Bringing your own device can occur under the radar or become part of a particular corporate policy in which an organization lends its support to personal mobile devices or even provides a stipend to employees enabling them to purchase a device that could include laptops, smartphones, and tablet PCs.
History of BYOD
It was only in 2010 that BYOD became much more mainstream, even though the term was initially introduced in 2009. With personal devices flooding the workplace, CIOs started to feel the pressure; it was during this time that Android was beginning to pick up steam and the first iPad was launched. Thus, an increasing number of tablets and smartphones were now used in workplaces, and IT was continuing to allow Bring Your Own Device without offering much support. Many businesses even started blocking personal devices from their mail servers and networks. iOS 4 was launched in 2010, providing the first APIs for managing mobile devices. IT and organizations now started to understand that they couldn't ignore Bring Your Own Device forever.
In 2011, BYOD programs and official support were introduced into the workplace at a much faster rate. Company executives were beginning to feel comfortable typing on touchscreen keyboards, and the enterprise mobility market was also rapidly shifting.
Even though IT's challenge was still focused on securing the device, they experienced the first real concerns around data leakage and security in 2012. Users were now greatly concerned about their privacy. Businesses were focused on clearly communicating BYOD policies to concerned users while continuing to work towards understanding the security and privacy implications. There was thus an increase in the demand for Mobile Device Management (MDM) solutions.
Bring Your Own Device thus brought a change in the way organizations provided access to their computer networks. Traditionally, the IT department of a school or business would build closed networks that could be accessed only by the computers it owned. Students and employees were now able to link their own smartphones, tablets, and computers to more open networks.
The BYOD movement was triggered by the exploding popularity of tablets and smartphones together with lower costs of laptop computers. Individuals who earlier depended on organizations to issue them hardware for work can now own devices that are capable enough to do the same work.
Why BYOD Security? – Understanding Bring Your Own Device Security Risks
Malware: When employees start bringing their own devices into the workplace, very little is known about those devices. Because employees also use them for personal needs, these devices could be at risk from malware and other cybersecurity threats that did not originate within the company. The risk of BYOD users bringing their malware with them is thus a major concern for IT security managers.
Data exfiltration: Besides the risk of introducing malware into a corporate environment, Bring Your Own Device can also bring about data loss or leakage. With unmanaged BYOD devices, a user that gets unfettered access to a corporate network will be able to take whatever they have access to and bring it with them outside the company. That particular device could even be stolen or lost.
Hardware: With corporate-provisioned devices, the company gets direct control over the specific phone hardware choice, and it has frequently been vetted to meet corporate compliance requirements. The phones and other devices provided by companies to their employees are typically provisioned with default configurations capable of meeting corporate policies.
How to Mitigate BYOD Risks in Businesses?
With the BYOD concept evolving into an unstoppable force across the business landscape, managing what can be a host of mobile devices is now a vital consideration for all enterprises.
With a growing fleet of mobile devices, businesses now need a platform enabling high levels of oversight and solid data protection. An MDM system has become essential for tracking mobile device usage, and it also provides the ability to wipe devices if they get lost or stolen.
Organizations can adopt a number of measures that help mitigate BYOD risks. Some of these measures include:
Remote wipe refers to the concept of remotely deleting data from a device. This includes overwriting stored data in order to avoid forensic recovery and returning the device to its original factory settings so that any data ever on it becomes inaccessible to anyone.
It is essential for organizations to understand their own requirements for data protection and to compile a risk profile. This is particularly true in regulated environments where there may be compliance requirements. For example, international deployment and compliance requirements are two situations in which Bring Your Own Device risk levels are particularly high.
It is important to update browsers, operating systems, and other applications frequently with the most recent security patches. It is equally important to ensure that the devices of employees leaving the company are suitably wiped of corporate data. If this does not take place, there could be a breach of data well into the future.
Limiting access to enterprise data based on the nature of an employee's job role is always considered to be a good idea.
All companies should adopt a strict device tracking policy. This will help them to constantly be aware of the whereabouts of all company devices whether in use or not. It is also good to implement a surveillance system capable of monitoring all devices entering and leaving company premises. Visitors' devices should also be included in the surveillance system.
Key benefits of operating a BYOD strategy in an organization are discussed below:
People mostly tend to be familiar with their own devices. For instance, Apple fans are very familiar with Apple technology, and Windows fans are comfortable with devices running Windows operating systems. Employees can get frustrated while trying to get used to a totally different device. This issue is eliminated by Bring Your Own Device, which allows employees to work using their own personalized devices, which meet all their own needs and enable them to be fully competent in their jobs.
Bring Your Own Device allows employees to use just one device, sparing them from traveling with several devices to satisfy their work and home needs, as the one device fulfills both. With access to all of the data they need wherever they are, employees will be able to work normally from anywhere, just as they do in the office. These employees are not held back by the strict rules they would have to adhere to when using company property. Bring Your Own Device thus allows greater freedom to the employees.
Companies using BYOD can actually save huge amounts of money, as they don't have to purchase costly devices for their employees to be able to do eLearning, for instance. Wastage and breakages could also be reduced, since employees tend to take better care of their own equipment than of company-owned devices, as any repair costs could become the employee's burden.
Increased productivity and innovation
Bring Your Own Device helps create a positive correlation between the comfort-level of employees and their productivity. By using their own devices, employees get comfortable and hence master their use. These devices are mostly available with the newest technologies, thus proving to be beneficial to the enterprise.
Allowing employees to utilize BYOD in the workplace could result in a number of security risks associated with:
Lack of antivirus or firewall software
When utilizing their own devices in the workplace, employees should always be encouraged to update firewall and antivirus software regularly. Failing to do so can actually create weak networks and holes in systems.
Accessing unsecured Wi-Fi
Employees generally use their devices outside the workplace and are hence likely to access unsecured Wi-Fi connections at coffee shops, stores, airports, or even their own home. Networks that are not secured can actually provide hackers with easy access to the company's networks or systems.
Stolen or lost devices
If devices with company data are lost, misplaced or stolen, this could allow unwanted third parties to obtain access to vital information about your business. This mostly takes place when devices are not secured with passcodes or passwords.
People leaving the company
Ex-employees could gain unauthorized access to systems after they abruptly leave the company. This happens because you may not have the time to wipe devices clean of company information and passwords when employees suddenly decide to quit.
All these risks pose a threat to the company's sensitive and critical data when proper precautions are not adopted. Hence, prior to implementing a BYOD policy at your business, you will have to come up with a security plan outlining regulations employees will have to follow. Educating employees about the significance of these regulations is extremely necessary in order to prevent data from getting compromised.
Insurance Implications of BYOD
It is possible for business data to become vulnerable to hackers despite the fact that the best security practices, measures, and policies are in place. This is the point where cyber liability insurance comes into play.
Insurers must develop services and products customized to meet the particular needs of data privacy pertaining to companies and their employees. To achieve this, the insurance industry will have to stay ahead of the curve in order to guarantee that products are up-to-date with Bring Your Own Device trends and new areas of exposure, such as who is responsible for resulting losses and stolen data, even if devices are compromised in places outside the workplace.
Insurers have a thorough understanding of the concerns and risks associated with Bring Your Own Device and can thus identify specific pain points and provide the protection required by commercial customers. It is also essential for insurers and companies to understand the unique risks related to BYOD in order to provide correct coverage in case vital information gets compromised.
Securing a BYOD program can take several different forms, involving varied types of technologies and policies.
Network Access Control (NAC): Controlling access to corporate networks and resources is considered to be the most basic foundational level. In the modern threat landscape, allowing any device to connect to a corporate network without any validation or control is, in fact, a recipe for disaster.
Mobile Device Management (MDM): Enrolling hardware devices in an MDM platform allows organizations to track and have a degree of management over devices accessing a network.
How to Establish an Effective BYOD Policy
If you have an outdated policy, or if you are in the process of developing a corporate Bring Your Own Device policy, or yet to develop a policy, then consider the tips given below in order to address IT service, application use, security, and several other components:
Specify the devices that will be permitted
Generally, people who had a BlackBerry used the same device for work. However, employees now have a wide variety of devices to choose from, ranging from iOS-based mobiles to Android phones. It is always important to specify what exactly is meant by 'bring your own device'. You will have to clarify which devices are acceptable to the enterprise, and which devices can be used.
Set up a firm security policy for all devices that enter the premises
Device users are often reluctant to enable lock screens and passwords on their personal devices, preferring easy access to the content and functions on their device. This is not a valid complaint: a lot of sensitive information can be accessed once phones and other devices are connected to corporate servers. If employees want to take part in the Bring Your Own Device initiative, they will have to be willing to configure their devices with strong passwords for protection. A lengthy alphabetic password should be required instead of just a simple four-digit one.
Define a clear service policy for devices under BYOD criteria
When it comes to resolving problems and questions about employees' personal devices, there are indeed a number of boundaries that the management will have to set. To implement this, policy-makers will have to answer the questions like:
What will be the policies for support on personally owned applications? What support will be provided for devices that are damaged? Will you restrict Helpdesk to ticketing problems with calendaring, email, and other personal information management-type applications?
Clear communication should be given on who owns what apps and data
It must be decided whether the BYOD policy will permit the wiping of the entire device that is brought into the network. If so, employees will have to be provided with clear guidance on how to secure their devices and how to back up their information so that it can be restored once the device is replaced or recovered.
What apps will be allowed and what banned?
This rule must apply to any device that can connect to organization servers, personal or corporate. The key considerations cover replacement email applications, VPNs, social media browsing, and other remote access software. The question that arises here is whether users will be able to download, install, and use applications that could cause security issues or legal risks on a device that has access to highly sensitive corporate resources.
Setting up an employee exit strategy
Finally, consider what will happen when an employee leaves the organization with a device allowed under the BYOD policy. How will management implement the removal of all access tokens, email access, data, and other proprietary information and applications? This is not simple: unlike a corporate-issued phone, the device cannot simply be handed back. A number of companies solve this issue by disabling access to corporate email and synchronization as part of the HR exit interview and checklist. However, heavily security-conscious ones make a BYOD-enabled wipe a compulsory part of the exit process.
BYOD Mobile Security
The rapid proliferation of user- and corporate-owned devices in the workplace shows that organizations need to strengthen their support infrastructure now. MDM is considered to be the main software solution for securing and managing your company's applications and data on the mobile endpoint devices that go in and out of your organization. MDM platforms offer a central interface allowing you to interact with the data present on your company's devices and also on your employees' personal devices, which are usually enrolled in the platform when they are hired.
BYOD policies have been a money saver for companies that need their employees to be mobile. In the entire process of adopting employee-owned devices, understanding Bring Your Own Device and its impact on an existing organization and infrastructure is a critical milestone, as it will permit a business to make the best use of cloud computing, superphones, tablets, and smartphones.
Given below are some of the best practices when it comes to BYOD and security concerns:
Policy review: Existing policies may need tweaking; however, there should be a clear path toward applying them to the mobile app and device world as well.
Evaluation of MDM: MDM software is capable of solving a number of your security issues, but will need time to be evaluated properly.
Set realistic expectations: Using a mobile device for personal purposes is extremely different from using a mobile device within an organization. Employees using BYOD will have to accept compromise and also accept the fact that their organization's security is extremely important.
Platform support: The mobile platform environment is greatly fragmented. You will have to remember that devices other than Apple's iPhone/iPad vary widely in the features they support, so your organization will have to maintain a list of supported devices.
Application policy: An application policy can be based on blacklisting or whitelisting software along with the usage of containers in order to run third-party software. You will have to be very clear as to which software is permitted, and which is not. Setting an application policy can actually consume a huge amount of resources, but it stands at the center of your security policy. Only apps that provide reporting, auditing, and centralized management should be permitted.
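The policy points above (permitted platforms, strong passcodes, patch currency, remote wipe for lost devices and departing employees, and an application allowlist) can be expressed as a compliance check that an MDM or NAC integration would run over its device inventory. The following is an added example, not code from the article or any MDM product; platform names, app identifiers, thresholds and device records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

ALLOWED_PLATFORMS = {"ios", "android"}      # "specify the devices that will be permitted"
ALLOWED_APPS = {"corp-mail", "corp-vpn"}    # app allowlist; identifiers are hypothetical
MAX_PATCH_AGE_DAYS = 30                     # "update frequently with recent patches"


@dataclass
class Device:
    owner: str
    platform: str
    mdm_enrolled: bool
    passcode: str               # constructed sample value, never a real secret
    last_patch: date
    apps: set
    owner_active: bool = True   # False once HR marks the employee as departed
    reported_lost: bool = False


def passcode_is_strong(pc: str) -> bool:
    """Article rule: a lengthy alphabetic passcode, not a simple four-digit PIN."""
    return len(pc) >= 8 and any(c.isalpha() for c in pc)


def evaluate(dev: Device, today: date) -> list:
    """Return, in order, the actions MDM/NAC should take for one device."""
    # Lost device or departed employee: wipe corporate data and revoke access first,
    # so a stolen phone or an ex-employee cannot keep reaching company systems.
    if dev.reported_lost or not dev.owner_active:
        return ["remote_wipe", "revoke_access"]
    actions = []
    # NAC: an unapproved platform or no MDM enrollment means no network access
    if dev.platform not in ALLOWED_PLATFORMS or not dev.mdm_enrolled:
        actions.append("deny_network")
    if not passcode_is_strong(dev.passcode):
        actions.append("require_strong_passcode")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        actions.append("require_patch")
    banned = sorted(dev.apps - ALLOWED_APPS)
    if banned:
        actions.append("remove_apps:" + ",".join(banned))
    return actions or ["allow"]


def sample_report(today: date = date(2024, 6, 1)) -> dict:
    """Run the policy over a constructed inventory; returns {owner: actions}."""
    inventory = [
        Device("alice", "ios", True, "correct-horse-battery", date(2024, 5, 20), {"corp-mail"}),
        Device("bob", "android", True, "1234", date(2024, 1, 1), set(), reported_lost=True),
        Device("carol", "ios", True, "abcdefghij", date(2024, 5, 30), set(), owner_active=False),
        Device("dave", "windows", False, "1234", date(2024, 1, 1), {"corp-mail", "game"}),
    ]
    return {d.owner: evaluate(d, today) for d in inventory}
```

In a real deployment the inventory would come from the MDM platform's API and the returned actions would be fed back to it; the ordering puts wipe and access revocation ahead of everything else so that a lost device or a departed employee is handled before any lesser finding.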