A comment on BYOD from Righard Zwienenberg, Senior Research Fellow at ESET.
Should (B)ring (Y)our (O)wn (D)evice be reinterpreted as (B)ring (Y)our (O)wn (D)estruction? In the race to embrace and benefit from new technology, many organisations are blinded by overriding financial considerations, believing they can save expenditure by having their employees or students use their own kit. In fact they might be putting their most valuable business assets, their confidential network and customer data, at risk.
BYOD, although providing the flexibility that many employees would like to see, brings with it a unique set of challenges that can be detrimental to an organisation of any size, stemming from the extension of the network’s perimeter and a plethora of loose ends beyond the IT manager’s reach. Ignorance of security policies is another key factor. New research, commissioned by ESET, found that 38 per cent of Gen-Y professionals, those aged 18 to 30 years old, are unaware that, or don’t believe that, their company has an IT security policy. The education of staff is key to securing any organisation, as breaches are often the result of human error.
Although developing clear policies, providing security training to all BYOD-enabled employees and implementing password-protected auto-locking will help minimise security risks, it is impossible for a corporate security team to know about all operating systems, applications or firmware for all devices. Even if they had a great deal of information on each device, there may be an update or operating system that brings new features to the device, which is difficult to manage without expertise.
Improper management of the risks could be catastrophic. BYOD is a trend that will continue to grow throughout 2014, and companies need to be aware of the risks associated with it. Further findings from the research indicate that nearly half of generation Y employees use their work phone, device, computer or tablet for personal use. As such, it is almost impossible to prevent people from bringing devices exposed to malware into the workplace. USB ports, mobile devices, memory cards and Bluetooth connection hubs are just a few devices that could cause potential harm if policies are not engineered around them.
An alternative to BYOD is the adoption of a (C)hoose (Y)our (O)wn (D)evice (CYOD) approach, which hands back at least some control to the IT security team. Allowing employees to choose only from a specified range of devices makes it easier for IT to secure and manage corporate data while providing the option for all parties to reap the benefits that mobility and BYOD bring.
CYOD bridges the gap between employee choice and control for IT managers in securing the network. Integrating a mobile device management system will ensure that unapproved devices cannot get access to the corporate network and thus prevent corporate data from being exposed. It seems clear that the optimal choice for businesses should be the CYOD model, a model that will minimise the potential risk to an acceptable level, while still maintaining the flexibility employees would like to see in the modern-day workplace.