Bring Your Own Device (BYOD) initially started as a trend among employees because they are more familiar with their own devices and applications; what’s more, most organizations are behind on technology due to lack of funding or resources. Employees found that the same work could potentially be completed faster and more efficiently by using personal devices instead of the outdated and severely weathered equipment issued by their employer. However, this is more than merely using their own devices; it’s about ease of access and having the ability to work from any location—not just from the office.
It’s the employees’ personal devices and their knowledge of the equipment that allow them to be away from life in a noisy cube farm and still be able to perform their assigned duties. The daily struggle to combat their neighbor’s keyboard echoes and to apologize to prospective or current customers for the background noise consisting of the latest joke or other charades is more than enough reason to want to work remotely. But is ease of access worth the inevitable security risks?
It’s understandable that employers find it difficult to keep up with the latest technology, let alone the technological demands of their employees; these things cost money. However, proposing what some consider a “simple” solution presents dangers that extend way beyond dropping a cell phone in the toilet. These dangers, or risks, include a data breach or data leaks. “Bring in your own device and have the ability to work from anywhere.” Sounds simple enough, right? “My personal laptop is so much better than this old, clunky laptop that my company allows me to use, and I can do more work from my own laptop at home.” I can’t tell you how many times I’ve heard that exact statement, and my response is always the same: “I apologize, but we can’t take the risk of having you connect your device to our network because we don’t know if it’s secure or not.” But with a BYOD plan, it’s easy, right? Unfortunately, it’s not that simple.
BYOD is an acronym that makes every IT Security professional cringe. This isn’t due to the extra work associated with successfully implementing a BYOD solution. Instead, the thought of every employee being able to use their own devices (cell phones, laptops, etc.) on an organization’s internal network is absolutely terrifying due to numerous security risks.
The transition to personal devices involves a lot more than simply giving the go-ahead. There are several security concerns that companies must consider:
- What will the anti-virus solution be, and how will it be deployed and managed for mobile devices?
- What regulations do we need to adhere to for BYOD in order to maintain a compliant status?
- How will we regulate policies and access control to ensure that our data is safe?
- How can we ensure confidentiality, integrity and availability of company data?
- Will there be any accountability, and if so, how do we enforce associated procedures?
- How can we know for certain that our data is and will continue to be safe?
That is only a short list of security concerns, and nothing on that list even mentions asset management. Asset management utilities are a popular solution specifically for mobile devices, but they aren’t able to identify or discover malicious activity or any other security-related issues. Moreover, implementing that type of solution will mean that employees would have to allow their employers the ability to access their personal devices. This reality does not sit well with most employees as personal information resides on these devices. Each device would also have to be checked for malicious software prior to implementation. There is also the issue of compatibility; each device (since they will not all be the same) may not have the ability to interact with this specific application and so on.
It is almost certain that organizations will make the switch to BYOD in the foreseeable future. When that switch does happen, employees can facilitate a seamless execution by being more aware of what they access and what information they could potentially be sharing. Employers, on the other hand, need to ensure that a structured plan is put into effect prior to any action. The application of a solid asset management solution, policy enforcement, security monitoring and a security awareness plan is necessary. A network is only as secure as its weakest point, and we, as employees, need to do our part in following security measures and remaining aware of what is taking place on our devices.
Guest Author: Marty Coolidge