For users, it’s both a good and a bad thing: They get more choice in picking out the types and models of devices they want, but they pay for it out of their own pockets. Likewise for companies the trend has a good and a bad side: They save money on capital expenditures (and may realize benefits of improved productivity from employees who are happier with their technology) but they no longer have as much control over those devices. And that can present a security threat.
If the devices that connect to the corporate network aren’t secure, it can put the entire network at risk. That’s why mobile endpoint protection has to be an important element in your security strategy if your organization embraces (or even just tolerates) BYOD. When users bring their laptops, tablets and smartphones into the workplace, it’s imperative that those devices have security mechanisms already in place.
Mobile endpoint security consists of multiple layers of protection, just like defense-in-depth network security. Mobile devices, particularly in environments where workers deal with sensitive information, need to be protected from malware since attackers who design malicious code are increasingly targeting mobile operating systems and apps due to their still-growing popularity.
One big problem with BYOD devices that connect to your network is that they don’t connect only to your network. Device owners generally use them both for work and for personal usage, and connect them to their home networks, friends’ wi-fi networks, and public wireless “hot spots” at hotels, airports, coffee shops, etc. Some of these may be open networks where they are exposed to the risk of unauthorized access, either intentional or inadvertent, from unknown others.
Even those (rare) users who limit non-work access to only their own home networks will most likely use the devices to view web pages of varying types, perhaps play games, and may download apps that haven’t been properly vetted or that contain zero day vulnerabilities.
Malware isn’t the only thing you have to worry about with BYOD devices, though. Even if the device stays squeaky clean, there is always the chance that it might be lost or stolen. If it contains data related to work – downloaded documents, email, text conversations, and so forth – that information could be exposed to third parties outside the company. It’s vital that devices be protected with strong authentication requirements for access. A four-digit numerical pin, while better than a mere swipe, is weak security – yet it’s the most common authentication type used on mobile devices. A long password/passphrase, biometrics or a combination (multi-factor authentication) is significantly safer.
Device encryption is another “must have” for BYOD devices. Not only is it a best security practice, but if the devices are used in an industry that’s subject to regulatory compliance requirements (health care, financial services, payment card industry, etc.), it’s mandatory. All user data that’s stored on the device should be encrypted, and that also applies to data that’s stored on removable flash memory cards (SD/microSD) if the device is equipped to use them.
The best way to ensure the security of mobile devices is to manage them, using MDM (Mobile Device Management) software. This gives you back much of the control, and makes it possible for the company IT department to force encryption, force system and app updates, and even remotely wipe a device that is reported lost or stolen. There are many MDM systems available for enterprises and SMBs. Because there is a diversity of mobile devices in use today, the best solution should have support for all of the most popular mobile operating systems. Even if you currently have no users who use a particular OS, there’s a good possibility that someone will want to use a device running that OS in the future and a cross-platform MDM system will be able to accommodate that eventuality.
When we say “Bring Your Own Security,” we don’t necessarily mean that the user chooses, pays for or is in control of the security solution. What we mean is that the security goes with the device, no matter where it goes. As bringing your own device becomes the new normal, BYOS should be considered the first rule of the BYOD club.