Mobile BYOD Security Can’t Be Ignored

Recent research from BT into BYOD policies revealed that, although over four in five companies say they already allow BYOD or will do so within the next 24 months, significant security concerns remain, with BYOD placed in the same league as other cyber-security threats to the corporate network.

It is one thing for employees to want to access organisational resources from within the corporate infrastructure – the real problems come when it comes to integrating a BYOD policy with a cloud-based infrastructure. Given that both cloud and BYOD are here to stay, is it time for CIOs to start bringing cloud-based applications and BYOD together?

Although there is a risk in implementing cloud and BYOD at the same time, it can also be argued that implementing an effective BYOD strategy without a cloud-based architecture is too costly. A truly effective BYOD model therefore needs to be tightly integrated with a cloud-based architecture.

Of course, these cloud solutions range from the lighter cloud model, where users interact with web-based applications such as Google Docs, to a virtual desktop model, where they log in to a portal and share ‘nailed down’ applications and workspaces. The models differ greatly in cost, support and security; however, both avenues should still lead to a reduced total cost of ownership per employee.

Allowing a multitude of devices onto the corporate network obviously increases the risk of attack on the infrastructure, widening the attack surface available to attackers. It is often argued that CIOs would be better off catering only for a handful of the most popular devices, and there is much to be said for a reduced platform footprint, but one aspect which should not be overlooked is that these devices belong to the employees: traditional ‘rules’ and mandates for enforcing updates may simply not work.

IT managers should, however, be able to address many of the obvious vulnerabilities through application tunnels, blacklisting, whitelisting and dynamic context-aware policies, alongside the blocking of rogue devices, unauthorised users and non-compliant applications. Corporate governance and security frameworks will nevertheless be severely tested as employees leave, taking sensitive enterprise data with them on their mobile devices.

Although device diversity can be an issue, with the possibility that cloud apps are unable to cope with the demands of many differing OSs, mobile device management can help address this. One of the simplest methods is to provide applications only for the platforms the company wishes to encourage. Should a company fear the widespread use of ‘rooted’ Android devices and their associated security weaknesses, for instance, it can attempt to steer employees towards BlackBerry or iOS applications.

Mobile device management can deliver the manageability, maintenance and governance aspects for mobile applications and the mobile infrastructure landscape. It can also help with the major problem of lost devices and the corporate data lost with them. An effective policy, and prior education of staff, will ensure that the company can wipe a lost device without fear of a lawsuit. Of course, the company first has to be informed that the device is lost.

That issue alone will give many IT managers nightmares. Mobile device management can also assist in the necessary review of the regulatory, industry and corporate policies to which an organisation is beholden, such as HIPAA, or guidelines such as those issued by the SEC. It is crucial that the corporation’s mobile strategy supports current compliance controls.

IT security is often said to be a blend of people, process and technology, a combination which is critical when considering BYOD. Educating users is crucial: there have to be clear messages from management as to which applications are to be avoided, and why the organisation considers them a threat. It may also be wise to implement tiered access levels to cloud services and applications across the organisation, so that access is granted only on an ‘as needed’ basis.
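As an added illustration, not taken from the original article, of what the ‘dynamic context-aware policies’ mentioned earlier and tiered, as-needed access to cloud applications can look like in practice, the following Python example evaluates a request from a BYOD device against its reported posture (platform, OS version, rooting, MDM enrolment, encryption, installed apps), an application blacklist, per-role application tiers and the network it is connecting from. Every platform name, version threshold, package name, role and application mapping is an assumption chosen for the example, and the sample requests are constructed.

```python
"""Context-aware access decision for BYOD devices reaching cloud applications.

Added example, not from the original article. Every threshold, role, app and
package name below is an assumption chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """What an MDM agent or enrolment check can report about a device."""
    platform: str                 # "ios", "android" or "blackberry"
    os_version: Tuple[int, ...]   # e.g. (7, 1) for iOS 7.1
    rooted: bool                  # rooted or jailbroken
    mdm_enrolled: bool
    storage_encrypted: bool
    installed_apps: FrozenSet[str]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str        # "staff", "finance" or "admin"
    device: DevicePosture
    app: str         # cloud application being requested
    network: str     # "corp_wifi", "cellular" or "public_wifi"


# Minimum OS version per platform the company is prepared to support (assumed).
MIN_OS_VERSION = {"ios": (7, 0), "android": (4, 4), "blackberry": (10, 0)}

# Blacklisted apps: a consumer file-sync client (assumed package name).
APP_BLACKLIST: FrozenSet[str] = frozenset({"com.example.consumersync"})

# Tiered access: roles permitted to reach each cloud application (assumed).
APP_TIERS = {
    "webmail": {"staff", "finance", "admin"},
    "crm": {"finance", "admin"},
    "payroll": {"finance"},
    "admin_console": {"admin"},
}

# Applications that must not be reached from networks the company does not control.
SENSITIVE_APPS = {"payroll", "admin_console"}


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). An empty reasons list means access is granted.

    Every failing check is recorded rather than short-circuiting, so the user
    (and the helpdesk) can be told exactly why a device was refused.
    """
    reasons: List[str] = []
    d = req.device

    # Device posture checks
    if d.platform not in MIN_OS_VERSION:
        reasons.append(f"platform {d.platform!r} is not supported")
    elif d.os_version < MIN_OS_VERSION[d.platform]:
        reasons.append(f"{d.platform} {d.os_version} is below the minimum version")
    if d.rooted:
        reasons.append("device is rooted or jailbroken")
    if not d.mdm_enrolled:
        reasons.append("device is not enrolled in MDM")
    if not d.storage_encrypted:
        reasons.append("device storage is not encrypted")
    blocked = sorted(d.installed_apps & APP_BLACKLIST)
    if blocked:
        reasons.append(f"blacklisted apps installed: {', '.join(blocked)}")

    # Tiered, as-needed access to the requested application
    permitted_roles = APP_TIERS.get(req.app)
    if permitted_roles is None:
        reasons.append(f"unknown application {req.app!r}")
    elif req.role not in permitted_roles:
        reasons.append(f"role {req.role!r} is not permitted to use {req.app!r}")

    # Context: sensitive apps only from the corporate network
    if req.app in SENSITIVE_APPS and req.network != "corp_wifi":
        reasons.append(f"{req.app!r} may not be reached from {req.network!r}")

    return (not reasons, reasons)


# Constructed sample devices used to exercise the policy.
COMPLIANT_IPHONE = DevicePosture("ios", (7, 1), False, True, True, frozenset({"webmail.client"}))
ROOTED_ANDROID = DevicePosture("android", (4, 1), True, False, False,
                               frozenset({"com.example.consumersync"}))


def demo() -> dict:
    """Evaluate three representative requests and return their decisions."""
    return {
        "staff_webmail": evaluate(AccessRequest("alice", "staff", COMPLIANT_IPHONE, "webmail", "public_wifi")),
        "rooted_crm": evaluate(AccessRequest("bob", "finance", ROOTED_ANDROID, "crm", "cellular")),
        "payroll_public": evaluate(AccessRequest("carol", "finance", COMPLIANT_IPHONE, "payroll", "public_wifi")),
    }


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The policy deliberately collects every failed check instead of stopping at the first one: a user whose rooted, unenrolled Android is refused can be told all the conditions to fix, which is also the ‘why’ the education paragraph above calls for. Real deployments would take the posture fields from an MDM or conditional-access service rather than constructing them by hand.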

Mobile BYOD security is uncharted territory for IT professionals, though with an anticipated explosion in the number of smartphones and tablets used by employees in the next few years, it is not an issue they can afford to ignore.

Kevin Curran is a Reader in Computer Science at the University of Ulster. His achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes. He has published over 700 works to date. He is the Editor in Chief of the International Journal of Ambient Computing and Intelligence (IJACI). He is a regular contributor to TV, radio and press on topical issues in computer science. Dr Curran is a senior member of the IEEE, a Fellow of the Higher Education Academy, a Fellow of the British Computer Society and is listed by Marquis in their prestigious Who’s Who in Science and Engineering, the Dictionary of International Biography and Who’s Who in the World.