The bring-your-own-device (BYOD) trend is growing by the quarter and putting enterprise IT at ever greater risk. In fact, Forrester Research predicts that by the year 2016, more than 200 million employees will require access to corporate applications via smartphones that the workers themselves choose.
Even organizations that take a "block everything" approach won't be safe. As many IT security professionals have discovered, the draconian approach simply encourages tech-savvy employees to find workarounds, which puts the organization as a whole at increasing risk.
And how can IT deny C-level executives who demand access to critical resources from devices they've brought themselves?
BYOD isn't going away. In fact, it's rapidly becoming the norm. It's imperative to find a comprehensive security solution for the mobile enterprise.
I do mean a comprehensive solution, too. Spend 10 minutes on Google and you'll find a plethora of solutions to various aspects of the BYOD challenge. The trouble is that the issue is poorly understood and articulated, and most solutions only solve individual parts of the situation, which isn't much help when both devices and threats change by the week.
Here are five BYOD threats that you must start acknowledging today to lower risk both for your organization and for your own job security.
1. Outdated access management and identity enforcement mechanisms: If the LinkedIn breach teaches us anything, it should be that user names and passwords are broken. If your organization doesn't have a centralized way to manage and control application access and user identities, and if you haven't yet experienced a breach, the odds are high that your luck will soon run out.
I want to be frank: If you aren't yet managing employee identities, you're heading straight into the perfect storm of risk. Social media, mobile and cloud all challenge traditional security and strain standard access-control and identity-enforcement mechanisms. If you don't upgrade the way you limit access to applications, enforce policies built around them, and ensure that users are indeed who they claim to be, then your organization is in danger of a public relations nightmare after a major breach.
Another major risk is having sensitive intellectual property stolen and sold to a competitor. As you're well aware, both of these possibilities are toxic to an organization's long-term health.
2. Lack of mobile visibility and loss of control: Network visibility is critical today. If you don't know which devices are on your network and you can't analyze the traffic that travels over it, you don't have enough control over your organization's IT infrastructure. Plenty of tools are in the market to solve this challenge, so it's important to act now and choose one that's a good fit for your business.
Meanwhile, dozens of mobile security and management suites have hit the market in the past few years. The acronyms for these technologies can be as confusing as the challenges they are trying to solve. Whether you go with mobile device management (MDM), enterprise mobility management (EMM) or even mobile lifecycle management (MLM), the important thing is to act.
Figure out your priorities and find some way to manage mobility. Most MDM suites should include the basic critical features. At a bare minimum, security professionals should be able to:
- Remotely locate, lock and wipe lost devices
- Enforce time-outs and screen locks, and require a PIN or password to unlock the device
- Check whether device-side antivirus is enabled
Nothing is worse than doing nothing. None of us has the option of waiting this challenge out, because anyone who does is simply courting risk.
3. Rogue applications: Mobile apps present a huge challenge. Authorized marketplaces from Apple, Google, Amazon and the like are fairly safe, but it's easy to scan a QR code and download an app from an unauthorized publisher.
Some of those apps are simply fancy wrappers for malware.
The easy solution here is to simply favor iPhone and BlackBerry over Android. Apple and RIM are far more aggressive than Google at policing their markets. Android has started to vet its market better, but it's not yet on par with Apple and RIM. However, leaving Android out in the cold probably isn't workable, and it glosses over another serious problem: rooted phones. (Some of the mobility management solutions mentioned in item two help you identify any rooted phones in your organization.)
Plenty of tools are available to scrutinize the security of mobile applications and manage mobile lifecycles. Some businesses are even going so far as to create their own mobile app stores.
4. Out-of-control mobile expenses: This BYOD threat is not security related at all, but it could sink you just as thoroughly as a major data breach. As more employees expense mobile costs, managing those expenses becomes a huge headache and a significant organizational cost.
A sales team traveling overseas, roaming the whole time and downloading large amounts of data could easily cost your organization thousands of dollars in mobile expenses that could have been avoided. And that's for one short trip.
With proper mobile expense management (MEM) tools in place, you can set mobile policies and, for instance, alert overseas travelers to stop downloading expensive roaming data and instead find a cheap or free hotspot.
5. Poorly crafted or completely absent BYOD policies: Let's end where everyone should actually start: creating guidelines for your organization. If you don't have mobility policies in place, how can you expect employees to follow mobile best practices? A lack of clear, easy-to-follow policies signals that your organization doesn't take mobile risks seriously.
If IT and management don't formulate policies and guidelines to mitigate mobile risks, why should employees be careful? It's important to develop policies, and to train employees on those policies, so that your mobile workforce understands what is acceptable and what is not. Otherwise, the risk may well go beyond your organization and into your job-security zone.
Garret Grajek is the CTO and COO of SecureAuth, a provider of identity enforcement solutions for cloud, web and mobile resources.