The state of BYOD
A “technological empowerment movement” has spurred more than 40 percent of employees, millennials in particular, to make their own technology decisions for work, according to Accenture.
Employees are using one phone/desktop to manage their personal and work lives and prefer the applications and functionalities available on the technology they are used to – their own. Management and IT executives are recognizing the importance of employees using the latest technology – nearly 90 percent of them agree that consumer technology used by their employees can improve job satisfaction.
Where does this leave IT departments? Enterprise security personnel have handled BYOD in varying ways – by fully embracing it, by improvising a response, and by ignoring it. And it's understandable, given how employee devices change the user-IT paradigm.
But a multiplatform environment where some devices are personal and others are corporate-owned is the “new normal,” with a series of new challenges:
- Enterprises are being exposed to multiple operating systems, models and operators – requiring IT teams to become educated on a per-platform basis to support the safe use of each device type within the enterprise.
- The capabilities associated with each platform are different, as is the security of iOS, Android, BlackBerry and Symbian devices.
- Full control over the mobile device landscape is no longer possible for IT departments, and even full visibility into a mobile fleet is extremely difficult.
- There are also unintended budgetary issues. Sure, the cost to acquire devices is reduced when employees bring their own – but such an erosion of control also reduces IT departments' abilities to recognize volume discounts from their usual suppliers, not to mention the potential financial impact of compliance breaches resulting from private data leakage.
A multiplatform environment where some devices are personal and others are corporate-owned is the "new normal."
– Tyler Lessard, CMO, Fixmo
Over the last two years, IT has seen its role change from one that is proactive and in control of technology implementations to one that is reactive and, to a large degree, enabling employees within the organization. Many IT departments that are allowing BYOD will be in a perpetual state of “catch up” – but this cannot be the case when it comes to the security of corporate data on personal devices.
Securing a BYOD workforce
Gartner has stated that, by 2014, 90 percent of organizations will support corporate applications on consumer devices and 80 percent of professionals will use at least two personal devices to access corporate data. As such, the regulatory and security concerns caused by the BYOD revolution are becoming very real for IT departments.
So what are the security vulnerabilities inherent in BYOD? This new paradigm presents unique challenges and potential vulnerabilities because IT departments have lost the ability to control the OS image, enforce strong device-level security policies, restrict unverified third-party applications and mandate security patches and OS upgrades. In short, they have lost administrative rights over the device. Consider the following:
- Most employees lock their phones with a PIN code as a key security measure; but, according to McAfee, 11 percent of all PINs are one of five combinations.
- Corporate IT teams can manage remote wipes (if they are permitted) of mobile devices if devices are lost or stolen, but by that time, the data could have already been stolen, copied or reviewed by a third party.
- Convenience wins. Employees therefore often bypass security measures to access the information, applications or data they need, when and where they need it.
The future of the BYOD workplace
Mobile risk management (MRM) is the future of securing the mobile workforce. MRM programs help organizations identify and understand the risks associated with the different devices and applications connecting to their network. MRM focuses on protecting and controlling the corporate data, rather than the device itself, and on monitoring the configuration and integrity of devices to help IT departments assess their risk profile and make informed decisions on how they will respond to potential threats or breaches.
Mobile risk management endeavors to go beyond MDM – which tracks device inventory and applies basic policies to protect lost or stolen devices – to help organizations continuously encrypt and protect the corporate data residing on those devices, independent of what the device-level policies are, and to detect potential compromises that could lead to a breach. While these are all fundamentally important aspects of any mobility deployment, they are particularly critical in a BYOD environment where organizations are exposed to a greater set of unknown and unverified devices, OSs and applications.
As mobile wallets and other machine-to-machine transactions become more prevalent, MRM will become even more of an asset to securing the mobile workforce and protecting private data.