If you are responsible for corporate IT security, you know what I’m talking about: the BYOD (bring your own device) trend is a challenge. If you’re not familiar with it, let’s use Gartner.com’s definition of BYOD as “an alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data. Typically, it spans smartphones and tablets, but the strategy may also be used for PCs. It may include a subsidy.”
A BYOD Tidal Wave
Subsidy or not, the BYOD trend is a security headache, and potentially a security nightmare, for CEOs and corporate IT teams. One New York-based IT industry expert who writes for ZDNET, CNET and CBS News suggests that “by 2017, half of employers may impose a mandatory BYOD policy — requiring staffs to bring their own laptop, tablet and smartphone to work.” He also found that 38 percent of companies expect to stop providing workplace devices to staff by 2016. With the number – and acceptability – of mobile or virtual employees rising, even in traditional business sectors, that figure isn’t surprising. What is surprising, however, is the high number of corporations and business leaders who simply aren’t prepared for this looming shift. Even British data officials and security watchdogs recently lamented their country’s employers’ “…laissez faire attitude” towards staff using their own devices in the workplace.
Gap in BYOD-Related Practices
- Seventy-five percent of enterprises surveyed were unable to meet eight out of 10 of their current top security requirements.
- Only 11 percent of employees are aware of the current level of enterprise control over their device.
- Ninety-one percent of businesses believe they have policies in place to protect against mobile security breaches.
- But almost half (48%) of employees already using their own device are unaware that these policies exist.
Here’s what worries me. There is a huge disconnect between the guidelines and practices corporate leaders believe they have in place, the capabilities that are actually ready for service, and what employees on the front lines know (or, in most cases, don’t know) about these policies. And while organizations can expect costs to decline as they move away from providing in-house desktop technology for employees, they should be prepared to invest heavily in the corresponding security systems and platforms.
BYOD and Security: Three Questions to Ask and Answer
If you are responsible for implementing your own BYOD policy, make sure you can answer the following three questions:
- What devices are on your network?
- What are those devices accessing or attempting to access?
- Is there an operational need for access?
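The three questions above can be answered mechanically from two things most organizations already have: a device register (an MDM or asset-inventory export) and an access log from the network edge. The following is an added example, not code from the original post; the register, the per-role “operational need” policy, the log format and every MAC address and hostname in it are constructed for illustration.

```python
from collections import defaultdict

# Constructed asset register (standing in for an MDM/inventory export):
# MAC -> (owner, role, enrolled in MDM?). All values are made up.
REGISTER = {
    "aa:bb:cc:00:00:01": ("alice", "finance", True),
    "aa:bb:cc:00:00:02": ("bob", "sales", False),  # known owner, not enrolled
}

# Constructed "operational need" policy: role -> resources the role may reach.
NEED = {
    "finance": {"erp.corp.example", "mail.corp.example"},
    "sales": {"crm.corp.example", "mail.corp.example"},
}

# Constructed access-log lines: "<time> <client MAC> <destination> <result>".
# Denied attempts are kept: the question is what devices try to reach, too.
LOG = """\
09:01 aa:bb:cc:00:00:01 erp.corp.example allowed
09:02 aa:bb:cc:00:00:01 crm.corp.example denied
09:03 aa:bb:cc:00:00:02 crm.corp.example allowed
09:04 aa:bb:cc:00:00:02 hr.corp.example allowed
09:05 aa:bb:cc:00:00:99 fileshare.corp.example allowed
"""

def parse_log(text):
    """Yield (mac, destination) pairs; skip malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2]

def review(log_text, register=REGISTER, need=NEED):
    """Return (mac, finding, destinations) triples answering the three questions."""
    seen = defaultdict(set)
    for mac, dst in parse_log(log_text):
        seen[mac].add(dst)  # Q1: which devices; Q2: what they (try to) access
    findings = []
    for mac, dsts in sorted(seen.items()):
        if mac not in register:
            findings.append((mac, "unknown-device", sorted(dsts)))
            continue
        _owner, role, enrolled = register[mac]
        if not enrolled:
            findings.append((mac, "not-enrolled", sorted(dsts)))
        no_need = sorted(dsts - need.get(role, set()))  # Q3: operational need?
        if no_need:
            findings.append((mac, "no-operational-need", no_need))
    return findings
```

Running `review(LOG)` on the constructed data flags the unregistered device, the known-but-unenrolled device, and each access that the owner’s role has no operational need for, which is the list a BYOD policy review should start from.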
Data Protection: A Few Anti-BYOD Tips
Next, use the information you glean from these questions to establish strong mobile device management practices. Here are a few examples:
- Policies and Awareness: Make these clear and actionable. Require employees to sign statements confirming they have reviewed them and will comply with them. Champion the issue periodically through several communication channels. Emphasize both educating users about the risks to the organization of BYOD compliance violations and the policies that restrict device use.
- Password Management: Consider having device passcodes mirror your business password policies – including device access itself (screen lock).
- Monitoring: Use screening filters for mobile devices.
- Operational Security (OPSEC) Training for Employees: This includes guidance on prudent work practices such as being aware of their surroundings and taking care to connect only to known networks and hotspots.
Digital data protection is of the utmost importance in today’s business world, and it’s nothing to scrimp on. Be prepared to spend a little money to save a little money. You, your clients, and your customers will be glad you did.