How Secure is Your BYOD Environment?
Bring your own device or BYOD is a revolutionary innovation in networking, and it is here to stay. It can broadly be defined as a program that provides device-independence to end-users. Due to the increased use of smartphones, organizations have inevitably implemented the BYOD concept in their networking strategies. According to Gartner, it is expected that by the end of 2016, four out of 10 organizations shall rely exclusively on BYOD, meaning that the organizations won’t provide any devices to their employees. Moreover, 85% of companies are expected to have some form of BYOD in place by 2020. Interestingly, small- and medium-sized businesses are taking advantage of this growing trend. In 2013, 62% of small- and medium-sized businesses had an official BYOD policy in place, as reported by iGR.
With the ability to access corporate resources from anywhere, at any time, BYOD brings an array of benefits to organizations. When employees use their own devices for personal and business use, productivity increases while employee attrition rate decreases. Businesses can transfer operational expenses to the user while optimizing revenues. At the same time, BYOD offers mobility to corporate resources. Overall, BYOD is a win-win situation for employees as well as businesses.
Along with the benefits come the risks. The versatility in models and operating systems makes it more difficult for IT staff to manage each device with a comprehensive policy. Most of the time, the employee owns and maintains the device, and the company has less control over it than if it were company-owned.
Data Management Issues
The past few years have seen rapid implementation of both BYOD and cloud networks in organizations of all sizes. With mobile and cloud data storage solutions, it has become difficult to manage and track data. New devices come with large storage capacities and have the ability to connect instantly to the internet and social networks. Huge volumes of data - over which organizations have little control - are stored on these devices. It is not easy to distinguish between work data and personal data. Organizations that do not have the infrastructure to monitor data movement rely on third-party solutions to do so.
Data Compliance Issues
With the increased incidence of identity theft and phishing scams everywhere, government authorities have come up with strict regulations for data management. The UK Data Protection Act of 1998 is an example. This Act regulates data collection and storage. While there is no such law in the United States, organizations have to be compliant with other regulations such as the PCI DSS (Payment Card Industry Data Security Standard), which is related to credit card transactions, and the Health Insurance Portability and Accountability Act (HIPAA), which offers privacy protection for personal health information. When these data are stored and managed on an employee-owned device, complexity increases.
Employee-owned devices are vulnerable to malware and malicious apps. This is why some have labeled the phenomenon BYOM (Bring Your Own Malware). According to Lookout, Google Store contained 32 apps that were infected with a malicious program called BadNews. Interestingly, these apps were downloaded 9 million times in 2013. Bit9 reports that 100,000 apps on the Android store are suspicious. Today, hackers are finding innovative ways to access information on a device. According to researchers at The University of Alabama at Birmingham (UAB), hackers even use music to trigger mobile malware in a device.
Another concern for businesses is the unauthorized access to corporate data via mobile apps. When employees download malicious apps on their cell phones, they give outsiders unauthorized access to critical corporate data. It is a headache to impose security software and add updates and patches on these devices. Employees can easily uninstall the software if they feel that these apps are impacting device performance and degrading the end-user experience.
Lost or Stolen Devices
Owing to their small form and also because they are always carried around by users, mobile devices can easily be lost.
According to IDG research, more than 3 million handsets were stolen in 2013. Out of these devices, 44% were left in a public place. The BBC reports that 314 mobile devices are stolen in London every day. When devices that are registered in a BYOD network are lost or stolen, sensitive corporate data can fall into the hands of an outsider.
Another important way in which corporate data become compromised is through disgruntled or fired employees. Employees may retain a certain amount of data even after they leave an organization. Typically, a fired employee does not inform the HR department about data residing on his smartphone, and this information can easily be leaked to a rival organization. Companies should have a written BYOD policy ensuring that employees do not retain data owned by the company when they leave an organization.
Protecting smartphones from hacking attacks is a big challenge for organizations. According to CBS News, smartphones have recently become the prime targets for hackers. With password-cracking software available for download on the internet, anyone can purchase a password-hacking tool and hack mobile devices. When a device is hacked, it can be used to connect to a corporate network to access business-critical information.
How Can You Secure Your BYOD Environment?
Firstly, organizations should not implement a BYOD policy unless they are fully prepared to handle it. By weighing drawbacks and benefits along with compliance issues, organizations can prepare a written BYOD policy that addresses BYOD security issues comprehensively. This policy should include compliance aspects such as how and when corporate data should be deleted from a device, what type of data can be accessed through a personal device, how data are moved between personal devices and business servers, and what type of encryption should be in force.
Business data and personal data have to be differentiated, and access to corporate data must be privilege-based. Most importantly, employees need to be educated about their responsibilities, and instructed on safe practices for smartphone use within corporate networks. Without proper co-operation from employees, it is not easy to manage a BYOD environment. By performing an audit on access to personal data and the types of devices used, organizations can add an extra layer of security.
Secondly, the BYOD policy should provide clear password specifications for employees. Passwords should have a minimum length, and the device should lock automatically after a time lapse. After a specified number of failed password attempts, the device should be reset to factory settings. It should be possible to lock the device remotely, change its password, or wipe its entire content with ease.
Thirdly, businesses need a comprehensive mobile device management suite. With an array of versatile mobile devices, hybrid networks and multiple business procedures, it is not easy for businesses to manually manage and monitor each and every device within the network. A powerful mobile device management (MDM) solution provides a centralized dashboard to manage and monitor the entire range of devices effectively.
Remotely Control Devices
With a comprehensive MDM solution, you can remotely monitor and manage files on your device from any browser. It is very easy to drag and drop files between a device and your browser. From a centralized location, you can remotely edit contacts and take control of the device’s camera. When a device is stolen, you can use the device camera to take a picture of the thief, and submit it to the relevant authorities before remotely wiping the data from the device.
In a BYOD environment, it is very important to have a strong password policy. However, it is a tedious task to enforce this policy on multiple devices manually. With an MDM program, you can automatically apply password policies on multiple devices, saving time. You can enforce password specifications such as the length of the password, the number of failed attempts allowed, and the time lapse before auto-lock. When a device is lost or stolen, the password can be changed remotely, data and settings can be remotely wiped, and the device can be reset to factory settings. The device can even be controlled through an SMS.
MDM solutions allow you to remotely monitor apps installed on any device, and easily remove rogue applications. With an app whitelist, you can allow specific apps to be installed on a device. You can create a blacklist of apps for the entire organization or for a specific group of employees. When a blacklisted app is installed, IT administrators and the user are immediately notified; an instant alert is generated along with the details of the devices involved.
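The password checks and app blacklist alerts described in the two paragraphs above can be expressed as a small compliance audit over a device inventory. This is an added example, not code from the article or from any MDM product; the field names, thresholds, package names and sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Thresholds and package names are illustrative assumptions.
    min_password_length: int = 8
    max_autolock_seconds: int = 300
    max_failed_attempts: int = 10   # wipe must trigger at or below this
    org_blacklist: frozenset = frozenset({"com.example.flashlight"})
    group_blacklist: dict = field(default_factory=dict)  # group -> frozenset
    whitelist: frozenset = frozenset()  # empty = no whitelist enforced

def audit_device(device, policy):
    """Return the policy violations for one reported device."""
    findings = []
    if device.get("password_length", 0) < policy.min_password_length:
        findings.append("password_too_short")
    lock = device.get("autolock_seconds")  # None or 0: auto-lock is off
    if not lock or lock > policy.max_autolock_seconds:
        findings.append("autolock_missing_or_too_long")
    wipe = device.get("wipe_after_failed_attempts")  # None: wipe disabled
    if not wipe or wipe > policy.max_failed_attempts:
        findings.append("wipe_threshold_missing_or_too_high")
    group_list = policy.group_blacklist.get(device.get("group"), frozenset())
    banned = policy.org_blacklist | group_list  # org-wide plus per-group list
    for app in sorted(set(device.get("apps", []))):
        if app in banned:
            findings.append(f"blacklisted_app:{app}")
        elif policy.whitelist and app not in policy.whitelist:
            findings.append(f"not_whitelisted:{app}")
    return findings

def build_alerts(inventory, policy):
    # One alert per non-compliant device, carrying the device details.
    alerts = []
    for d in inventory:
        findings = audit_device(d, policy)
        if findings:
            alerts.append({"device_id": d["id"], "owner": d["owner"],
                           "group": d.get("group"), "findings": findings})
    return alerts

# Constructed sample inventory (not real devices or a real MDM report format).
INVENTORY = [
    {"id": "dev-001", "owner": "alice", "group": "finance", "password_length": 10,
     "autolock_seconds": 120, "wipe_after_failed_attempts": 8,
     "apps": ["com.example.mail", "com.example.fileshare"]},
    {"id": "dev-002", "owner": "bob", "group": "sales", "password_length": 4,
     "autolock_seconds": 0, "wipe_after_failed_attempts": None,
     "apps": ["com.example.mail", "com.example.flashlight"]},
    {"id": "dev-003", "owner": "carol", "group": "sales", "password_length": 12,
     "autolock_seconds": 60, "wipe_after_failed_attempts": 5,
     "apps": ["com.example.mail", "com.example.fileshare"]},
]
POLICY = Policy(group_blacklist={"finance": frozenset({"com.example.fileshare"})})
```

The same file-sharing app is flagged on the finance device but not on the sales device, which is the per-group blacklist behaviour the text describes.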
Find & Track Devices
With a comprehensive MDM solution, the location of each device can be tracked and a complete location history created. While this feature facilitates staff routing and improves customer service, it also allows businesses to keep track of device location and be in compliance with government regulations. Location history can be enabled for a group, department or role, and the time periods during which records should be logged can be specified as well.
The mix of BYOD and cloud networks creates a high level of complexity for IT staff. However, by means of a centralized dashboard an MDM solution makes it easy to manage thousands of mobile devices. By grouping devices according to a department, role or job function, security settings can be customized according to group policies. WiFi network settings can be easily deployed to multiple devices. Device and SIM card details can be stored. Using the MDM program, email settings can be remotely configured.
What is BYOD - Conclusion
BYOD is here to stay. For a secure BYOD environment, IT and security staff must work together to implement advanced security solutions such as sandbox apps and data containerization. Employees have a key role to play here. Starting from the creation of a BYOD policy to its enforcement and execution with proper support, every step has to be planned carefully. With a sound and security-focused BYOD policy in place, businesses can mitigate the risks of BYOD while taking full advantage of its benefits.
Parallels Remote Application Server is a complete software solution for your company’s BYOD policy. Password security, track and locate are just a few of the advanced features of this solution. Parallels Remote Application Server can secure your corporate data and fully support your remote workforce using their own devices.
References
BYOD/BYOA: A Growing, Applicable Trend | inc.com
BYOD: an emerging market trend in more ways than one | us.logicalis.com
People Are Willing To Go To Extreme Lengths To Retrieve Their Stolen Smartphones | Business Insider
314 mobile phones 'stolen in London every day' | bbc.com
Payment Card Industry Data Security Standard | wikipedia.org
BYOD: Many Call It Bring Your Own Malware (BYOM) | blogs.cisco.com
BYOD Security: 5 Risk Prevention Strategies | smallbusiness.foxbusiness.com