The consumerization of IT and the increasing popularity of bring-your-own-device initiatives is changing the way businesses work, but there are several security issues organizations need to keep in mind when implementing a BYOD program, according to a study by IT research firm Gartner.
Seventy percent of respondents in a recent survey by the firm said that they have or are planning to have BYOD policies within the next 12 months to allow employees to use personal mobile devices to connect to enterprise applications. A third of all organizations surveyed said they currently have BYOD policies in place for mobile devices, such as smartphones and tablets.
Gartner identified three main security issues organizations should be aware of when implementing a BYOD program, including employee access to unsecure sites that could introduce malware into the company network, data leakage and privacy concerns.
“Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security,” Gartner principal research analyst Dionisio Zumerle said. “Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization.”
When enterprise data is allowed on employee-owned devices, the risk of leakage increases for the enterprise, not just because of the rise of mobile malware, but also because legitimate but unsupported apps may inadvertently create security risks for the organization and, most importantly, because of device loss, the report warned.
Gartner recommends enterprises use application whitelisting, blacklisting and containerization and other forms of mobile device management (MDM) to limit their exposure to safeguard and enforce enterprise policy on Internet traffic. In addition, organizations should require enhanced password controls and set lock timeout period enforcements and controls to lock the device after a password retry limit, as well as data encryption platforms and remote lock and wipe capabilities.
“Nevertheless, excessively limiting the types of allowed devices eliminates the benefits of BYOD for users. There should be no compromise of security for the sake of device variety, but where it is possible to manage and secure a new device model, it should be done,” the report noted. “The policies that are enforced will depend on the risk appetite of the organization and the sensitivity of data allowed to reside on the device.”
The study also highlighted the complex legal issues surrounding security standards when it comes to protecting personal information stored on user-owned devices. In particular, the report notes the importance of a “selective wipe” function that would affect only corporate data stored on the device.
“Time is of the essence when performing this task, and asking the user for permission after the compromise, when a remote wipe is considered necessary, will be impacted by message exchange delays that can be critical,” the report said. “It is therefore advisable to obtain the explicit, written consent of users to delete their data in case of compromises, or the loss or theft of devices, at the time of the user's initiation to the BYOD program.”