Loss. Theft. Data leak. Device hack. Mobile malware. Communication security. These are just some of the major security concerns companies need to deal with when facing the hardly escapable reality of BYOD (bring your own device), which is otherwise great in terms of productivity and speed of work.
The gains in productivity come with many risks, as employees often consider these devices job perks. This, they feel, entitles them to use the same device for both work and personal stuff and to install anything they want, including games and other apps. The more fun it gets, the higher the risk of a security compromise becomes. And this is just one aspect...
First and foremost, educate the user
Since the first weak link in the chain is usually the user, every organization must take care of that via regular briefings and training. It's easy to become ignorant without someone reminding you of the dangers you can't see. And there's always someone waiting for you to lower your guard.
The biggest risk is at the user level, and that should be the heart of any mobile device management strategy.
There are significant challenges to protecting mobile devices, even in a well-managed, one-device system. For one thing, smartphones and tablets are portable, and hence are very likely to be stolen or lost.
According to Lookout Mobile Security, 1 in 10 smartphone users in the US are victims of phone theft. This is a pretty high risk and it doesn't even include device loss!
And the Consumer Reports National Research Center reported that 2.1 million Americans had their phones stolen in 2015, while another 3.1 million smartphones were lost, according to a nationally representative survey. This is like the population of Norway!
Often, people aren't even sure if their phone was stolen or lost. So, instead of reporting it and having it remotely wiped, they keep searching in the hope of finding it. This can give data thieves a significant window to work with a stolen phone.
VPN could be criminals' door to your business
What usually sounds like a good idea for securing corporate mobile devices is using them within a virtual private network (VPN). Yes, this can protect against man-in-the-middle attacks, for example, but it can also offer a new, possibly unprotected avenue should someone be able to access an unlocked device.
Users often have their passwords set as remembered on their devices, meaning that if someone obtains unfettered access to the device, they may very well have access to the environment itself. A mobile device is essentially a small computer and can do much more than simply check your email these days.
With or without BYOD, get an MDM
Today, with so much business getting done via smartphones, tablets, and laptops, it is a must for every serious organization to deploy a mobile device management (MDM) system. You can't just hope your employees will never lose their devices or have them stolen, can you? And you can't just ignore malware and espionage, right?
It really doesn't matter if your company allows BYOD or not. Every device is a risk and that needs to be addressed.
Researching MDM solutions takes time and effort, just like deciding which devices the organization is willing to support and determining exactly how much freedom to allow the individual user. But still, it's a job that needs to be done ASAP.
From a security and management standpoint, most IT professionals will agree that a single-device ecosystem with strong MDM would be ideal. The more devices added, the more updates to keep track of, the more application versions you need to test and keep on your company store, and the more your support team needs to keep abreast of to support their employees.
BYOD was thought to be a cost-saving measure, taking the onus off the employer supplying the device. The hidden costs of revising policy, implementing mobile device management solutions compatible with multiple devices (a problem that becomes even more difficult if tablets and laptops are included), and support costs for help desk as each new device requires documentation and training, are enough that any hardware savings might be fully negated.
Regardless of whether an organization is doing BYOD or not, there are several guidelines for mobile device security that IT professionals can agree upon.
How to tackle the risks of BYOD
- Mobile devices need anti-malware software. If your organization allows or uses even one application that is downloaded from an outside source, then an anti-malware solution should be added to your repertoire.
- Secure mobile communications. All routinely used communication on your mobile device should be secured by some form of encryption. VPNs should be used for communication between device and company servers.
- Strong authentication/better passwords. Many new devices provide new authentication methods such as fingerprint scanners or facial recognition. These security methods should be implemented where available. Passwords need to be longer and stronger. Set minimum complexity requirements and communicate them clearly to users. Separate passwords should be used for applications touching company data or network, so that possession of the phone and cracking the device password does not give full network/data access.
- Limit supported devices. If implementing BYOD, communicate a managed list of acceptable devices. As stated, the more devices listed, the more your organization has to support, whether for troubleshooting, security concerns, compatible application versions, etc.
- Control third-party software. Manage and review a list of applications that your organization deems safe. Ideally, provide your own company store with applications deemed safe. Make sure that if employees require a new application, they submit it to IT for review.
- Implement an MDM system. Whether using BYOD or a single device system, policy needs to be managed and enforced by a strong mobile device management system. The above considerations can almost all be tackled by a good MDM.
BYOD offers significant challenges to IT and may bring more trouble than benefits. You may not really be saving money by implementing BYOD. If strong policies are not enforced by a good mobile device management system, you may be opening yourself to a great deal of security risks. Remember that a limited scope of device support will save your organization a great deal in terms of support costs, ease of implementation, and security. If implementing BYOD, bear in mind the adage “less is more”.
Most importantly, education and information are key to any strategy. Your policies and the reasons for any decisions regarding accepted or denied devices/applications should be clearly communicated. This will improve the trust between employees and employers, and help ensure that device policies will not be circumvented.
If you need to learn more about MDM and securing device environments, make sure you take a look at our Secure Phone Administration System (SAS), which we developed specifically for the remote management and control of our Secure Phone line of encrypted communication smartphones.