Bring your own device
security and risk in mobile device programs
With mobile devices increasingly embedded into all parts of our personal lives, organizations are finding that their employees increasingly want to use their own personal mobile devices to conduct work (often alongside corporate-provided devices), and many are reaching out to corporate IT for support.
In the current economic environment, companies are demanding that employees be more productive: having a robust mobile program that allows personal devices to be used safely in a work capacity can raise employee productivity and be a significant competitive advantage. It can even yield higher recruiting acceptance rates.
An employee IT ownership model, typically called bring your own device (BYOD), presents an attractive option to organizations. BYOD significantly impacts the traditional security model of protecting the perimeter of the IT organization by blurring the definition of that perimeter, both in terms of physical location and in asset ownership.
With personal devices now being used to access corporate email, calendars, applications and data, many organizations are struggling with how to fully define the impact to their security posture and establish acceptable procedures and support models that balance both their employees’ needs and their security concerns.
We have divided the risk landscape into three areas:
1. Securing mobile devices
Security risk expands both with a more diverse device portfolio and as a function of the number of devices. Because a BYOD deployment invariably includes a wider range of device types, the same security controls that were previously applied to a single device type now have to be applied to a multitude of hardware and operating system combinations, often with differing levels of effectiveness.
In addition, end users often have more than one device and would like to connect multiple devices to the organization’s infrastructure, which increases the net number of devices that must be secured. As a result, basic security controls may not be consistently and effectively implemented across the collection of devices.
When it comes to mobile devices, well-developed programs should be based on an understanding of different user types and a clearly defined set of user segments. Risks relating to securing mobile devices are categorized into five basic concerns:
- Lost and stolen devices
- Physical access
- The role of end user device ownership
- Always on with increased data access
- Lack of awareness
2. Addressing app risk
Apps have largely driven the smartphone revolution and have made it as significant and as far-reaching as it is today. While apps demonstrate utility that is seemingly bound only by developer imagination, they also increase the risk of supporting BYOD devices in a corporate environment.
As the organization enables employees to bring their own devices, the need to use those same devices to access work-related data inevitably presents itself. This presents two main security risks:
- Malicious apps (malware): the increase in the number of apps on the device increases the likelihood that some may contain malicious code or security holes
- App vulnerabilities: apps developed or deployed by the organization to enable access to corporate data may contain security weaknesses
3. Managing the mobile environment
BYOD increases the organization’s management effort, both for maintaining an accurate inventory of the mobile devices, keeping mobile operating systems’ software up-to-date and supporting the increasing number of device types.
The device evolution and turnover cycle is two to three years in the consumer mobile space, versus the usual four- to six-year hardware cycle in traditional PC asset inventory. Due to the accelerated device turnover and high rate of new user adoption, organizations often struggle to maintain an accurate inventory of enrolled mobile devices.
Additionally, within the hardware life cycle, there are often multiple upgrades to the operating system, which can be customized by individual cellular carriers at their own discretion and pace, and initiated by the end users. While not a direct security risk, unmanaged devices form a hidden security problem as they may lack corporate security controls and patch management.
Addressing governance and compliance issues
Using a personal device for work will implicate employee labor law protections in Europe and other data privacy-focused regions, and a range of legal and regulatory risks will be amplified when deploying a BYOD program.
These issues include:
- Privacy governance
- Data protection
- Right to be forgotten and erasure
- Monitoring (privacy at work)
- Breach investigation and notification
- Data ownership and recovery
By leveraging industry leading practices, integrating a thoughtful BYOD policy and adopting strategies that are flexible and scalable, organizations will be better equipped to deal with incoming (sometimes unforeseen) challenges to their security infrastructure posed by the use of employees’ own devices.
Download the full report to discover more about the main risks of BYOD and potential steps to address these risks based on your organization’s current and most urgent challenges. We also detail different geographical regulatory and legal considerations that will affect your BYOD strategy.
Challenges or barriers facing BYOD deployment
Source: Forrester, Key strategies to capture and measure the value of consumerization of IT, July 2012