Employees accessing corporate work on their mobile devices is a widely accepted and continually growing trend called bring your own device (BYOD). According to a Gartner Inc. study, "Seventy percent of mobile professionals will conduct their work on personal smart devices by 2018." While strengthening an organization's mobile security policy is important, it is only one of several areas of concern in bring your own device security.
People hunched over a handheld device with a myopic stare are a common sight today. Whether on a smartphone, tablet or laptop, people are either communicating with friends and family or doing business they would otherwise do in the office, all on the same device.
If BYOD is permitted by an enterprise, there should be a strategy implemented that focuses on four major areas: policy, compliance, mobile device management and security.
Since BYOD mobile devices can contain both personal and enterprise data, a mobile security policy should define a minimum configuration standard that requires malware detection and prevention software, firewall software, two-factor authentication for access to the enterprise environment, GPS location services, separate containers for personal and enterprise data, and strong password controls.
The policy should also require the BYOD user to sign an acceptable use agreement (AUA). The AUA -- typically signed by all employees on an annual basis -- states an agreement to abide by the company's information security and privacy policies and acknowledges that company-issued devices are used exclusively for company use. The AUA also contains a user's agreement to relinquish their right to privacy since the device may require monitoring typically performed on company-issued devices. The BYOD user should acknowledge and agree that personal devices that contain both user and enterprise data could have personal data deleted in the event the device is stolen. This will limit the company's liability. It is the users' responsibility to ensure their personal data is regularly backed up as a contingency.
Strong bring your own device security management includes:
- Registration: All BYOD mobile devices need to be registered and inventoried stating location, owner, device type and model
- Acceptable use agreement: The AUA must be signed by each BYOD user, who agrees to abide by the provisions listed
- Location services: All BYOD devices must have location services active in the event of loss or theft
- Baseline: A template that defines baseline security needs to be established for each mobile device for it to be eligible for BYOD
- Malware and antivirus protection: All BYOD devices need to have malware and antivirus protection that is active, current, non-modifiable by the end user and monitored for compliance
- Backup: All BYOD devices must have a remote backup of enterprise data and must be monitored for compliance at least once a week.
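The registration, baseline and monitoring items above are the kind of checks a security team runs on a recurring schedule against the device inventory. The following is an added example, not code from the article or its author: a small Python compliance check that evaluates constructed BYOD inventory records against the baseline described here (registered, AUA signed, location services on, malware protection active, current and not user-modifiable, enterprise backup within the last week). The record fields, the three-day signature-age threshold and all sample values are assumptions made for illustration.

```python
"""Baseline compliance check for BYOD inventory records (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

BACKUP_MAX_AGE = timedelta(days=7)          # article: backup monitored at least once a week
AV_SIGNATURE_MAX_AGE = timedelta(days=3)    # assumption: "current" means signatures updated within 3 days


@dataclass
class Device:
    """One inventory record; field names are constructed for this example."""
    device_id: str
    owner: str
    device_type: str
    model: str
    location: str
    registered: bool
    aua_signed: bool
    location_services_on: bool
    av_active: bool
    av_signatures_date: Optional[date]
    av_user_modifiable: bool
    last_backup: Optional[date]


def check_device(dev: Device, today: date) -> List[str]:
    """Return the baseline violations for one device; an empty list means compliant."""
    findings: List[str] = []
    if not dev.registered:
        findings.append("not registered in inventory")
    if not dev.aua_signed:
        findings.append("acceptable use agreement not signed")
    if not dev.location_services_on:
        findings.append("location services disabled")
    if not dev.av_active:
        findings.append("malware/antivirus protection not active")
    elif dev.av_signatures_date is None or today - dev.av_signatures_date > AV_SIGNATURE_MAX_AGE:
        findings.append("malware/antivirus signatures out of date")
    if dev.av_user_modifiable:
        findings.append("malware protection modifiable by end user")
    if dev.last_backup is None or today - dev.last_backup > BACKUP_MAX_AGE:
        findings.append("enterprise data backup older than 7 days or missing")
    return findings


def compliance_report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map every device id to its list of findings (empty list = compliant)."""
    return {d.device_id: check_device(d, today) for d in devices}


def noncompliant_ids(report: Dict[str, List[str]]) -> List[str]:
    """Device ids that have at least one finding, in inventory order."""
    return [dev_id for dev_id, findings in report.items() if findings]


# Constructed sample inventory: one compliant device and two with gaps.
AS_OF = date(2024, 6, 10)
SAMPLE_DEVICES = [
    Device("byod-0001", "a.user", "smartphone", "model-X", "HQ", True, True, True,
           True, date(2024, 6, 9), False, date(2024, 6, 5)),
    # AUA not signed and last backup 11 days old
    Device("byod-0002", "b.user", "tablet", "model-Y", "Branch-2", True, False, True,
           True, date(2024, 6, 8), False, date(2024, 5, 30)),
    # AV disabled, AV settings user-modifiable, location services off
    Device("byod-0003", "c.user", "laptop", "model-Z", "Remote", True, True, False,
           False, None, True, date(2024, 6, 9)),
]

if __name__ == "__main__":
    for dev_id, findings in compliance_report(SAMPLE_DEVICES, AS_OF).items():
        status = "COMPLIANT" if not findings else "NON-COMPLIANT: " + "; ".join(findings)
        print(f"{dev_id}: {status}")
```

In practice the records would come from the MDM or asset inventory rather than an inline list, and each finding would feed a ticket or a notification to the device owner, but the evaluation logic is the same: every baseline item becomes an explicit, testable rule with its own threshold.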
Enterprise devices that contain sensitive data are subject to regulatory and other compliance requirements. This data is no less sensitive if it resides on a user's personal mobile device. Those devices should be subject to the same compliance requirements as company-issued devices. It is possible that specific regulations and compliance mandates might have issues with regulated data residing on the same device as end-user personal data. An assessment needs to be performed before BYOD use is approved for a user.
A major compliance issue relates to software licensing. BYOD users need to understand they may not be permitted to download mobile apps that go against the established device baseline or that can adversely affect the integrity or security of enterprise data. This needs to be vetted and communicated with each BYOD user.
Mobile device management
Mobile device management (MDM) systems provide the ability to secure, monitor, manage and support mobile devices. This includes all types of mobile devices, such as smartphones, tablets and notebook computers. MDM allows security teams to manage tracking, security and mobile applications on every BYOD device remotely from a central management console.
MDM also allows the company to track the location and travel activity of the device. It can enforce password policies, date and time restrictions, lock and unlock the BYOD device, and send kill switches to erase corporate -- and possibly personal -- data. MDM can also block or allow the use of BYOD mobile apps. It can place date and time restrictions on an app, including whether data can be uploaded or downloaded by the mobile app.
BYOD employees need to understand the capabilities of MDM and agree to its possible use on their device. While this may seem to be an invasion of privacy, users should remember that BYOD is not mandatory.
Bring your own device security
BYOD security issues can be managed by using MDM features or ActiveSync, which can send a kill switch to wipe the entire contents of the BYOD mobile device. Without MDM, tracking, password enforcement, app control and usage monitoring, and GPS location services can be mandated by policy, but not enforced.
Smartphones have built-in security features through vendor services. However, the enterprise may not have control over those features since the BYOD mobile device is under contract with the user.
The importance of bring your own device security
The convenience of BYOD has its advantages -- users only have to worry about one device instead of two, for instance -- but enterprises need to consider formalizing a strong and comprehensive bring your own device security policy that is understood and agreed upon by all BYOD users.
Additionally, the enterprise needs to consider insurance coverage over the BYOD device. This will be a challenge since the insurance carrier may require minimum baseline security, monitoring and enforcement. There may be tax implications with BYOD that enterprises should also consider.
BYOD is dependent on business risk but is gaining momentum and popularity. The enterprise needs to seriously consider the bring your own device security implications and, before permitting this practice, weigh user convenience, company liability, user understanding of signing the AUA, overall cost, regulatory risks and compliance, information security, and, of course, a strong mobile security policy.
About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Villegas has been a chief information security officer for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.