Bring Your Own Device Security Strategies – Part 2
Before implementing a Bring Your Own Device (BYOD) solution, an enterprise must gain clarity in the following four areas:
The first step an enterprise must take is to become clear about what it wants to achieve by implementing BYOD. In order to establish its objectives, the following questions have to be addressed:
- Is BYOD intended to be an interim or long-term solution?
Long-term solutions require a different approach, such as regular reviews. If the decision is made that BYOD should serve as a short-term solution, a definite end date must be set before implementation and rigidly adhered to.
- What business functions need to be achieved with BYOD?
What BYOD is used for, and how, will have a significant impact on the enterprise’s risk profile. The more functionality and access that are granted under the BYOD scheme, the higher the risk for the enterprise.
BYOD should not be used, for example, for remote system management.
- What types of devices will BYOD include?
The first level assessment will define the categories of devices to be used, such as PCs, laptops, tablets, smartphones, or a combination thereof.
In the next step consider what platforms will / can be supported – Windows, macOS, iOS, Android.
A helpful task at this stage might be a survey amongst the employees to check what kinds of devices they currently own and use.
- Will this be the only flexible working solution implemented and where will BYOD devices be used?
Will there be a mix of BYOD and Corporately Owned devices used for flexible working?
Will BYOD devices only be used for remote working, or will they also be brought into office spaces for flexible working and connected to trusted networks?
BYOD might not be suitable for all users, for example executive-level managers who handle sensitive data on a regular basis. Such a situation could be handled either by offering a limited subset of data and services through BYOD or by excluding those users from the BYOD solution altogether.
Once identified as being part of BYOD, users should be involved throughout the implementation process. One very good reason for this approach is the fact that the priorities and desires of users in an organisation are by nature likely to differ.
The device owners are likely to be more concerned about usability (a smooth user experience) and the privacy of their personal data, whereas the enterprise will naturally be more concerned about the security and integrity of its data, services, and corporate infrastructure, whilst maintaining compliance with legal and contractual obligations.
BYOD poses a greater security risk to the organisation as it has less control and visibility of a user’s personal device. As a result, some aspects of corporate data and resources will have to be excluded from the BYOD scheme.
For example, users that have privileged or administrative access to corporate systems requiring Privileged Access Workstations (PAWs) should not have these levels of access on a BYOD device.
Risks of BYOD can include:
- Easier user-initiated deliberate loss of data (copying enterprise data to the personal environment)
- Higher potential accidental data loss
- Malicious exfiltration of data
- Less trust in a BYOD device at the point of enrolment / first use
- Employees having access to more resources and services than required
- Higher likelihood of unsupported or out-of-date services
- Additional exposure of devices to threats due to being used in a broader personal context (for example, sharing the device or password with others)
- Users are less willing to report security incidents (for fear of intrusion into personal data)
- Malicious exploitation of devices because of weak security configuration
- Malicious exploitation of devices remains undetected due to a lack of monitoring
- Increased risk of device theft, loss, or breakage
- Use of unsecured networks and public locations
- Infected devices
- External access to internal resources
Despite the heightened risk, BYOD is still a more secure solution than indirectly promoting the use of shadow IT.
Exploring the alternatives
After establishing the objectives and users’ needs, and evaluating the risks associated with BYOD, an enterprise should investigate the alternatives.
Alternatives to BYOD could include:
- COBO – Corporately Owned, Business Only
- COPE – Corporately Owned, Personally Enabled
- CYOD – Choose Your Own Device
- POCM – Personally Owned, Corporately Managed (full device management is handed over to the enterprise)
Once this has been done it can be decided whether BYOD is the best viable option to pursue.
In next week’s blog we will look at developing the policy for BYOD.