Best practices for managing the security of BYOD smartphones and tablets

How can your organisation meet the security challenge posed by employee-owned mobile devices?
Written by Nick Heath, Contributor

The practice of employees using personal phones and tablets at work is already widespread, with the number of such devices forecast to hit one billion by 2018.

The challenge posed to enterprises by the Bring Your Own Device (BYOD) trend is that it forces them to keep corporate data safe on a plethora of different mobile computers that are not directly under IT's control. Worse, each device can potentially be running a different OS, with different apps installed and different vulnerabilities.

How should organisations approach the security of these devices in a way that doesn't interfere with employees' ability to work?

Here are some best-practice tips for managing security on BYOD smartphones and tablets.

Don't block BYOD, prepare for it

Employees will use personal devices at work whether you like it or not, says analyst house Gartner. Half of employees surveyed told the analyst they had used their own device at work without corporate approval.

"The single biggest mistake any IT organization can make is to do nothing," states the Gartner report How to Avoid the Top 10 EMM/MDM Deployment Mistakes.

Instead IT departments should prepare the business to manage BYOD, reviewing which devices employees are most likely to use and ranking them on their manageability, availability of business apps, supportability and security.

"IT's goal is to be prepared to justify decisions to allow or disallow specific devices and configurations based on proactive evidence," the report states.

Where BYOD isn't an option, companies should offer a Choose Your Own Device (CYOD) program, says Gartner, in which staff choose from a list of devices that the company purchases, owns and manages.

Work with users, not against them

Attempts to foist strict controls on how employees use devices can backfire, causing staff to use workarounds that expose the company to even more risk.

When setting security policies for BYOD phones and tablets, consult those employees who will be subject to them.

Gartner gives the example of forcing users to input a complex passcode every time they want to use the device.

"Once users experience this, they quickly become annoyed with IT, due to the extreme inconvenience of making it difficult to text/email while on the move," the report states.

A good compromise in this example would be a simple four-digit numeric passcode to unlock the device, with a more complex passcode for accessing corporate data, suggests Gartner.

Striking this sort of balance between employees' convenience and corporate requirements will, it suggests, lead to the best outcome.

Involve staff from the start

Before choosing an Enterprise Mobility Management (EMM) suite, IT should work with employees to document their workflows and ensure that mobile device management policies, tools and practices make sense, with respect to staff members' roles and the regulations they operate under. Different roles can be subject to different regulatory requirements: the CEO may be bound by SEC rules, while HR may have obligations under the Health Insurance Portability and Accountability Act, for example.

At this early stage, enterprises should audit how employees use their devices, says analyst firm Forrester, noting the data they access and the applications they rely on.

Armed with this information, Gartner recommends grouping employees into broad categories based on how they use their mobile device, the sensitivity of the data they handle, the regulatory requirements they fall under and the type of device they use. Policies can then be developed to suit each group's needs, and an EMM chosen to help enforce them.

Before deciding on an EMM, companies should also settle on the policies needed to enforce the minimum acceptable standard of privacy and security.

When introducing new technical and process controls, do so gradually, recommends Forrester, deploying them in phases as a series of pilots. Each subsequent pilot can then be improved based on earlier feedback, it states in the report It's Time To Level Up Your Mobile Application Security Program.

Gartner also warns against imposing new restrictions on how BYOD phones and tablets are used over time, recommending instead that these limits are set out at the start of a BYOD program. This upfront approach, alongside early training, sets employee expectations and avoids a backlash at the removal of earlier freedoms.

Education can be the best policy

While IT would like to find technical solutions to the security challenges posed by BYOD tablets and phones, educating users about the risks can prove more effective.

In many instances there may not be a simple technical option for closing a security hole, says Gartner, pointing to limitations in iOS when it comes to blacklisting applications to bar their access to a wireless connection.

In these instances, informing users about the risks inherent in such behavior can be the better alternative.

In general, user training on mobile policy should be carried out early, alongside education about basic mobile safety.

Be aware of what can go wrong

Based on what you learn from studying how users use their phones and tablets, Forrester advises conducting a mobile risk assessment.

This risk assessment should "describe the scenarios and circumstances that might expose the organization to data breaches, regulatory fines, operational losses, reputational damage, or other negative impacts", recommends the report.

The resulting risks can then be categorised, ranging from those which are acceptable to the unacceptable.

Be flexible

The relatively fast pace at which software updates are pushed to smartphones and tablets makes it difficult to plan long-term mobile device management.

Gartner gives the example of Apple releasing many different iOS updates during 2015.

"These releases often came with zero advance notification and were simply presented to end users, asking them to upgrade their device to the latest version," states the Gartner report.

These frequent updates forced major EMM and mobile device management (MDM) vendors to release between 12 and 15 new versions during the year.

Because of the uncertainty around mobile platforms, Gartner recommends firms should re-evaluate mobile management platforms every six to 12 months.

Be aware of technical controls

Firms can use an EMM alongside other security tools to implement technical controls on how BYOD phones and tablets are used.

While the nature of these controls will depend on what degree of risk is acceptable, there are a range of options available.

These include: encrypting data in transit between the mobile device and the corporate back-end using a VPN, encrypting data on the device, controlling automatic cloud backups, authenticated log-in to the device or to a corporate service or container application accessible via the device, secure boot, application sandboxing and whitelisting, limiting connections from unpatched devices, automatically triggering remote wipe in risky scenarios and logging information about suspicious events.

Keeping devices up to date with patches is, of course, also important.
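As an added illustration of the controls just listed (hypothetical example code, not from the article or any EMM product), the function below evaluates a device's reported posture against a per-group policy: unpatched or unencrypted devices are restricted to non-sensitive services, integrity failures or repeated failed unlocks trigger a wipe of the corporate container, and every finding is recorded for logging. The group names, OS baselines and thresholds are assumed values.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed example of a BYOD compliance check (hypothetical; not the
# article's or any EMM vendor's code). It encodes three of the controls
# described above: limit connections from unpatched or unencrypted devices,
# trigger a remote wipe of the corporate container in risky scenarios, and
# log suspicious events so they can be reviewed.

@dataclass
class DevicePosture:
    device_id: str
    os_version: Tuple[int, int]   # e.g. (16, 4) as reported by the EMM agent
    encrypted: bool               # on-device encryption enabled
    jailbroken: bool              # integrity check failed (jailbroken/rooted)
    failed_unlocks: int           # consecutive failed passcode attempts
    user_group: str               # policy group chosen during the workflow audit

@dataclass
class Decision:
    action: str                   # "allow", "restrict" or "wipe_corporate"
    events: List[str] = field(default_factory=list)

# Assumed minimum patch baseline per policy group; regulated roles
# (e.g. HR under HIPAA) get a stricter one than standard users.
MIN_OS = {"standard": (15, 0), "regulated": (16, 0)}
WIPE_AFTER_FAILED_UNLOCKS = 10    # assumed threshold

def evaluate(p: DevicePosture) -> Decision:
    """Return the access decision for one device plus the events worth logging."""
    d = Decision("allow")
    # Risky scenarios: corporate data on the device can no longer be protected.
    if p.jailbroken:
        d.events.append(f"{p.device_id}: integrity check failed (jailbroken/rooted)")
        d.action = "wipe_corporate"
    if p.failed_unlocks >= WIPE_AFTER_FAILED_UNLOCKS:
        d.events.append(f"{p.device_id}: {p.failed_unlocks} consecutive failed unlocks")
        d.action = "wipe_corporate"
    if d.action == "wipe_corporate":
        return d
    # Unpatched or unencrypted devices are limited until remediated.
    baseline = MIN_OS.get(p.user_group, MIN_OS["standard"])
    if p.os_version < baseline:
        d.events.append(f"{p.device_id}: OS {p.os_version} below baseline {baseline} for {p.user_group}")
        d.action = "restrict"
    if not p.encrypted:
        d.events.append(f"{p.device_id}: device encryption disabled")
        d.action = "restrict"
    return d
```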
