Once the ‘bring your own device’ (BYOD) genie left the bottle some years ago, it soon became obvious that it would be impossible to put it back in. End-users in love with their consumer smartphones, tablets and apps understandably wanted to extend their use into the workplace, while employers increasingly see the ‘choose your own device’ (CYOD) phenomenon as a smart way to increase productivity while retaining control over the device.
A report published early in 2015 demonstrates the trend only too well. ‘Wearables, BYOD and IoT: Current and Future Plans in the Enterprise’, from Tech Pro Research, revealed that almost three-quarters (74%) of organisations worldwide have now adopted BYOD or plan to do so within the next 12 months.
A study carried out by the same firm a year earlier shows a marked difference: just 44% of organisations allowed employees to use smartphones and tablets for work, while just 18% planned to roll out a BYOD policy.
So the advantages of BYOD are well understood, but without the right policy in place it can also come at significant risk to corporate data. Lost or stolen devices could provide a backdoor direct into your company network that can then be exploited by criminals, while malfunctioning devices create a further risk to data security.
Wearable technology is the next challenge coming over the hill. In the same Tech Pro Research report published in 2015, fewer than one third (29%) had factored smartwatches or wristbands into their policies, with most companies admitting that they were ‘not sure yet’ how to deal with wearables.
Below are our recommendations on how to minimise the growing risks posed by BYOD and CYOD:
Keep a register of connected devices
As the IT team connects personal devices to the company network, they should also keep a record of the user and their device details. By maintaining a detailed register, companies can audit their company network regularly to detect unauthorised connections and resource usage.
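As an added illustration (not part of the original article), the audit described above can be sketched as a reconciliation of the device register against observed network connections. The register columns, the log line format and all sample values are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample register: one row per enrolled personal device.
REGISTER_CSV = """user,device,mac
alice,iPhone 6,3C:15:C2:AA:10:01
bob,Galaxy Tab,00-1A-2B-3C-4D-5E
carol,Nexus 5,f8:a9:d0:11:22:33
"""
# Constructed sample of observed connections (assumed format: time MAC IP hostname).
OBSERVED = """2015-06-01T09:02:11 3c:15:c2:aa:10:01 10.0.5.21 alices-iphone
2015-06-01T09:05:40 00:1a:2b:3c:4d:5e 10.0.5.22 bobs-tab
2015-06-01T09:17:03 da:a1:19:00:be:ef 10.0.5.40 android-7f3c
2015-06-01T10:44:59 00:25:96:12:34:56 10.0.5.41 unknown
"""

def norm_mac(mac):
    """Normalise a MAC to 12 lowercase hex digits, or return None if malformed."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return digits

def is_randomised(mac):
    """Locally administered bit set: typical of per-network randomised MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(register_csv, observed_log):
    """Return connections missing from the register and registered users not seen."""
    register = {}
    for row in csv.DictReader(io.StringIO(register_csv)):
        mac = norm_mac(row["mac"])
        if mac:
            register[mac] = (row["user"], row["device"])
    seen, unauthorised = set(), []
    for line in observed_log.splitlines():
        parts = line.split()
        mac = norm_mac(parts[1]) if len(parts) >= 4 else None
        if mac is None or mac in seen:
            continue
        seen.add(mac)
        if mac not in register:
            unauthorised.append({"mac": mac, "ip": parts[2], "host": parts[3],
                                 "randomised": is_randomised(mac)})
    unseen = sorted(user for mac, (user, _) in register.items() if mac not in seen)
    return {"unauthorised": unauthorised, "unseen": unseen}

if __name__ == "__main__":
    print(audit(REGISTER_CSV, OBSERVED))
```

A MAC address can be changed by the device owner, and modern phones randomise it per network, so a match here is an inventory signal rather than proof of identity.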
Enforce on-device security
All smartphones and tablets come with passcode controls that restrict access. As part of an employer’s default BYOD agreement, staff should be expected to have the passcode enabled before they are granted access to corporate resources.
Use existing network tools more intelligently
Many common network tools and services have functions that make it easier to manage mobile devices. Microsoft Exchange, for example, can be used to perform remote data wipes on stolen devices. Companies can make full use of these tools to automate common mobile device management tasks and to manage network logons.
Force VPN use
All devices now support VPN connectivity in the same way that laptops do. To ensure that data transferred to and from devices is secure in transit, make VPN set-up one of the initial provisioning tasks carried out during the deployment phase.
Investigate a proper MDM solution
Businesses that are serious about making BYOD a key part of their IT strategy should invest in a proper mobile device management (MDM) system. An MDM platform allows them to enrol devices, specify and enforce network access rights and even apply content filtering to keep staff focused on work-related activities. It can also be used to deploy specific, pre-approved apps related to job roles to try and prevent staff using unauthorised, untested apps that could be leaking corporate data.
Investigate enhanced security tools
For the ultimate data security, companies need a solution that can keep personal and corporate data and apps separate. Some device manufacturers have developed functionality allowing device owners to separate ‘work’ and ‘home’ apps and data.
There are now a handful of third-party solutions that can perform a similar task on iOS and Android apps too. These solutions create a secure partition and force users to use company-approved apps for company-related tasks, which avoids the danger of data leakage or theft by third-party apps.
As BYOD continues to gain traction in the enterprise and the use of new wearable technologies grows in popularity, security will continue to be a hot topic. With the new European General Data Protection Regulation (GDPR) on its way, the time is right to investigate whether current policies governing employees’ own devices are fit for purpose.
Sourced from Paul Le Messurier, programme and operations manager, Kroll Ontrack