Technology companies need to address the bring your own device (BYOD) trend with an evolving but clear mobile device security policy, experts say.
According to a mobile security survey of more than 400 IT and security professionals conducted by SearchSecurity.com in the first quarter of 2012, 64% of companies have a written mobile device security policy. CISOs at many companies have lagged in developing policies, but those still without a policy need to put one together as soon as possible, experts say.
Mobile security survey
Survey results: Audio slideshow of the SearchSecurity.com 2012 enterprise mobile security survey.
"BYOD is happening; it just may not be documented or supported," said Chenxi Wang, vice president and principal analyst at Forrester Research Inc.
With the advent of such mobile devices as smartphones, laptop computers and tablets, the popularity of BYOD has risen. Employees became accustomed to having the latest technology in their personal lives and have brought that expectation to work. Younger workers have grown up using the technology and expect to use it at work, said Pete Lindstrom, vice president of research at information security analyst firm Spire Security.
Some firms have chosen to ignore the growing number of employee-owned devices appearing in the workplace, but other companies have responded to the consumerization of IT trend through formal BYOD policies. Whether a company's security team has a policy in place or is thinking about creating one, they should be aware that the policy will need to be reevaluated frequently, said Darrin Reynolds, vice president of information security at Diversified Agency Services, a division of Omnicom Group Inc.
"We're too new at this to fully digest it," Reynolds said, adding that the technology surrounding mobile devices is both changing and still being realized.
SearchSecurity.com's survey also found that 36% of companies require users to sign a legal document giving the firm limited control over device data. Forrester Research's Wang doesn't believe this is a growing trend. Companies that have liability concerns might require employees to sign a legal document, but most companies who have employees sign a policy don't need to do both, she said.
The survey found that firms rarely require that device data be backed up. Eighty-nine percent of companies have no backup requirement for personal devices, and 56% have no backup requirement for company-issued devices. Companies often recommend that employees back up personal devices but don't require it, Wang said. She thinks there is another reason why backup is unpopular for mobile devices: "Somehow [they have] a transient nature in people's minds."
Technology users don't think about having to do backups because they can get another device very easily. In fact, many users replace their devices every two years, Wang said. With the emergence of iPads and other tablet devices, however, she anticipates that this attitude will change as users begin to create more content on their mobile devices.
How to clear the BYOD security policy hurdle
Spire Security's Lindstrom believes that companies should treat their policy as a living document that can be changed to address emerging issues and trends. "You need a policy that is live enough so that you're not going to get in the way of innovation."
For now, however, policy implementation should follow certain steps, Diversified Agency's Reynolds said. Before they jump into policy creation, CISOs can oversee an assessment to understand the risk and identify the issues that need to be addressed. From there, policy creators can decide which policies need to be in place and how they can be enforced. The final step before implementation is to communicate the policy effectively and get upper management support, he said, adding that when people know what's coming and the bosses are on board, implementation will be much easier.
While a completed mobile device security policy might differ from company to company, every policy should address certain issues, Reynolds said. A good policy speaks to theft and loss, safeguards, and backup for both personal and company-owned mobile devices. Most important, he said, is that the message is memorable. If it is, employees will alter their behavior and embrace safer practices.
A mobile device policy also should address any financial or ownership considerations, particularly any questions of data ownership, Lindstrom said.
Once a policy is in place, companies must decide how they will enforce its rules, or whether they will enforce them at all, Forrester's Wang said. Because enforcement is part of the still-developing BYOD phenomenon, it can be difficult for companies to decide how to do it and how to pay for it. Enforcement, like the policy itself, must be fluid.
"You need to look for a way to embrace new technology with new controls," said Lindstrom.