For more than a decade, the explosive popularity of smartphones and mobile devices has had a direct impact on where and when employees perform work tasks. Before, when employees only accessed corporate information on designated work devices, enterprise security meant protecting the perimeter. The perimeter, however, has shifted from a clearly defined and hardened space to being nearly non-existent, in large part because of the expansion of personal mobile devices.
As more employees opted for the convenience of working from their own devices, they became more productive. The problem is that enabling bring-your-own-device (BYOD) practices has also changed the threat landscape. Given the challenges of securing employee-owned devices, it’s worth asking whether it’s time for enterprises to bid farewell to BYOD programs.
Bring Your Own Risk
According to research from Bitglass, 85 percent of organizations now enable BYOD for employees, contractors, partners, customers or suppliers. Unfortunately, at the same time, only 56 percent of companies have basic remote wipe capabilities for removing sensitive data from endpoints.
The risks posed to each organization differ drastically by not only the size of the company, but the industry as well. Certainly, a university professor working from his or her own mobile device doesn’t pose the same level of risk to the institution that a financial adviser would pose to his or her company. Each device, database and user poses different risks, which is why an unequivocal ban on BYOD productivity isn’t necessarily the best solution for every company.
As it stands, most companies permit the use of personal devices because doing so offers a wide range of benefits, including enhanced flexibility, mobility, employee satisfaction and reduced costs, according to Anurag Kahol, chief technology officer at Bitglass. Yet the report also found that 42 percent of organizations rely on ill-suited, agent-based tools to secure corporate email on user devices, while 24 percent don’t secure email at all.
“Operating in the cloud and allowing non-corporate devices is a fundamentally different style of conducting business that requires a fundamentally different type of security. If companies allow personal devices, they must also adopt the appropriate tools and policies; they cannot rely upon solutions that are only designed to secure corporate devices or protect data on premises,” Kahol said.
Short of taking proper security measures, companies are putting themselves at risk. They are at the mercy of the cyber hygiene of the mobile user that is constantly connecting to their network.
Implement Best Practices for Securing BYOD
Given that BYOD is now a critical reality for so many organizations, devices shouldn’t be treated as separate or isolated components of the business. Instead, “organizations must adopt a security posture with a comprehensive segmentation strategy to adequately secure mobile devices and internet of things (IoT) devices on their networks,” said John Maddison, senior vice president of products and solutions at Fortinet.
An organization’s security architecture needs to provide broad visibility across all environments to identify and track all devices on its network. In addition, companies need “security tools that segment devices to better control attack surfaces through heightened inspection of applications and other traffic. Ultimately, organizations that incorporate user-owned devices must leverage a security framework that consists of integrated tools that can automatically apply advanced security functions to any device anywhere across the network,” Maddison said.
A mobile device management (MDM) tool has to be the first level of defense. Without MDM, companies are running a huge risk of having their sensitive information compromised. There is a big difference in risk among companies, so each organization has to look at how they’re ensuring security in areas such as emailing of sensitive information, and there has to be a policy in place for what happens if that data leaks out.
How to COPE Without BYOD
As much security as these strategies offer, there are organizations that can’t run the risk of allowing work transactions on anything other than corporate devices. Their data is far too sensitive and the cost of a compromise is far too great. For these reasons, corporate-owned, personally enabled (COPE) devices could be the future.
Securing an employee-owned device is always a challenge. With a corporate-owned device, however, the employer has full run of the assets and direct control to install software and functionality. The challenge with corporate-owned devices is one of upfront cost, but COPE practices may ultimately save organizations the regulatory and reputational costs of a data breach down the road.
The Pandora’s box of mobile devices has been opened, and closing the door on BYOD could ultimately result in even more security issues for some, as users will likely continue to engage in the convenient practices that have been established. Another option is to enable employees to work on their own devices, but treat each personal device as a guest so that users are granted very limited access to corporate data.
Since the precedent has already been set, mobile carriers are now leveraging the chance to help their customers enable BYOD programs, according to Mike Pagani, chief evangelist at Smarsh. “The idea is to get down to a single phone. The problem with the dual phones is that it’s all too easy to answer a business issue using a personal device. In our world, that’s a huge problem.”
Technology has advanced so much that companies can create a very secure set of containers that create two distinctly different environments on the same device. “With the right containerization, you can run a personal environment and a business environment, and in many cases even have two different numbers on the same device,” Pagani said.
As technology continues to advance, the hardware to enable COPE will further develop and the software will support it. The convenience of a single, corporate-owned device that enables personal functionality could gently ease personal devices out of the equation.