Handling the BYOD surge: Five assumptions for IT pros

Summary: Employees who bring their personal devices onto the corporate network are keeping IT managers up at night.

Commentary - In today’s Information Technology (IT) landscape one thing is glaringly obvious: Bring Your Own Device (BYOD) and the “consumerization” of IT are having an enormous impact on IT security. Security concerns associated with employees bringing personal devices onto the corporate network are keeping IT managers up at night. No matter the size of the company, from SMBs to highly regulated government entities, BYOD is affecting everyone and needs to be confronted head-on.

Before you go searching for technology solutions, keep in mind that a few basic notions go a long way toward strategies that actually make corporate data more secure. Here are five assumptions IT professionals can keep in mind when devising strategies to meet BYOD’s threat to corporate data, user identities and intellectual property.


1. Assume the worst! Don’t hire a penetration tester. Save your money and assume “they” will get in – 75 percent of organizations have suffered data loss from negligent or malicious insiders.

2. Assume employees will use their personal devices on the corporate network, even if they are told not to. More than 50 percent of employees use portable devices to take confidential data out of their companies every day. Before you end up with a problem on your hands, use products available today to block the devices you’re not willing to have around, whitelist the ones you feel comfortable with, and, where data is critical, both encrypt it and audit its movement.

3. Assume that your employees value convenience more than security. If a security policy is overly cumbersome or inconvenient, employees will find a way around it. Don't underestimate the ingenuity of employees looking to circumvent procedures that slow them down. So, make the easy path the safe path. The last thing you want to do is prevent use of all personal devices: soon users will find a workaround, like using phones to take pictures of documents so they can work at home. If you try to control too much, the initial problem slips through your fingers and creates a much bigger problem.

4. Assume that flash drives will be lost and IT will never know. Losing a $10 flash drive can be even worse than losing a laptop. Stolen or lost laptops are reported; $10 flash drives are quietly replaced. According to the Ponemon Institute National Study of Data Loss Breaches in 2010, missing devices cause 42 percent of security breaches. Use encrypted flash drives or don't use them at all. Right now only 35 percent of companies enforce data encryption on company-issued devices.

5. Assume that an organization's first and last defense against a security breach is its own employees. Training employees on good security practices offers the most bang for the buck. According to the Ponemon Institute National Study of Data Loss Breaches in 2010, negligent employees cause 16 percent of security breaches. Everyone should learn how to recognize phishing attacks and fake anti-virus software advertisements – if it looks too good to be true, it really is. Also, the most obvious ways to protect are often the best ways. Everyone should have strong passwords that only they know on their devices. According to research done by SplashData, the most popular password in 2011 was “password”—that certainly is not a formidable protective shield for securing sensitive corporate data.

In order to embrace BYOD, security policies should be formulated based on these assumptions. IT security staff need to implement policies, and provide secure devices and management solutions that make the easy path the secure path. Taking advantage of the brave new world of user mobility doesn’t have to mean losing control.

Scott Ashdown is Director of Products and Solutions for Imation Mobile Security.

  • Title: Handling the BYOD surge: Five assumptions for IT pros

    Items 1, 2, and 3 are given and we cannot do anything about it.
    Item 4 is workable as long as the data is short term. Long term data with encryption can be broken with proper tools. And as long as the cost of data is 10x or more than the cost of breaking them, time is immaterial.
    Item 5 is one helluva problem although doable for employees who really care for the company(ies) they work for. Otherwise, just pray to the IT gods that your company remains under the radar of criminals...
    • Corporate cloud

      1, 2 and 3 you can do something about, as things like a gateway (Citrix or something like Citrix) can provide.

      When CIOs and everyone realized they need to keep the desktop, data, and everything inside their cloud and prevent anyone from moving from the cloud, then that's a plan. The problem is, many CIOs don't think deeply about what that means and think they don't need to do the same thing with employees working inside the office. The same layout needs to be applied. This way employees can use BYOD and their only requirement is to have an internet connection.

      You can lock down the use of USB sticks/drives etc.
      The one loophole I can think to get something from the cloud might be printing...

      5- is the most laughable thing I've seen yet. Rely on employees for security??!? HAHAHAHAHAHAHAAAAA HAHAAAAAAAAAA HAAAAAAAAAAAAA!!!!!!
      First, nothing is foolproof because fools are so ingenious !!

      I've even recently talked to a CIO who thought everything was moving to Mobile apps where information would be secure by SSL, but DUH --- they now took sensitive data out of the cloud and have it on their endpoint device.

      Let me be clear, the only thing a user should have access to (inside and outside the corporation) is a screen shot of a desktop or app, and an input device (keyboard, mouse, mic, etc...)
  • Senior Executive Senility/Naivety

    It will be a corporation's senior level management who will be the biggest threat, as they often treat the mobile devices as toys. Ever try to fire a senior level person for blatantly violating any kind of company policy?
  • Meh, don't need BYOD.

    Meh, don't need BYOD anyways. I don't understand ZDNet's obsession with it.
  • BYOD Can Be Managed

    As a retired CIO of an $8 billion (cash flow) state tax agency, BYOD did keep me up all night! However, with an audit background, I turned to one of the oldest professions to maintain operational internal control over data - Auditors! Auditors can restrain and constrain unwanted and unwarranted behavior without moving a muscle. The thoughtful and effective CIO will make a business case for hiring the specialized, certified IT Auditor. Moreover, it helps to get more fingerprints on the knife.
    Dennis Frederickson