Ensuring BYOD Security Within the Enterprise

by James P. Gardner on August 20, 2013



Corporations are facing one of the most significant security challenges in today’s workplace: the bring your own device (or BYOD) phenomenon. With most employees more mobile than ever, productivity is in theory increased exponentially: email, calendars, and apps are made available on employees’ devices, eliminating the need to be tied to an office. Responding to an email on a Saturday while playing with your kids at the park hardly seems like work. More and more employees, however, choose to use their own personal devices for both work and recreation. Hence the BYOD phenomenon is born, spawning a whole new set of enterprise security problems.

There are multitudes of reasons employees prefer not to use the standard, corporate-issued mobile device. Managing multiple apps, calendars, and email accounts across multiple devices is hardly convenient for today’s tech-savvy mobile employee. Relying on one mobile device for all their personal and professional needs is certainly a bit easier. Personal preference and brand loyalty are huge, as some providers have almost cult followings for their particular device. There’s no way a hard-core, dedicated Apple user is going to be forced to use a BlackBerry, so he suggests using his personal iPhone for work as well.

Because of this shift, corporate governance for strategic mobile device management is more crucial than ever. Employees who use their own devices for work purposes unwittingly jeopardize sensitive corporate information every day. A lack of security can put the entire organization at risk if an employee loses a device, or if it is stolen or even loaned to a friend. Without an enforceable password-protected screen lock on devices, a company is vulnerable to a multitude of security problems. An effective and strictly enforced BYOD policy will help mitigate the security risks this type of usage creates. While BYOD programs have certainly enhanced mobility’s value to an organization, they have without question complicated the issue of security and effective data management.

Another concern of BYOD security is the issue of IT support for employee-owned devices. If an employee is using his or her own iPhone for work and a hardware problem arises, to whom does the employee turn for support? Individual productivity can come to a screeching halt if an employee has an issue that he or she cannot resolve independently. If it is a network or connectivity issue, will there be corporate IT support? IT would also need to be involved when setting up company email on employees’ devices, so as to set the proper parameters to ensure secure implementation. What happens in the case of damaged hardware or broken equipment? Will IT support those types of problems, or is the employee required to resolve them? These are inevitable questions that must be carefully assessed and addressed within an effective mobile device management policy.

Personal Use
Most personal devices are peppered with apps used for daily life, both personally and professionally, and that list is growing. This is a complex problem that could easily impede productivity and further jeopardize security if not factored into an MDM strategy. If employees use the standard corporate device, are they free to install whatever apps they want, as their BYOD co-workers can? More than likely, the answer is no, with an administrator user ID and password lock preventing all unauthorized downloads and installations. This scenario could possibly lead to some questionable habits, as one employee is able to play Angry Birds or manage his television DVR settings and the employee with the standard, corporate-issued device cannot. In addition, the unlimited ability to download whatever apps they want opens the BYOD employee up to viruses, malware, and other issues that can jeopardize the company’s data security. A good BYOD policy should outline which apps will be allowed, given the security or legal risks, even on an employee-owned device.

And by the way, who actually owns the apps, programs, and information on the device? The question of actual ownership becomes complicated if the device is lost or stolen and corporate IT needs to wipe the device clean – also wiping the employee’s personal information. Additionally, if an employee leaves or is terminated, who owns the data, and how is it wiped off the device? If a BYOD policy is adopted, it must clearly state that employees agree to the consequences if they jeopardize data security in any way.

The argument over BYOD’s contribution to productivity will continue, but what isn’t debatable is that strictly enforced mobile device management policies are invaluable in today’s blended mobile environment. An effective BYOD policy should address security, clearly define allowable apps, and outline appropriate support protocols to enable the highest level of employee productivity, whether employees bring their own device or not.

By: Jim Gardner