Is BYOD the right call?
"Bring your own device" isn't a fad, so plan accordingly
By Jim Rhodes
You're not imagining it. More and more employees are bringing their personal smartphones and tablets into the workplace.
Since the introduction of the iPhone in 2007, consumer devices have slowly made their way into the office environment. At first, IT departments were able to fend off individual preference by citing security concerns. But once the popularity of iPhone and Android-powered gadgets soared, administrators felt the pressure to address the Bring Your Own Device (BYOD) phenomenon head on.
According to Gartner, an estimated 66% of mobile workers will have a smartphone by 2016. The benefit of allowing consumer devices into the workplace can be compelling for those who monitor the bottom line. There is no cash outlay to purchase hardware, and the employee is responsible for the contract, insurance, operating system updates, replacements and upgrades. That said, consumer devices are not completely cost-free since many organizations choose to pay a stipend or offer partial reimbursement for the monthly expense.
So, what then are the pitfalls of BYOD? Here's one example: A company owner decides to let one of her employees go. But first, she wants to make sure corporate data is removed from that employee's smartphone before his exit. Unfortunately, the owner does not have a corporate policy in place that allows access to the employee's personal device. Even if she did, the only way to remove corporate data is by wiping the device, or deleting all personal data right along with the corporate files.
Business owners and IT administrators should take a few things into consideration before deploying a BYOD solution. Today's operating systems and fragmentation of the market are not going to make the job any easier, but with a well-thought-out plan, they can avoid disasters.
The first step is to identify situations where company data could be at risk. The obvious scenario here would be loss or theft of a device. Other, less commonly thought of security breaches include:
• Personal Web browsing that leads to malicious sites
• Clicking links from unknown sources in personal e-mail accounts
• Installing malicious applications
• Rooting (jailbreaking) the device
• Installing custom ROMs
• Using the device on public Wi-Fi connections
The second step is to mitigate the risk associated with adding personal devices to the corporate network. Approach this step with two basic assumptions. First, assume that sensitive information about your company will be stored on an employee's personal device. Second, assume it is impossible to have complete control of the device.
Unfortunately, there is no "silver bullet" solution that addresses every situation or covers every mobile operating system, but there are helpful guidelines.
• To enforce security policies, IT needs to be able to manage devices remotely. If you are going to grant access for multiple mobile operating systems, you may need more than one mobile device management solution. Some solutions will allow more control of the device than others. For instance, Microsoft Exchange ActiveSync and BlackBerry Enterprise Server allow more options to lock down the device as a whole. Other options, such as Divide or Good use a containerization approach where a suite of business apps is the only thing that is managed, leaving the user's personal data untouched.
• Require a passcode to unlock a device (or at least business apps/data). This step should not be optional for anyone. Leaving a device unlocked is the same as leaving the bank vault and front doors open after everyone has gone home for the day.
• Enable on-device encryption. A passcode does not offer complete protection for stored data.
• Use secure connections (e.g., HTTPS, VPN) when connecting to company resources. This will protect data when using an unfamiliar network, such as public Wi-Fi.
• Block downloading apps from unknown sources. Although not perfect, official marketplaces do have processes in place to weed out malicious applications.
• Consider creating an approved-device list. Some devices do not allow for the enforcement for some of the policies mentioned above. Give careful consideration to allowing devices that have been rooted (jailbroken). These devices have had the permissions level for the user elevated to where they can modify parts of the operating system that are normally protected. A rogue app can exploit this and access sensitive data.
• Consider using a cloud storage solution for company data, when possible. This will make backups easier and minimize the impact of a lost or stolen device.
Once you have identified the risks and decided which options best mitigate them, it is time to put a formal corporate policy in writing. A clear and concise mobile device security plan will also set employee expectations. Make sure the plan identifies which devices are supported and the procedures in place to protect corporate data. This should include any mobile device management software that needs to be installed and the consequences if it is uninstalled without permission. The plan should also address how business data will be backed up, while clearly spelling out that it is not the company's responsibility to back up employees' personal data.
Finally, your mobile device security plan should explain the use of remote wiping, or deleting all personal data right along with corporate files in the event of device theft or loss. Mobile technology is evolving, so make it a point to revisit your security policy regularly and update the content as needed.
The trend of employees wanting to use their personal devices in the office is not going away anytime soon. That's why business owners and IT administrators must remain vigilant about their BYOD solution and avoid becoming the Bring Your Own Disaster environment. n
Jim Rhodes is the supervisor of the mobile solutions team at AppRiver. The team specializes in providing ActiveSync and BlackBerry device support to a growing global hosted Exchange customer base. He has over 12 years of experience in the IT industry, serves on the board of directors for IT Gulf Coast, and is a regular contributor to AppRiver's company blog.