BYOD has now become so prevalent that 29 per cent of UK secondary schools are now operating some sort of BYOD policy including asking students to bring their own devices. While the enterprise world has been talking about BYOD for years, it's this kind of mainstream use that confirms BYOD as a way of life, and of business. While there are clear benefits in terms of productivity for example, unfortunately, security still remains a key concern. In order to take advantage of the potential benefits and avoid the security risks, organisations need to do three core things - develop a robust BYOD policy, choose the right security technology, and support the people using it.
Step 1: Formulate a robust BYOD policy
There are many technical aspects that enterprises need to consider with BYOD but before creating a BYOD policy should be the first priority. Failure to start with the policy itself could result in deployment of technologies that simply aren't fit for your business's needs. The first aspect of building your BYOD policy is ensuring that you're compliant with industry regulations especially within the healthcare, financial services or public sectors. The second aspect of the policy is about ensuring employees get access to the underlying application and business processes they need to be productive. Finally, in order for a policy to be effective, it needs to be backed up by enforcement and management tools - this is where Enterprise Mobility Management (EMM) comes in.
EMM is helpful for dealing with issues such as lost, stolen or misused devices while it can also help define what can be enforced within a BYOD policy and even what to do when an employee leaves. EMM solutions that use container security fully separates enterprise and employee data, apps, communications and networking, so the enterprise has complete governance over corporate information on a device BYOD without infringing on the user's privacy. BYOD is often talked about from the enterprise's perspective but it's just as important to ensure the end user's privacy as the enterprise's corporate data security.
Step 2: Make clever technology decisions
Once you've devised a robust BYOD policy, it's time to turn your attention to technology. For this, there are three main areas that you need to focus on - the devices, the applications, and access to your network.
Everyone has favourite brands so there will undoubtedly be pressure to support all devices within a BYOD policy but the reality is that many organisations will look at the resources available to the IT department and choose to only support iOS or Android devices, for example. Supporting such an array of mobile devices is relatively new for an IT department in this post-Blackberry era. Traditionally, they are used to supporting operating systems (OS) like Microsoft Windows, which releases software updates every few years. In comparison, mobile devices have various operating systems depending on their given manufacturer and software updates are released every few months rather than years. This presents a very different challenge and it's important to recognise this in order to make a balanced decision as to what devices will be included.
Applications: Risk v productivity
There's no doubt that employees need access to mobile applications, such as email, browser, collaboration tools, document management, and remote desktop access in order to maintain productivity levels but it's important to understand that with each application, comes additional risk. According to FireEye, in the 2015 Data Breach Investigations Report by Verizon, from investigating over 7 million mobile apps, 96 per cent of mobile malware was targeted at the Android platform. It was also found that more than 5 billion downloaded Android apps were vulnerable to remote attacks in particular. A successful BYOD deployment needs to address the risks that these applications present to the IT infrastructure.
The question of access
Each of these devices and applications presents a risk to the network. Organisations who are serious about adopting BYOD, must implement a robust SSL VPN and Network Access Control (NAC) solution to protect the enterprise network. Role-based, application level security policy enforcement will allow enterprises to manage and monitor mobile device sessions on-premises network as well as over secure VPN. Another risk, sometimes overlooked, is guests, visitors and business partners who bring their own devices and expect access to your network, or your WiFi at least. A NAC solution can grant guest access and allow your employees to share data without compromising your network.
Step 3: People
When all said and done, it's people who will ultimately be using these technologies and, hopefully, abiding by these policies so ease of use should be a prime consideration when deployed BYOD. One of the biggest reasons why BYOD fails is because it's too complex; if it's too difficult or slow to connect a device correctly, users will simply find unsecured workarounds. The fact that human error is the chief cause of data breaches only bolsters this argument for ease-of-use.
In just two years time, the EU GDPR will come into force which means enterprises can be fined up to 4 per cent of global annual turnover in the event of a data breach. To avoid this, enterprises need employees on their side but this is not an overnight process, they need to provide ample training for employees who are using their own devices in the workplace and create a culture of responsibility around mobile data. Failing to do so will likely result in an unsuccessful BYOD implementation which, in turn, leaves the door wide open for data breaches.
Adam Jaques is Senior Director of Corporate Marketing at Pulse Secure