Bring Your Own Device (BYOD) is becoming the rule rather than the exception in today's workplace. In a recent survey by Gartner, 70% of respondents said they either already have or are planning to introduce BYOD policies in the next 12 months.
While there are several benefits associated with allowing users to bring in their own personal devices, there are some concerns as well. The topmost BYOD concern is security. Employees are not only bringing their own devices, but launching their own network services, a potentially severe threat. Other challenges include:
- Uncontrolled Access to the network, both in terms of what information is accessed and retrieved, and what happens to that information if a device is lost or stolen.
- Lack of Application Security controls resulting in potentially huge data losses.
- Device Support: Managing large device stacks in terms of tracking and controlling access requires considerable effort.
- Impact on Data Privacy: Both enterprise-sensitive information as well as confidential customer information can be compromised easily.
- Malware infections or phishing scams can lead to unauthorized access to the enterprise network.
Despite these security issues, almost 80% of today's BYOD activity remains inadequately managed. In fact, a Gartner study reports that only a small 33% of organizations surveyed have policies in place to address BYOD-related issues.
The answer lies not in abandoning the BYOD initiative as some have, but in setting up proper security measures. For an effective BYOD implementation, enterprises must follow a five-step process that comprehensively covers information security and privacy issues.
- Identify the need:
  - Use employee surveys to identify the type of mobile applications employees use
  - Identify the need and type of devices that employees tend to use
- Assess the security and risk issues:
  - Identify data security and privacy issues through a detailed risk assessment on all identified categories of devices
  - Review the current capability of dealing with the issues involved and adequacy of existing controls
- Gap analysis:
  - Assess and analyze gaps
  - Analyze control requirements to determine risk mitigation strategies
  - Do a cost/benefit analysis
- Finalize the plan, develop the BYOD policy and set up a process:
  - Finalize the coverage in terms of what is allowed/disallowed
  - Develop a policy to promote only company-approved devices
  - Set up an "acceptable use" policy
  - Create and maintain the repository of allowed devices tagged with unique IDs
- Communicate and harden the devices:
  - Communicate and promote the BYOD policy
  - Harden the devices to ensure that unknown or third-party applications are not used in an unauthorized manner
While nothing can completely protect enterprise data from a determined, deliberate attack, the above steps will help enhance employees' productivity on their preferred devices without compromising on security. Do you agree? I would love to hear from you on your experience with this trend.