Advantages notwithstanding, there is a distinct security issue with implementing BYOD policies that allow work with, and a connection to, the organization's network. The risk here comes from multiple directions. Not only are personal devices more likely to be unsecured, but they also present a very real risk of data loss. A device that is lost or stolen because it's regularly taken off-premises, and indeed anywhere the owner desires, or is removed from service entirely after an abrupt employee departure, presents a much more serious risk than a company-owned device. It can be difficult to hold individual users accountable in such cases, and even the threat of legal action could potentially be lost on a disgruntled employee with no desire to return data present on a personal device.
Regardless, BYOD policies aren't going away anytime soon, and while many employers are still hesitant to adopt such policies, having a plan around their use can help to greatly mitigate the risk they represent.
It can often be better to allow such devices to be used, and properly secured with a strong policy than to disallow their use entirely.
Studies show that a third of all BYOD organizations suffered breaches as a result of those policies
A recent study by Verizon surveyed a number of security professionals to identify how mobile devices (and by extension, BYOD-style workplaces) affected organizational security. In the survey, 33% of companies said they underwent some kind of security breach, with the vast majority being considered serious.
Over 85% of those surveyed also acquiesced that mobile security risks were growing at a faster rate than other threats.
While those numbers shouldn't be terribly surprising to most security professionals, one important takeaway from the survey was that almost half (48%) of respondents said they made compromises to mobile security in order to secure business objectives. Put plainly, companies were willing to put themselves at risk from mobile threats if it meant meeting the bottom-line.
Even a basic level of security can make a huge difference
The study found that for many companies, the perception of preparedness may have held back their security standards. Even a basic level of security could have potentially prevented many disasters, but companies failed to follow through on a full security plan that included encryption, strong password management, and security testing.
The bottom line is that while BYOD and mobile computing for the workplace can be a security risk, the danger presented can be reduced to a manageable state that makes sense from a business standpoint. It doesn't take a sweeping security overhaul to implement a security-focused BYOD policy, and doing so can have huge benefits for certain organizations.
Good BYOD security starts with simple standards
Implementing a security policy for personal devices doesn't require revolutionary thinking, though it can demand some adaptive accommodations (more on that in a moment). Strong BYOD security often boils down to the very same common-sense best practices for security many organizations are already used to.
Wireless encryption is a must-have, and should already be in place for any organization that uses wireless connectivity. One special consideration for companies that make use of mobile devices (BYOD or not) would be to use a more enterprise-grade key-sharing standard that doesn't use PSK. Pre-shared key encryption presents a very real risk in an environment that sees constant connects/disconnects to the network, and utilizing something more robust is a must in an environment that allows BYOD in the workplace.
Good password practices that are enforced on a personal level are also a necessary step for security. Having users frequently change their passwords on their personal devices ensures that even if a device becomes lost or stolen, the likelihood of a data breach is relatively low.
Having a plan tailored to mobile computing is necessary
In addition to following good security practices, having a solution that fits well with mobile devices will help keep data secure. Using applications that can be remotely removed from a lost or stolen device will help ensure information doesn't fall into the wrong hands. Mandatory encryption software for any data that requires local storage on a personal device can also be used to add another layer of security to BYOD systems.
Having a way to categorize and track personal assets can also be useful. Some CMDB software has special allowances for BYOD options, giving asset management a method for tracking devices that aren't owned by the company itself. This can also provide an additional layer of security for lost, misplaced, or devices owned by those who have left the company.
Lastly, having a specific outline for what devices are okay for use, and regularly circulating guidelines for safe usage of personal devices can go a long way towards good security.
Ultimately BYOD security and policies aren't all that different from what's already in use
For the most part, implementing a BYOD policy can have huge benefits for many organizations, without the need for expensive and time-consuming security reforms. In many cases just using simple security procedures that are already in place for other devices can easily be slotted into BYOD policies without much adaptation required. It's often going to be worth the trade-off.
Just be sure to always have a cautious eye towards security and you should be fine.Updated Date: 27 March 2019, 07:45