Whether it’s the use of corporate or personal mobile devices in the workplace, and whether there’s a corporate bring your own device (BYOD) policy or not – mobile devices bring a hornet’s nest of security issues for IT departments to consider and address.
It is a two-part security issue, with a certain degree of overlap – and to ignore it (and to focus purely on corporate mobile devices) is definitely not in the best interest of your company. Some IT departments think that they can ban BYOD but, bar some extremely controlled work environments such as trading floors, it’s hard if not impossible to stop employees using personal mobile devices while at work.
If they haven’t done so already, IT departments need to wake up to the fact that Shadow IT, BYOD, or BYO-anything are here and here to stay. Also that they are not the work of maverick end users and ambitious cloud service providers, but instead the result of the IT department’s inability to meet stakeholder and end-user expectations of IT across usability, cost, service, and agility.
IT departments need to quickly change their IT thinking – to place more emphasis on how IT services are consumed and the associated employee expectations. This includes the need for: better IT services; better app design and delivery; more intelligent approaches to BYOD; and the need to (re)consider the security implications of mobility and the use of non-corporate devices in the workplace.
Addressing Common Mobile Security Issues
This is where we have the overlap between mobile security and BYOD security – there are a number of basic mobile security risks to address, starting with the device itself:
- Minimal access security. Not using a password or PIN, or using a password/PIN that can be easily cracked, through to not using superior access-based security options such as two-factor authentication.
- Unsecured ports. Without firewalls, mobile devices can be vulnerable to unwanted intrusion and the loss of sensitive corporate data.
- No security software. Neither pre-installed nor later added by the corporate IT organization or end users to protect the device, and its content, against spyware, malicious applications, and malware attacks.
- Software-based vulnerabilities. Out-of-date operating systems or mobile apps – due to updates and security patches not being applied in a timely fashion.
- Unencrypted data. Both on the device and for the transmission of sensitive data to and from the device.
- People-based risks. Negligent or uninformed acts ranging from losing the phone, through end users “modifying” their mobile devices, through acts such as “rooting,” to the use of unsecured public WiFi networks, with the former not guarded against corporate remote-wipe capabilities.
Plus, of course, the security risks spread beyond the device once connected to corporate networks and the corporate IT infrastructure. IT departments need to be addressing these risks through suitable IT and BYOD policies.
Addressing BYOD Security Concerns
Beyond taking actions to address the above – through security risk assessments, use and user policies, device-based policies, mobile device management (MDM) tools, and continual end-user education – there are a number of other possible actions. These include but are not limited to:
- Make BYOD the exception to the rule. This is a limitation program that only lets specific end-user roles use their personal devices on the corporate network, for example, 100% mobile users or senior executives. It doesn’t make BYOD safe but it can reduce the scope and attack surface. This, of course, doesn’t stop any given employee using their personal device for business work, or even their business device for personal use.
- Operate zero-trust networks. This is where the IT department adopts the policy of not trusting any device or “open” corporate network, such as those connecting to the Internet. Additionally, access to sensitive systems and data, such as HR applications, can be restricted to trusted (i.e. not BYOD) devices via secure identification mechanisms and network controls.
- Use mobile management approaches beyond traditional MDM. While MDM tools are already popular, there’s also a management approach that separates out the device, applications, and data. For mobile devices, such as laptops, the end user can self-install a virtual desktop to represent a trusted end-point on an untrusted device. There are very mature solutions on the market, even for smart phones, such that IT can support the trusted end-point but leave the end user to manage the rest of the device.
So, BYOD adds to the burden of IT security and this isn’t a future issue – it has already been here for a very long time.