Editor’s Note: Welcome to our weekly feature, Analyst Angle. We’ve collected a group of the industry’s leading analysts to give their outlook on the hot topics in the wireless industry.
Today’s most popular mobile devices were never designed for business purposes and, unfortunately, they don’t offer the same level of security that has been built into traditional desktop and laptop computers. As more corporate data is “allowed” on personal devices for employee use, enterprises are now rethinking bring-your-own-device, seeing it as an area of potential risk, rather than an opportunity to achieve a higher level of workplace productivity.
More and more smartphones and tablets are entering the market every day, and the lines have quickly become blurred between business and personal usage of these mobile devices – the essential communications tool for employees. Left unmanaged and exposed, consumer devices in the workplace are vulnerable to a wide range of information security threats. Threats include exploits by malware targeted at the device’s operating system or apps; unauthorized connections; exploitation of software vulnerabilities by malware that exposes data or causes unexpected behavior; and compromise or irrecoverable loss of corporate data.
These risks could result in devastating consequences for businesses, including both financial and reputational damage.
BYOD: What do I need to know?
As the trend of mobile devices in the workplace grows, we continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.
Before you implement a process for allowing mobile devices in the workplace, here are the five things every business leader should know about BYOD:
1. Employee-owned devices are here to stay; a BYOD program is essential in most organizations
Nearly 90% of the workforce use personal devices at work and expect to connect them to their organizations’ systems. At the same time, organizations want to benefit from BYOD by using it to attract and retain talent. If the BYOD risks are too high for you now, stay abreast of developments. If the risks are acceptable, ensure your BYOD program is in place and well structured.
2. Ignore managing BYOD risk at your peril
When business imperatives push BYOD programs into place quickly, risk management is often neglected or rushed, leaving organizations with both unknown and unnecessary risks. Risk management must sit at the heart of any BYOD program.
3. If you want BYOD, be prepared to compromise
Privacy regulations may be breached by everyday monitoring. An organization may no longer be able to seize devices for forensics (regardless of what the acceptable use policy says) or may have little or no control when the user makes an impulse decision to upgrade their device. Expect to face the compromises required to deal with outcomes such as these. If you’re not prepared to make these compromises, then BYOD may not be for you.
4. BYOD forces a greater emphasis on trust: this doesn’t come free
It’s not feasible to mitigate all the risks associated with BYOD; some may be so high they need to be avoided, whereas others may need to be accepted. But, accepting risks means that an organization must trust its employees to do the right thing – which comes at a cost: policies, training and awareness aren’t free. And some of those activities may need to move beyond the workplace and into employees’ homes.
5. Be information-centric: it offers agility and adaptability
An information-centric perspective is key to managing BYOD risk; it keeps the focus where it should be rather than on the technical details. The proliferation of new devices and apps means that organizing a BYOD risk management plan around a single technical solution can be restrictive. A focus on information is more likely to result in an agile and adaptable program. Such a plan should have the proper technical policies to monitor controls on the device as well as a solution for remediation in the event of a cyber-incident, loss, hack, etc. that compromises corporate information.
Risk is imminent – time is critical
Time is critical and businesses need to formulate a response to the growing trend of personal devices in the workplace with a heightened sense of urgency. Organizations need to ensure employees are aware of what constitutes good working practices for mobile devices by having an acceptable use policy in place that employees must sign and that is enforceable through disciplinary and/or financial sanctions. With the proper policies in place, users are free to combine work and personal tasks and data, work remotely and have a back-up plan should the devices be lost or stolen.
Businesses today can’t afford to stand still and allow mobile device adoption to run its own course as it will create new attack vectors and potential vulnerabilities in corporate networks. They need to stay one step ahead on the latest trends, mobile devices and related security risks. By putting in place the right working practices, usage policies and management tools, organizations of all sizes can benefit from the advantages that these devices can bring to the workplace while minimizing exposure to would-be security risks.
As the Global VP of the Information Security Forum, Steve Durbin’s main areas of focus include the emerging security threat landscape, cyber security, BYOD, outsourced cloud security, third-party management and social media across both the corporate and personal environments. Durbin has considerable experience working in the technology and telecoms markets and was previously SVP at Gartner. As global head of Gartner’s consultancy business he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. He has served as an executive on the boards of public companies in the United Kingdom and Asia in both the technology consultancy services and software applications development sectors. Durbin has been involved with mergers and acquisitions of fast-growth companies across Europe and the United States, and has also advised a number of NASDAQ and NYSE listed global technology companies. He is currently chairman of the Digiworld Institute senior executive forum in the United Kingdom, a think tank comprised of Telecoms, Media and IT leaders and regulators.
Founded in 1989, the Information Security Forum is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its members.