Last week, we raised the subject of mobile device usage within organisations, i.e. do you really know what devices are being used, by whom, for what, and when… So, now that you’ve discovered what devices your employees are using – many of which may be their own – you may have come to the conclusion that you wish to implement a BYOD (Bring Your Own Device) policy. With that in mind, it is wise to have an idea of the risks involved in implementing such a policy.
The use of personal devices as part of a corporate network is probably one of the trends that is growing exponentially, and the advantages, on paper anyway, may well outweigh the disadvantages – reduced costs, more flexibility, increased productivity due to higher employee mobility – but many of these devices are unsecured, bringing with them the risks of data loss, the threat of attacks on your network, and congestion of the bandwidth. To ensure that any BYOD policy you introduce provides you with the advantages and rewards you are looking for, here are some of the risks to be aware of.
1. Mind the security gap. Security solutions for mobile devices don’t have sufficient web security controls when it comes to native (directly accessed and downloaded from the device) and web (accessed via the mobile browser) applications, thereby creating a security gap in which web and mobile applications can leak confidential, sensitive information. Implementing policies that go beyond basic blocking, i.e. at granular application and operation levels, enables organisations to reduce and even close the security gap, significantly reducing the potential for intellectual property theft and any subsequent damage to reputation.
2. IT managers vs. users. IT managers want (and need) to provide better security with limited access on mobile devices; users, on the other hand, don’t want the security restrictions because they want quick, easy access to as much content as they can… and therein lies the rub! IDG Research Services recently conducted a Global Mobility Study: 41% of IT managers want to be able to log access by users of personal devices; 24% of users are happy with the restrictions. This ongoing battle – the ‘security expectation divide’ – can potentially create security risks.
3. Protect at device level. Today’s laptops and desktops are able to support high levels of security protection, such as DLP and anti-virus software, but these security levels can’t be supported by mobile devices. Even if they could, the ramifications of updating personal mobile devices within the enterprise really are too costly and time-consuming to consider. For BYOD security to work, a network-based approach is needed that is responsive and delivers security in real time to every network device.
4. Draining your bandwidth. Employees like to use personal devices connected to the company network; it’s free! They can download iOS updates, sync to cloud applications, stream videos and more without having to pay any charges or exceed their data allowance caps. But these gigabyte-draining actions will severely affect your corporate bandwidth, thereby having a negative impact on the performance of your business applications. Multiply this action by the number of personal devices being used… and watch your productivity and financial costs rise!
5. Mobile attacks starting to rise. To date, there haven’t been many attacks on mobile devices, but as the use of personal devices in the workplace increases, so do the connections to company networks. This raises the antennae of malware networks and, like bees to honey, they will look to target mobile users. So far, mobile attacks appear to be phishing or enticing users to infected sites, but this could significantly rise in the future.
Despite us highlighting the potential risks of implementing a BYOD policy, don’t be put off… There are many advantages to BYOD and the security industry is fast catching up and developing solutions that will cover the risks of introducing personal mobile devices into the workplace. In the meantime, make sure your security solution is not only network-based, but also encompasses protection from any web-based threats and delivers granular control over web and native applications, and mobile browsers.