Ovum recently published a report stating that the role of the IT department is being reduced, with control being handed over to employees who are bringing consumer devices to work.
‘Bring Your Own Device’ (BYOD) is a top trend within today’s workplace, with a growing number of organisations now welcoming employee-purchased consumer devices – laptops, smartphones, tablets and notebooks – into the enterprise.
For the most part, these devices can access corporate networks so long as they adhere to a usage agreement established by the organisation. Ovum analyst Adrian Drury recently stated that “employees’ own devices are used in parallel to the desktops and smartphones that are already given to them by the company”, signalling that employees increasingly expect to be able to use their own devices for work purposes.
Although BYOD policies do include laptops, most of the influx into the enterprise is of consumer mobile devices. So should we be concerned? The reality is that most mobile devices require less management than traditional PCs, and – particularly if a company’s services are available over the Web – those services can be delivered to mobile devices efficiently.
Mobile devices generally have inbuilt encryption, and don’t need as much malware or data-leakage protection; they also don’t require port control. Mobile devices that have baseband communication – smartphones and many tablets or netbooks – also have inbuilt tracking to locate a lost or stolen device, and erase data when lost.
Policy management may also be easier, since many mobile devices have ways to set password policies, control what apps are being installed, and supply network credentials and other security parameters for devices.
Despite the fact that mobile devices are easier to secure than many other devices, there is no doubt that with so many new and unknown devices accessing the corporate network, the infrastructure needs to be set up in such a way that all devices can be supported and secured.
There are various ways of achieving this, and first and foremost, the basic infrastructure needs to be reinforced and improved with a VPN and authentication servers. However, a VPN with password protection is not enough: organisations must be able to properly identify and authenticate the mobile devices that interact with or gain access to the corporate environment.
Authentication doesn’t have to mean investing in potentially costly security hardware such as tokens; in fact, by deploying soft tokens or digital certificates to mobile devices, organisations can benefit from a low-cost option that is easy for end users. This option also removes the obstacles that can make a traditional enterprise-wide deployment of physical one-time-passcode (OTP) tokens impractical.
The mobile device itself can also be used as a smartcard, providing a flexible, convenient and low-cost method of authentication. In fact, with emerging technologies such as Near Field Communication (NFC), it looks as though mobile devices will become ever more widely used as identity-based authenticators.
There are other issues to consider around BYOD, such as data segregation – managing and organising both personal and corporate data and information. After all, do companies really want to back up employees’ holiday photos?
Since there is clearly a blurring of personal versus corporate use of mobile devices, organisations should consider a comprehensive Acceptable Use Agreement involving the CISO, as well as HR and legal departments, to ensure that everyone is singing from the same hymn sheet.
BYOD, the consumerisation of IT, is one of the biggest trends in the workplace today, and with the continued growth of mobile devices and tablets, it’s wise for IT administrators and CISOs to embrace the change rather than take a stand against it. Ultimately, there are many benefits to embracing BYOD; for example, by purchasing fewer devices for employees, you free up money to spend on improving the infrastructure.
However, in making these improvements, security needs to be a top priority, as it’s crucial to keep on top of who and what is accessing the corporate network, at all times. The only way businesses can mitigate the risk of outside intrusion is to shore up the basic infrastructure with appropriate layers of security, and to educate employees so they understand why there is a corporate policy in place, with clearly set guidelines around what they can do to protect their own devices.