Tuesday, December 6, 2011

Securing Smartphones in the Bring-Your-Own-Device (BYOD) Era

5 Security Challenges BYOD Presents

Most organizations remain uncomfortable letting their employees use their own mobile devices to access their IT systems. Yet, in many instances, those charged with securing their enterprises' IT understand that it's just a matter of time before they must grant workers permission to employ those devices.

BYOD stands for bring your own device, and it's one of the hottest challenges IT security organizations face as a growing number of employees use their own BlackBerrys, iPhones, iPads and Droids to access their employers' IT systems. In instances where such practices are banned, employees are demanding that the prohibition be lifted.

That's causing much reflection among IT security professionals. Executives and managers charged with IT security have identified five challenges that must be surmounted before their organizations can allow secure access to their systems by smartphones and tablet computers owned by their employees. These challenges include policy enforcement, physical theft, malware prevention, IT support and employee education.

Policy Enforcement

Many IT security leaders aren't sure whether their teams are ready to take on the additional responsibilities of continuously monitoring these devices and people's behavior.

Physical Theft

Think about it: The chances of losing a mobile device owned by an individual - or having it stolen - are a lot greater than for one owned by the employer. A personally owned device goes everywhere with its owner; that's not necessarily true of a company-owned device. That provides little comfort for IT security managers responsible for safeguarding sensitive corporate data.

Except for BlackBerrys, most other mobile devices don't readily support encryption. If someone steals an iPhone or an Android smartphone, the unencrypted data on the device could be exposed to the thief.

But by placing proper controls on user-owned devices, unauthorized individuals can be prevented from gaining access to sensitive data. If employees want to use their own smartphones or tablet PCs for work, they must agree to seven security controls (see 7 Steps to Secure Mobile Devices), including strong passwords and remote wipe.

Such an approach places part of the security burden on the employee. And half of the employees who had been using their own devices to access the state network decided not to do so when Delaware implemented its BYOD policy a year ago.

Malware Prevention

Devices used for personal activities are more prone to malware; after all, they're accessing a number of consumer sites that don't necessarily provide the same security as many sites designed for business-to-business transactions.

Many CIOs worry not only about insecure applications downloaded onto these devices, but also about so-called jailbroken smartphones and tablets that have been opened and altered to permit use of software the manufacturer didn't architect the device for.

Many banks scrutinize all employee-owned devices before allowing them to access their networks, to ensure they're safe and not jailbroken. These banks also make sure all personally owned devices contain anti-malware software that includes features to alert bank security personnel should a virus surface.

IT Support

Letting employees use their own devices presents a nightmarish scenario for many organizations: supporting a wide range of gadgets, operating systems and software. Organizations must define which devices to support based on how they'll be used. It may be OK to limit certain devices to accessing specific applications, such as e-mail, and restrict their access to other programs behind the firewall.

Employee Education

Getting employees to know about the policy, and why it's important for them to implement security controls, requires education.

Indeed, security awareness and training is a crucial element in allowing employees to use their own mobile devices, and it's important that IT security leaders prepare their staffs - and themselves - for the advent of widespread adoption of BYOD.
