Mobile devices, such as smartphones and tablets, do not contain the security features businesses need, since the manufacturers market to the average consumer. Where RIM designed Blackberry for easy integration into business solutions, Apple designed their products to excite teenagers.
Now, because of their ease of use and availability, these mobile devices are being brought into the enterprise. Many companies believe that because users have these devices, they will increase their productivity by using them at home and work. Small businesses also believe allowing users to use their own devices decreases hardware costs. Nevertheless, most companies that allow BYOD underestimate the costs, configurations and time to efficiently and securely implement a BYOD policy.
In fact, most small to mid-sized businesses do nothing other than configure access to mail, calendars and maybe an incidental company application when adding personal devices to the network. This quick and simple configuration may allow basic communications to the company systems, but it causes security problems, which can end up costing the company, its partners and its clients much more in the long run.
The most prevalent security risk is lost or stolen devices, or devices dropped off for service. These devices are easily accessed, making personal and business data available to anyone and everyone. Applications installed on the device can be run by anyone holding the phone, since personal devices don’t usually have identity-related security controls. As a result, all personal and financial information and business applications are accessible.
By default these devices are usually configured to allow communications with all Wi-Fi and Bluetooth devices. Access to network infrastructures with no business security configuration makes it easy for systems to be hijacked, whether by attackers eavesdropping between two parties or by rogue devices that have gained unauthorized access to business networks.
Even so, access through secure networks can also be a security risk, because most of these devices do not support antivirus software. In the past 12 months, mobile viruses and malicious applications have increased more than 400 percent. On top of all these risks, standard devices do not allow or require data encryption. So, once a device is breached, all of its data is accessible.
While new versions of mobile devices and mobile device management solutions promise to increase integration into company networks, solutions currently fall short of this goal. Minimal Do’s and Don’ts for BYOD environments include:
- Do require and maintain complex passwords to access the devices.
- Do create a separate encrypted, secure and segmented container for business applications and data.
- Do not allow the same email application to access both personal and business email. Corruption or infection of that one application can spread to both systems.
- Do allow access only to the applications and data that are necessary.
- Do have a registration and provisioning system for the devices that allows for monitoring, remote application installation, locating and wiping of company data. Use the system to remotely install all company applications as well as mobile device systems updates, patches and security fixes.
- Do install antivirus and malicious application scanning solutions.
- Do disable the ability to access public Wi-Fi networks. Allow only known secure networks, such as the user’s home network and the company network.
- Do require all maintenance, updates and disposal of devices to be done by the company or by authorized vendors who follow specific security requirements.
- Don’t allow enterprise data to exist on a personal device. Instead, companies should use web applications that run on their own servers and only display information on the phone.
- Do educate all users on the secure and appropriate use of mobile devices. Once trained, require users to sign an appropriate usage policy, which gives the company the ability to manage, access and wipe devices as required to protect corporate assets.
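The controls above are the kind of checks a registration and provisioning system evaluates before a device is granted access to the business container. The following is an added example, not code from the article or from any particular MDM product: it assumes a hypothetical inventory record format and constructed policy thresholds (minimum passcode length, the set of approved networks), and returns the list of controls a device fails.

```python
import re

# Assumed policy thresholds (constructed for this example; the article names
# the controls but sets no specific values).
MIN_PASSCODE_LENGTH = 10
KNOWN_NETWORKS = {"corp-secure", "home-jsmith"}   # company and the user's home network

def passcode_is_complex(passcode: str) -> bool:
    """Enforce the 'complex password' rule: minimum length, all four
    character classes, and no character repeated three times in a row."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return (len(passcode) >= MIN_PASSCODE_LENGTH
            and all(re.search(c, passcode) for c in classes)
            and re.search(r"(.)\1\1", passcode) is None)

def compliance_failures(device: dict) -> list:
    """Evaluate one (hypothetical) MDM inventory record against the BYOD
    controls and return the controls it fails; an empty list means the
    device may be granted access to the business container."""
    failures = []
    if not device.get("enrolled"):
        failures.append("device not registered in the provisioning system")
    if not device.get("passcode_complex"):
        failures.append("device passcode does not meet complexity policy")
    if not device.get("work_container_encrypted"):
        failures.append("business data container is not encrypted")
    if not device.get("separate_work_mail_app"):
        failures.append("same mail client used for personal and business mail")
    if not device.get("antivirus_installed"):
        failures.append("no antivirus / malicious-app scanner installed")
    if device.get("public_wifi_enabled"):
        failures.append("public Wi-Fi access is enabled")
    unknown = set(device.get("saved_networks", ())) - KNOWN_NETWORKS
    if unknown:
        failures.append("unapproved saved Wi-Fi networks: " + ", ".join(sorted(unknown)))
    return failures

def grant_business_access(device: dict) -> bool:
    return not compliance_failures(device)

# Constructed sample records, as an MDM inventory export might report them.
COMPLIANT = {"device_id": "ios-0001", "enrolled": True, "passcode_complex": True,
             "work_container_encrypted": True, "separate_work_mail_app": True,
             "antivirus_installed": True, "public_wifi_enabled": False,
             "saved_networks": ["corp-secure", "home-jsmith"]}
NONCOMPLIANT = {"device_id": "android-0002", "enrolled": True, "passcode_complex": False,
                "work_container_encrypted": False, "separate_work_mail_app": True,
                "antivirus_installed": True, "public_wifi_enabled": True,
                "saved_networks": ["corp-secure", "CoffeeShop_Free"]}
```

In practice the record would come from the MDM's compliance API rather than a literal, and the failure list is what you would log and show the user at enrollment time.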
Using a combination of policies, access controls and mobile device management software, the confidentiality, integrity and availability of proprietary information can be kept intact.
Written by Jerry Irvine
Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT outsourcer, provides strategic direction for businesses and government entities, overseeing product innovation and implementation of the highest quality of service. In 2008, Irvine was selected to join the National Cyber Security Task Force, a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce. His expertise on cyber security has been featured in a number of national and industry publications, including The New York Times, CNBC and Wired magazine. You can connect with Jerry on Twitter and LinkedIn.