The ever-increasing use of personal devices has tested enterprise defenses, so plans must be created to meet the challenge, reports James Hale.
One doesn't have to go far to see the reality of the bring-your-own-device (BYOD) trend. Just step into any corporate elevator and look around: All eyes are down, thumbs and fingers working, from the young clerk with the nose stud to the senior sales executive with the $600 wingtips. You know the company can't possibly issue every employee a smartphone or tablet, but everyone seems to have one, and they're all using them on the job.
“I'd say it's almost a fad for companies to allow employees to use their own mobile devices right now,” says Faud Khan, founder and principal security analyst at Ottawa, Canada-based TwelveDot Security. He points to a recent survey by Kaspersky Lab that found that more than half of IT security professionals are more concerned about mobile device security than they were a year ago. What he and others who focus on BYOD ask is: Which solutions will meet the rapidly changing challenges? With an estimated 51 percent of organizations experiencing information loss through insecure mobile devices (including laptops, smartphones and tablets), it's an apt question.
“The analogy I like to use is that we're at the same place we were 15 years ago with internet access,” says Dave Amsler, president and chief information officer at Foreground Security, based in Lake Mary, Fla. “Suddenly, companies were amazed at how productive everyone became when you gave them network access. Security was an afterthought, and if you asked them about it, they'd say, ‘Oh, we have anti-virus software installed.' Today, we'd laugh at that, but that's where we are with mobile security.”
Big changes in the application of security measures have swept through government and all business sectors. In the past, only a few companies would allow employees to add their own BlackBerries to the enterprise network, and this would occur only after administrators could wipe their data first, says Steven Santamorena, the chief information security officer at Reader's Digest. “Not many people took that up,” he says. “Then, when the iPhone and the iPad came along, we saw more and more people bringing their own devices, and we addressed security with a pretty straightforward password approach. Now, you've got people wanting to add different flavors of Android devices, and we don't have the manpower to address that.”
Santamorena says clarity is the answer. He advises companies to establish a mobile device policy and enforce the agreement to wipe all corporate data if an employee loses the device or leaves the company. But, as he looks at the growing number of personal applications and public cloud storage solutions, like a lot of his peers, he realizes that the challenges aren't about to decrease.
“We're struggling to understand a lot of what's coming down the road,” says John Johnson (below), global security program manager for Moline, Ill.-based John Deere, a global leader in the manufacturing of agricultural machinery. With more than 60,000 employees in about 200 locations worldwide, he sees devices from various manufacturers entering the workplace and new challenges like Windows Phone constantly coming onstream.
“A mobile data management (MDM) plan is critical,” Johnson says. “From my perspective, the reporting and management functions are as important as the security itself. We have to have the confidence that mobile devices can be managed as effectively as desktops.”
But, no one strategy will cover all circumstances, he says. “Things are changing so rapidly that it's difficult to choose one MDM solution. Companies have found themselves going back to their vendors after a year or two, looking for new answers.”
As well, while Johnson is encouraged by some online storage provisions, he says that space still has a way to go. “We need secure solutions and encryption. We want to know where our data is.”
But the threat posed by public storage takes a backseat to employee-installed applications, says Foreground Security's Amsler. “That's the number one threat vector I see. The amount of malicious code has grown exponentially. It's more sophisticated, and, increasingly, it's app-based now.”
Khan of TwelveDot Security, who has provided security analysis in 36 countries, agrees, and says organizations' security oversight must extend to app development. “Every new OS poses a security risk because of what comes with it.”
He advises clients to study the beta versions of new apps that employees might use on mobile devices, analyze the application programming interface and reflect findings in MDM plans and mobile application management (MDA) solutions.
Privacy agreements – and laws – are yet another concern. The further organizations reach into employees' devices, the greater the risk of collecting personal data and violating the individual freedoms of device owners and their family members.
“Personally, I'd have qualms about giving an employer full access to my device,” says Johnson. “Employees are justifiably skeptical, unless there's a ‘sandbox' around the corporate data on their phones or tablets.”
He says this type of data partitioning, like BlackBerry now offers on its phones, will increase the possibility for employees to have what he calls “multiple-personality” devices. “We'll continue to face limitations until we can do that well,” Johnson says. “As things change, it's a reality with which we continue to struggle. We have to be flexible about personal devices. That's an important part of hiring and employee retention in today's society.”
That's no less a reality for organizations with a fraction of John Deere's resources.
“Most of those small- and medium-sized enterprises (SMEs) are flying blind,” says Andrew Jaquith (below), chief technology officer and senior vice president of SilverSky, a Milford, Conn.-based cloud security solutions provider. “The big thing they're wrestling with is they don't have a security department with a lot of tools. They know the problems in a general sense, but they lack depth of expertise.”
What's more, he says, the benefits of having fewer employees to worry about are overbalanced by new generations of devices, new apps and cloud storage, which are all multiplying the risks. For SMEs to effectively deal with the ever-changing face of BYOD, Jaquith recommends keeping it simple.
“They have to stress the basics, like having a strong mobile policy in place and ensuring that employees buy into it,” he says. “Encrypt email and calendars, something that's pretty easy to accomplish on BlackBerry and iOS. With a smaller company, it's also easier to control what types of devices are on the network.”
Past those basics, Jaquith suggests SMEs take a hard look at how to manage sensitive data, use mobile tools like content lockers, and pay close attention to how MDM plans are developed.
“We're in a foundation stage with a lot of stuff around BYOD,” he says. “As an organization, regardless of size, what you do now will make a big difference in the future.”