BYOD: How to avoid Bring Your Own Danger

What else might you introduce to the poorly protected enterprise when you Bring Your Own Device?
Written by Will Taylor, Contributor

BYOD, or Bring Your Own Device, has become the enterprise buzzword of the year.

Mobile devices such as smartphones and tablets are not only transforming the way we work, but by allowing employees to use their own devices rather than ones from the corporate pool, the BYOD epidemic is also transforming hardware budgets during a period of recession-led IT department austerity.

But what are the negatives in the BYOD boom?

Symantec suggests that as few as 51 percent of enterprises have bothered to communicate a mobile security policy, or even some best-practice tips regarding usage, to employees.

And when ESET researched mobile security in the workplace it found that 24 percent of employees now use a personal smartphone, and 10 percent a tablet, to access or store corporate data. However, that data is encrypted for only one third of these devices. Hardly surprising, then, that the Ponemon Institute found that 51 percent of organisations had already experienced some kind of data loss attributable to poorly secured mobile devices.

What's your policy?

Does your enterprise enforce authentication policy and control for employees' mobile device usage? If the answer is no, then that enterprise is at risk of data compromise through unauthorised access via an infected smartphone.

If there is no specific policy that applies to BYOD smartphone use, then how can a business effectively react to any security threat in such devices? It beggars belief that any business can spend so much time and money ensuring that sensitive data is secured on the server and when being moved to and from it, yet ignore the weak link in that transit chain: the employee smartphone.


When Symantec looked at the mobile threat surface, it discovered that 52 percent of employers did not have any systems in place to manage the apps installed on staff smartphones.

There is plenty of hard evidence to suggest that the malicious app market is growing at an alarming rate. The Apple 'walled ecosystem' for app developers has meant the iPhone has not, yet, become a target for app-based Trojans. Android has, however, with more than 800,000 device activations a day and a much less secure app development and distribution infrastructure.

The latest McAfee threats report shows an increase in mobile malware, especially targeting the Android platform. In fact, during the first quarter of 2012 the number of such threats to Android users more than quadrupled to 8,000. F-Secure research this year found that the second most attacked mobile platform after Android is the Symbian OS, with a similar line of malicious Trojans purporting to be harmless gaming apps.

Education, education, education

Educating employees in safer smartphone use at home should reap dividends, as BYOD best practice applies wherever devices are used.

IT department-approved anti-malware apps will warn users about malicious apps and suspicious activity, and applying firmware updates as soon as they become available is essential to keep security patches current.

Enforce PIN protection and remote-wipe functionality as a safeguard against malicious third-party use, and ban rooted or jailbroken devices as these are inherently more at risk of compromise from malicious apps and Trojans.

Beyond educating users about smartphone usage, enterprise security policy must define which devices may access the network and which services each of them may reach.

Authentication and encryption should not be optional, especially on BYO devices. All of this must be backed up by an ability to enforce the policy across multiple devices and multiple platforms. This means central asset management and control, and access through a managed VPN solution with IPSec encrypted tunnels, for example.
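As an added illustration that is not part of the article, the controls listed above (PIN, remote wipe, no rooted or jailbroken devices, encryption, current firmware, approved anti-malware, central management) can be expressed as a fail-closed posture gate run over device reports. The posture reports, field names and control names below are constructed assumptions, not any real MDM product's schema.

```python
"""Fail-closed BYOD posture gate (added example, not from the article).

Each record is a constructed MDM-style posture report. A control that the
device agent could not report (missing key) counts as a failure, so an
incomplete report never grants access. Field names are assumptions.
"""

# Constructed sample inventory: one compliant phone, one rooted and
# unencrypted phone, and an unmanaged tablet whose report lacks the
# remote-wipe field.
INVENTORY = [
    {"device_id": "phone-01", "platform": "android", "managed": True,
     "pin_enabled": True, "remote_wipe_enabled": True, "rooted": False,
     "storage_encrypted": True, "firmware_current": True,
     "antimalware_installed": True},
    {"device_id": "phone-02", "platform": "android", "managed": True,
     "pin_enabled": True, "remote_wipe_enabled": True, "rooted": True,
     "storage_encrypted": False, "firmware_current": True,
     "antimalware_installed": True},
    {"device_id": "tablet-03", "platform": "ios", "managed": False,
     "pin_enabled": True, "rooted": False, "storage_encrypted": True,
     "firmware_current": False, "antimalware_installed": True},
]

# (control name, predicate that is True when the device satisfies it).
# Predicates index the report directly so a missing field raises KeyError.
CONTROLS = [
    ("managed", lambda p: p["managed"]),            # central asset management
    ("pin", lambda p: p["pin_enabled"]),
    ("remote_wipe", lambda p: p["remote_wipe_enabled"]),
    ("not_rooted", lambda p: not p["rooted"]),      # rooted/jailbroken banned
    ("encrypted", lambda p: p["storage_encrypted"]),
    ("firmware", lambda p: p["firmware_current"]),
    ("antimalware", lambda p: p["antimalware_installed"]),
]


def evaluate(posture):
    """Return (allowed, failed_controls); any failure denies access."""
    failed = []
    for name, check in CONTROLS:
        try:
            ok = bool(check(posture))
        except KeyError:          # unreported control: fail closed
            ok = False
        if not ok:
            failed.append(name)
    return not failed, failed


def access_decisions(inventory):
    """Map device_id -> (allowed, failed_controls) for a whole inventory."""
    return {p["device_id"]: evaluate(p) for p in inventory}


if __name__ == "__main__":
    for dev, (allowed, failed) in access_decisions(INVENTORY).items():
        print(dev, "ALLOW" if allowed else "DENY", failed)
```

The failed-control list is what a help-desk or NAC workflow would hand back to the user, so a denial is actionable rather than silent.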

When using a virtualised environment for remote connectivity, remember that data security involves more than setting discretionary levels of access. What if users start saving data locally on their devices? Both control and security are then compromised.

Too much security negates the entire purpose of IT, yet giving staff access to company systems through tools they have chosen and are motivated to use is a great advantage. Make the right trade-off.
