BYOD Brings Benefits, but Don't Ignore the Risks: ISF

By Michelle Maisto  |  Posted 2013-09-17

The Information Security Forum (ISF) is a 24-year-old nonprofit research organization whose Fortune 500–type member companies make clear the topics they're interested in and participate in research surveys. While historically reluctant to share its findings with nonmembers, ISF is beginning to loosen up. On Sept. 17, it made publicly available a new report on managing the risks that come along with the benefits of the bring-your-own-device (BYOD) trend.

"It's difficult to avoid mixing home and corporate data, and people will always look for ways to skirt controls," Steve Durbin, ISF's global vice president of information security, told eWEEK during a July meeting. "These devices were never designed to be truly secure, except for BlackBerry. The apps are easy to embed malware into, and they've become more attractive to attack now that they've moved into the enterprise space."

How to support users while maintaining an organization's integrity? "The device is a red herring," said Durbin, touching on where the report goes. "Focus on the information itself and on how much really needs to be tightly controlled. ... If you start with what's most important and ensure how that's being accessed ... you're in a stronger position to make a business case," he advised.

  • BYOD: Key Business Issues

    Whether an individual or the organization owns a device is a detail with important consequences. Still, many organizations haven't addressed the matter yet, said ISF in its new report, "A Practical and Effective Approach to BYOD."
  • Risk Areas and the Device Lifecycle

    Considerations should include day-to-day management and device end-of-life (will the user sell it?); where the user takes the device and who has access to it (is it used in a bar? do the kids get to play with it?); and what level of care it is shown (is it treated less carefully than a company-owned device? is it used to access inappropriate content?).
  • Devices Are a Red Herring

    Focusing on securing information, not devices, as a guiding principle for considering risk within a BYOD program "can bring a great deal of clarity to decision making," says the ISF report. Focus on usability and scalability, not device-specific measures.
  • Some Risk Is Necessary

    Some risk will have to be accepted. Consider the need for, and costs of, training and educating employees, says the ISF. Also, "clarify the balance to be struck between trust-based policy controls and technical controls."
  • BYOD Isn't Right for Everyone

    Consider which groups will be using which sensitive information, advises the ISF. While some risks will need to be accepted, identify which are "outside the organization's appetite" and "have them signed off and recorded in the risk register."
  • Ownership and Control

    Organizations may find it inappropriate to add particular technical controls to a device they don't own, which pushes them toward policy controls, which are generally less effective. In return for implementing a BYOD program, an organization may simply have to accept greater risk in some areas, says the ISF.
  • Legal Rights and an Employee-Owned Device

    Organizations need to consider what's within their rights to monitor, or even to record. Also, is personal information protected along with business content, and if not, have employees been made aware of this?
  • What's Worthwhile?

    An organization should ask itself whether training and awareness alone are appropriate to the risks taken. Further, are there ways to enforce an acceptable-use policy? And, are the controls in place encroaching on the benefits of using a personal device for business?
  • Leverage Existing Knowledge

    Organizations that have deployed laptops, and worked with contractors and other parties that have brought in their own laptops, shouldn't ignore the lessons learned from those experiences. Consider using a "laptop test," asking, "Do we implement this control for laptops?" states the ISF report.
  • Clarify Your Position

    Clarifying where an organization stands can include undertaking a "high-level risk assessment that can form the basis for future deployments," states the report. Another way is to "compile and deploy an overall BYOD policy and acceptable-use policy."
  • Prepare: BYOD Opens Doors for Criminals

    "A well-organized attack ... can exploit BYOD devices by using them as a stepping-stone of an attack against an organization," says ISF CEO Michael de Crespigny. "BYOD initiatives present considerable challenges, and today's executive must embrace these technologies or risk being sidelined by those more agile."