How worried should you be about BYOD security?
Businesses are increasingly allowing employees to choose their own devices or use personal kit to access corporate networks.
This brings a number of support challenges, not least in keeping corporate data safe. However, a recent study by Gartner shows that people are paying little regard to security when using their own devices for work.
According to the results, although a quarter of business users in the US owned up to having a security issue with their private device last year, only 27 percent of those felt it worth reporting to their employer.
Meike Escherich, principal research analyst at Gartner says, "The threat of cyber attacks on mobile devices is increasing and can result in data loss, security breaches and compliance/regulatory violations. One of the biggest challenges for IT leaders is making sure that their users fully understand the implications of faulty mobile security practices and to get users and management to adhere to essential steps which secure their mobile devices. For many organizations, overcoming BYOD security challenges is a full-time task, with a host of operational issues".
Using a personal device for work-related tasks carries an inherent risk of security breaches. That leaves IT departments struggling to come up with the right mix of defenses to balance protection, compliance and usability.
California recently attempted to legislate for a "kill switch" that would allow a phone to be remotely shut down and the hardware rendered unusable. This failed to make it into law, but Jeff Rubin, VP of Strategy at security specialist Beachhead Solutions says, "A company's BYOD policy probably gets a little murkier with a hardware kill switch. Does the business control the kill switch? Does the employee? It would be harder to see the company wrestling control of it, since users would be reluctant to cede that power to something that they own. So, the only reasonable answer for ownership of the hardware kill switch in a BYOD setting is the user themselves. The company's option, though, could be to get that data on employee's device securely containerized, so that the company may can be able to only kill those applications that contain corporate data. In this case, the company still owns a kill switch (for the subset of applications it cares about), it's just not a switch that determines the fate of the whole phone -- that decision can be left to the employee".
Ryan Kalember, the chief product officer of WatchDox, a provider of secure mobile productivity and collaboration solutions is positive about the kill switch idea, "Generally speaking, enterprises worry about their mobile users' email, calendars, contacts and files -- proper enterprise mobility solutions will be able to keep that data synced with a server so that IT can wipe it from the device without touching the personal content or losing anything important. In that sense, a device kill switch provides a nice fail safe for the corporate mobility tools, as people are probably more likely to report a stolen device to the police before they inform their IT department".
The idea of having separate personal and company areas on the same device is common to many BYOD protection solutions. Omer Faiyaz CEO of device management specialist Remo Software says that, "A segment on the device can be used to separate company and personal data. It's also a good idea to use features like Remo MORE's family app store to ensure that only approved apps can be installed".
We've seen hardware manufacturers taking the threat of lost mobile devices more seriously too with this week's announcement by SanDisk of a self-encrypting drive. This protects against data loss from lost or stolen devices and allows for central management by the IT department.
There are plenty of solutions available to make BYOD work in a safe and secure way, but it seems that businesses need to take the threat seriously and put appropriate policies and tools in place.
Gartner's Ms Escherich concludes that currently, "...BYOD laptop, smartphone and tablet security policies are still incomplete in many companies, and contain gaps and other inconsistencies that don't measure up to business obligations. Many enterprises (especially in the smaller and midsize sector) lack the proper organizational structures to create these policies and must reorganize to provide the necessary governance for a successful mobility implementation".
If this has sparked your interest BYOD security threats and trends will be discussed at the Gartner Security & Risk Management Summit which takes place on June 23-26 in National Harbor, Maryland.