BYOD Brings Benefits, but Don't Ignore the Risks: ISF
Email
Print
The Information Security Forum (ISF) is a 24-year-old nonprofit research organization whose Fortune 500–type member companies make clear the topics they're interested in and participate in research surveys. While historically reluctant to share its findings with nonmembers, ISF is beginning to loosen up. On Sept. 17, it made publically available a new report on managing the risks that come along with the benefits of the bring-your-own-device (BYOD) trend. "It's difficult to avoid mixing home and corporate data, and people will always look for ways to skirt controls," Steve Durbin, ISF's global vice president of information security, told eWEEK during a July meeting. "These devices were never designed to be truly secure, except for BlackBerry. The apps are easy to embed malware into, and they've become more attractive to attack now that they've moved into the enterprise space." How to support users while maintaining an organization's integrity? "The device is a red herring," said Durbin, touching on where the report goes. "Focus on the information itself and on how much really needs to be tightly controlled. ... If you start with what's most important and ensure how that's being accessed ... you're in a stronger position to make a business case," he advised.
-
BYOD Brings Benefits, but Don't Ignore the Risks: ISF
By Michelle Maisto
-
BYOD: Key Business Issues
Whether an individual or the organization owns a device is a detail with important consequences. Still, many organizations haven't addressed the matter yet, said ISF in its new report, "A Practical and Effective Approach to BYOD."
-
Risk Areas and the Device Lifecycle
Considerations should include day-to-day management and device end-of-life (will the user sell it?); where the user takes the device and who has access to it (is it used in a bar? do the kids get to play with it?); and what level of respect is it shown (is it treated less carefully than a user-owned device? is it used to access inappropriate content?).
-
Devices Are a Red Herring
Focusing on securing information, not devices, as a guiding principle for considering risk within a BYOD program "can bring a great deal of clarity to decision making," says the ISF report. Focus on usability and scalability, not device-specific measures.
-
Some Risk Is Necessary
Some risk will have to be involved. Consider the need for, and costs of, training employees and educating them, says the ISF. Also, "clarify the balance to be struck between trust-based policy controls and technical controls."
-
BYOD Isn't Right for Everyone
Consider which groups will be using which sensitive information, advises the ISF. While some risks will need to be accepted, identify which are "outside the organization's appetite" and "have them signed off and recorded in the risk register."
-
Ownership and Control
Organizations may find it inappropriate to add particular controls to a device they don't own—which will lead it toward policy controls, which are generally less effective. In return for implementing a BYOD program, an organization may just have to accept greater risk in some areas, says the ISF.
-
Legal Rights and an Employee-Owned Device
Organizations need to consider what's within their rights to monitor, or even to record. Also, is personal information protected along with business content, and if not, have employees been made aware of this?
-
What's Worthwhile?
An organization should ask itself whether training and awareness alone are appropriate to the risks taken. Further, are there ways to enforce an acceptable-use policy? And, are the controls in place encroaching on the benefits of using a personal device for business?
-
Leverage Existing Knowledge
Organizations that have deployed laptops, and worked with contractors and other parties that have brought in their own laptops, shouldn't ignore the lessons learned from those experiences. Consider using a "laptop test," asking, "Do we implement this control for laptops?" states the ISF report.
-
Clarify Your Position
Clarifying where an organization stands can include undertaking a "high-level risk assessment that can form the basis for future deployments," states the report. Another way is to "compile and deploy an overall BYOD policy and acceptable-use policy."
-
Prepare: BYOD Opens Doors for Criminals
"A well-organized attack ... can exploit BYOD devices by using them as a stepping-stone of an attack against an organization," says ISF CEO Michael de Crespigny. "BYOD initiatives present considerable challenges, and today's executive must embrace these technologies or risk being sidelined by those more agile."
Apple Replaces Coca-Cola as World's Top Brand: 10 Ways It Did It 
GNOME 3.10 Gets an Overhaul: Top 10 New Features 
3D Printing: If You Can Imagine It, You Can Make It 
Kindle Fire HDX Might Work in the Enterprise: 10 Reasons Why 
Security Stats Show Mobile Malware, XSS as Top Concerns 
OpenWorld 2013: Oracle’s Cup Surely Runneth Over 
MakerBot Digitizer 3D Scanner Turbocharges the Printing Process 
Surface 2 Won't Improve Microsoft's Tablet Fortunes: 10 Reasons Why 
Apple's Latest iMacs Are a Worthy Desktop Buy: 10 Reasons Why 
Microsoft Surface 2 Tablets: Faster With Longer Battery Life 
0 Comments for "BYOD Brings Benefits, but Don't Ignore the Risks: ISF"