Wednesday, October 17, 2012

BYOD Initiatives Could Be Risking Corporate Data

The Bring Your Own Device (BYOD) phenomenon is gaining momentum. A recent survey by CIO Magazine revealed that by the end of 2011, nearly half of all mobile devices used in the workplace were employee-owned.

The reason is simple - employees like to use their own stuff. As consumers, they have access to some of the best devices — iPads, iPhones, Android phones, Android tablets — and all the apps that come with them. Employees don't want to use the clunky laptops and complex software of their employers. And they don't want the hassle of carrying around two separate phones.

Rather than fight it, the smart companies are embracing the BYOD trend. Kraft, Whirlpool and IBM are just some of the larger names that have already implemented BYOD guidelines for their employees.

However, at the same time, there are some serious concerns attached to BYOD schemes, especially around the security of corporate data.

BYOD — A Security Nightmare

Without a proper BYOD policy in place, employers can easily lose control over how and where their corporate information is stored. 

Cloud computing technologies now make it easy for employees to self-select and install their own business apps without consulting IT. This presents significant security concerns for employers, who have little insight into which apps are being used and whether they are secure enough to house confidential corporate information.

It’s not uncommon, for example, for business users to use personal cloud solutions, like Dropbox, iCloud and Google Drive, to store business files. These applications are relatively cheap, if not free, and provide convenient access to documents from multiple locations. However, because they are designed for personal use, these applications lack the vigilant security protection needed for confidential corporate data: data encryption, managed user permissions and offline document control.

The recent Dropbox security breach is a timely reminder of how easily information stored in these applications can be compromised. It’s no surprise that in May 2012, IBM banned the use of Dropbox by all of its employees.

Lax Approach to BYOD Security Causes Major Headaches

Another concern around BYOD is the lax approach some employees take toward mobile device security.

According to a recent survey by Coalfire, 47 percent of respondents had no password protection on their mobile phone, even though 84 percent admitted to using this device for work. What's more, 36 percent said they reused the same password, and 60 percent were still writing down passwords on a piece of paper!

Employees Unaware of Security Risks

The Coalfire survey also revealed that nearly half (49 percent) of respondents said their IT departments had not discussed mobile security or cyber-security with them. Only 25 percent reported a discussion with IT, suggesting that 75 percent were left to exercise their own judgment.

What’s more, 51 percent said their company did not have the ability to remotely wipe data from their mobile device if it was lost or stolen — a huge problem if the device is also not password protected.

A BYOD Policy is Essential for Every Workplace

In order to reduce BYOD security risks, employers should implement a BYOD policy and update their other existing security policies to include the use of personal devices. They should also consider implementing the following initiatives.

5 Ways to Boost BYOD Security

•    Arm your employees with knowledge: Educate employees on the security risks and best practices for using personal devices in the workplace.

•    Power-on passwords: Enforce power-on passwords for all devices containing corporate data; a power-on password buys time to wipe a device in the event that it's lost or stolen. Companies should also extend their password-strength and password-expiry policies to personal devices.

•    Monitor business app usage: Require employees to provide IT with a list of the business apps they are using, along with the account information (username and password). IT should have permission to monitor these apps, and check them before they are shut down permanently (especially after the employee leaves).

•    Stronger authentication: Enforce a stronger authentication process if users are allowed to store sensitive data or trade secrets on their smart phones or tablets.

•    Encryption or nothing: Make encryption the price of being allowed to keep corporate data on personal devices. This can be challenging in mobile security because there are different encryption options for various mobile platforms. Build and maintain a list of ‘approved’ devices that meet your security criteria.
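The five controls above, plus the remote-wipe capability discussed earlier, can be turned into a repeatable compliance check over an MDM or inventory export. The script below is an added example, not Firmex's code; the device records, approved-model list, sanctioned-app list and policy thresholds are constructed for illustration and should be replaced with your own policy values.

```python
from dataclasses import dataclass, field

# Constructed policy values for illustration only; substitute your own BYOD policy.
APPROVED_MODELS = {"iPhone 5", "iPad 3", "Galaxy S3"}   # devices meeting security criteria
MAX_PASSWORD_AGE_DAYS = 90                               # password-expiry limit
MIN_PASSWORD_LENGTH = 6                                  # password-strength floor
SANCTIONED_APPS = {"corp-mail", "corp-docs"}             # business apps approved by IT

@dataclass
class Device:
    owner: str
    model: str
    power_on_password: bool
    password_length: int
    password_age_days: int
    storage_encrypted: bool
    remote_wipe_enrolled: bool
    holds_corporate_data: bool
    apps: set = field(default_factory=set)

def evaluate(device: Device) -> list[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    if not device.holds_corporate_data:
        return findings  # the policy only applies to devices carrying corporate data
    if device.model not in APPROVED_MODELS:
        findings.append("device model not on approved list")
    if not device.power_on_password:
        findings.append("no power-on password")
    elif device.password_length < MIN_PASSWORD_LENGTH:
        findings.append("password strength below policy")
    if device.password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than expiry limit")
    if not device.storage_encrypted:
        findings.append("storage not encrypted")
    if not device.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    for app in sorted(device.apps - SANCTIONED_APPS):
        findings.append(f"unsanctioned app that may hold business files: {app}")
    return findings

# Constructed sample inventory: one compliant device and one that fails several checks.
INVENTORY = [
    Device("alice", "iPhone 5", True, 6, 30, True, True, True, {"corp-mail"}),
    Device("bob", "Galaxy S3", False, 0, 200, False, False, True, {"dropbox", "corp-docs"}),
]

def report(devices=INVENTORY) -> dict:
    """Map each owner to that device's findings."""
    return {d.owner: evaluate(d) for d in devices}
```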

While the BYOD phenomenon can’t realistically be eliminated, employers can learn to adapt. Part of this involves being vigilant in protecting their corporate information. Without the proper guidelines and employee education in place, they could stand to lose a whole lot more than they bargained for.

Content courtesy of Firmex Virtual Data Rooms
