Gartner has outlined what it considers to be the three biggest security hurdles that businesses must overcome when implementing a bring your own device (BYOD) policy.
The benefits of letting employees use their own devices for work purposes are clear – employees are happier when they get to use their own device and should be more productive. The business too can save on hardware costs.
The downsides are also clear – IT has to support a wide range of devices and platforms, many of which will not meet their security policies, and has little or no control over whichever smartphones, tablets or laptops workers are using. This is a particular problem if a device is lost.
These are the themes Gartner picks up on. The analyst house says up to 70% of businesses it surveyed have, or are planning to implement, a BYOD policy within the next 12 months, but warns businesses that there are three major impacts that companies must consider and take action on.
The right of users to leverage the capabilities of their personal devices conflicts with enterprise mobile security policies and increases the risk of data leakage and the exploiting of vulnerabilities
Gartner points out that using a personal device means workers can access whatever URLs or apps they want. But that of course presents a problem for businesses as that increases the risk of data loss, whether through legitimate but unsupported apps or mobile malware, which is an increasing risk.
Gartner recommends a mobile device management (MDM) platform, but that will involve the installation of an agent on a personal device, which is something many users may not want.
BlackBerry recently told CBR that it thinks its approach to BYOD is a winner. Its upcoming BB10 platform has the capability to run two separate accounts on one device. Data connected to the work account cannot be copied across and if a device is lost the business data can be remotely wiped, without touching the personal side.
User freedom of choice of device and the proliferation of devices with inadequate security make it difficult to properly secure certain devices, as well as keep track of vulnerabilities and updates
Allowing workers to choose their device and operating system means that security is often an afterthought, Gartner says. At the very least, security features such as password controls, lock timeout period enforcement, lock device after password retry limit, data encryption, remote lock and/or wipe should be installed. But many consumers do not even have basic security software installed on their devices, which presents a huge risk to businesses if those devices contain sensitive corporate information.
Gartner says businesses should limit BYOD to devices that meet their security requirements and ban those that do not. However, that eliminates many of the benefits of a BYOD policy.
The user’s ownership of device and data raises privacy concerns and stands in the way of taking corrective action for compromised devices
This is similar to the first issue Gartner raised – what to do with a device if it is lost or stolen. Remote wiping is a possibility but, as pointed out before, in most cases that would involve IT installing that capability on the device itself.
Gartner suggests that liaising with the legal department can help in this situation. Obtaining the explicit written consent of a user to remote wipe their device before they are allowed to use it for work purposes is vital, Gartner says. That way, if a device goes missing, IT can wipe it as soon as possible without any delays caused by waiting for user permission.
"Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security," said Dionisio Zumerle, principal research analyst at Gartner. "Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organisation."