The growing movement towards “bring your own device” (BYOD) is causing headaches for companies looking to secure their networks, but far from introducing blanket bans, organisations should be looking to reassess their strategies for working with this new trend.
The consumer market will always be ahead of the corporate market when it comes to adopting new technologies – whether they be smartphones, tablets or the next big thing – and there are important benefits to companies allowing their staff to connect to their networks using their own devices.
These range from increased productivity from using devices with which they’re comfortable, to procurement spending less re-equipping employees who are generally upgrading themselves. There’s also an argument that staff morale will improve because they can use their gadget of choice.
While those controlling network access – from business owners to security officers – may break out in a sweat at the thought of having to manage all these devices securely and protect the integrity of their own systems, the secret is to control their usage through education and understanding. This is as big a problem at SME level as it is for enterprise managers.
According to a survey published earlier this year (2011) by Juniper Networks, more than half of mobile device users are accessing employer networks without permission, and the majority of them do not follow the company’s security procedures.
The best way to avoid security issues arising from incidents like these is by educating staff and setting out a clear mobile device policy – which too many companies still do not have. Without this type of policy in place, companies are simply inviting disaster.
Also, the problem is not just about protecting critical systems from being accessed by unauthorised devices, but about how data on those mobile devices is protected. Although people are using their own devices to access company information, they often have a very different view of security, and they certainly do not regard the loss or theft of a smartphone with the same level of alarm as they would the loss of a laptop – despite the fact that many smartphones now have similar capabilities to laptops. Again, this is a case of education and of setting out clear policies.
A crucial part of any policy needs to be set out around how the network is accessed. You cannot allow staff to get onto the network from random access points; all connections need to be funneled securely through one security device. You also need to be able to set different access levels. Most people do not bother to encrypt mobile devices, but when they bring them into the office they should be subject to the same control and filtering as every other piece of equipment.
Furthermore, even if you cannot ensure against a mobile device being subject to a malware attack when outside the business network, solutions can be put in place that prevent this malicious software from infiltrating the corporate network.
From enterprise to SME level, systems are readily available that can differentiate between devices; for example, whether a device is a secure one handed out by an IT department or a personal mobile device. These solutions put each device through a series of configurable checks, from looking for keyloggers to checking that anti-virus signatures are up to date.
Any issues found – such as signatures being more than a month old – would mean that access levels for that device would be restricted. Effectively quarantining the device would mean that the integrity of the company’s system is preserved while at the same time the user is still able to do their job.
Notification to both the system administrator and the end user would also mean that a solution could be found or the relevant device disinfected. The same applies to the application of Data Leakage Protection (DLP) where certain machines can be barred from copying material onto external drives or, for example, from printing documents.
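The checks described above can be expressed as a small admission policy. The following is an added example, not code from the article or from any vendor product: the tier names, the field names, the 30-day reading of "more than a month old" and the rule that only clean IT-issued machines may print or copy to external drives are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: "more than a month old" is read as more than 30 days.
MAX_SIGNATURE_AGE = timedelta(days=30)

@dataclass
class Device:
    owner: str                           # end user to notify
    managed: bool                        # True = issued by IT, False = personal
    av_signature_date: Optional[date]    # None = no anti-virus reported
    keylogger_found: bool

@dataclass
class Decision:
    access: str              # "full", "limited" or "quarantine" (assumed tiers)
    allow_usb_copy: bool     # DLP: copying to external drives
    allow_print: bool        # DLP: printing documents
    findings: List[str]
    notify: List[str]

def assess(device: Device, today: date) -> Decision:
    """Scan results in, access level and DLP restrictions out."""
    findings = []
    if device.keylogger_found:
        findings.append("keylogger detected")
    if device.av_signature_date is None:
        findings.append("no anti-virus signatures reported")
    else:
        age = today - device.av_signature_date
        if age > MAX_SIGNATURE_AGE:
            findings.append(f"anti-virus signatures {age.days} days old")

    if findings:
        # Restricted rather than blocked: the user can still do their job.
        access = "quarantine"
    else:
        access = "full" if device.managed else "limited"

    # Assumed DLP rule: only clean, IT-issued machines may copy or print.
    dlp_ok = device.managed and not findings
    # Both the administrator and the end user hear about any finding.
    notify = ["sysadmin", device.owner] if findings else []
    return Decision(access, dlp_ok, dlp_ok, findings, notify)
```

A device that fails a check is not rejected outright; it lands in the quarantine tier with its findings attached, so the notification can tell the user exactly what to fix.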
As mobile technology continues to evolve and more and more devices flood the market, this situation is only ever going to become worse for companies. For this reason, it’s imperative that they shift their security thinking, develop new policies, and implement technologies that maintain security without hindering the anytime, anywhere access that users are increasingly demanding.
Taking a measured and intelligent approach to mobile security and management will mean that your company can overcome the security challenges associated with mobility and turn your staff’s personal mobile devices into powerful business assets.