutionary idea, it will take some time to become fully accepted; my friend is one of those resisting the idea despite pressure from his employer.

The issue is that all too often devices, and device security, are being used as an excuse for regressive and counterproductive IT policies. That doesn’t make sense, as employees are already using their own devices at work, regardless of their businesses’ official policies on BYOD. Although BYOD introduces a variety of potential risks from security and policy perspectives, as well as for end-user privacy, addressing the security challenge of BYOD brings benefits. For businesses that choose a BYOD approach, the key to success lies in worrying less about the device. Device-centric approaches to security such as mobile device management can only ever solve the problems businesses have, and they do not provide a scalable, flexible way of securing the enterprise for future mobility. Last year, I noted BYOD is more than devices. Some of my top BYOD security issues are beyond the ability of software-management tools to handle. One of them is unlicensed software: owner-installed applications on personal devices have been found to violate enterprise license agreements, while others compromise the integrity of the users’ network. A well-thought-out BYOD strategy should be based on a mix of the right company culture and a robust, enterprise-wide take on security. Business executives need to be able to have complete confidence in their IT department and the technology framework they have in place to secure employee devices.

The other main concern which has dominated my thinking is unsecured third-party connections: smartphones and tablets can connect to unsecured wireless networks, offering an unmonitored back channel. Employees need to ensure that their device cannot compromise the enterprise and that, conversely, their own private data cannot be viewed by anyone in the business, but sadly that’s not always the case. Devices can easily be infected outside the firewall through non-work usage. In business, trust is never given freely; traditionally, it must be earned. In BYOD, it can only be earned through a robust security framework. The good news for businesses is that BYOD security does not need to be a leap into the unknown, nor does it need to involve investing in new, unproven niche security ‘solutions’. By gaining root access to mobile devices, users can bypass security restrictions and, in some cases, install rogue apps. When devices are lost, stolen, or damaged, businesses can lose access to critical data, and in addition to compromising local data, stolen devices can expose the entire network.

That can be solved through identity management, which allows organizations to simplify identity lifecycle management and secure access from any device to all enterprise resources within and beyond the firewall. Identity management allows organizations to easily extend the enterprise security layer to wherever the employee needs it to be. Businesses will thereby be able to trust BYOD devices every bit as much as corporately-owned ones, because the same robust authentication, sign-on and authorization processes are used. Equally important is training end users, like schools in East Africa, about the content and ramifications of the employee service agreement, and sharing best practices for data protection inside and outside of the office. The Help Desk also needs training to answer questions quickly, efficiently, and within the allowable legal scope created by the program. It is also critical to train developers to build secure data access and storage into their application code. If businesses and employees are to truly trust the use of personal devices in the workplace, there needs to be a strict separation between personal and private data. I strongly believe the key to securing the enterprise is to embrace a more holistic attitude to security that focuses on applications and identity. With this approach, businesses can rest assured they are protected, regardless of what devices are being used.

Contador Harrison