BYOD: Can enterprise mitigate the risks?

What can businesses do to mitigate the risks of employees using their own devices as the trend for IT consumerisation gathers momentum?

This article can also be found in the Premium Editorial Download: IT in Europe: Why organizations are turning to hybrid data centre fabrics with Fibre Channel

Consumerisation is probably the most disruptive trend for IT this decade, according to Gartner, and security professionals faced with the related challenges are unlikely to disagree, but can business mitigate the risks of employees using their own consumer devices for work and play?

The risks of BYOD are almost universally acknowledged, as is the fact that it is increasing all the time. A global threat report for July indicates substantial cyber criminal activity, spurred on by the rise in popularity of Android-based mobile apps.

According to the report by GFI Software, the OpFake family of Trojans has become a major threat, with the Trojan usually masquerading as well-known applications such as Opera Mini and the new mobile version of Mozilla’s Firefox in order to dupe users into downloading and installing it.

Once installed, OpFake usually enslaves the handset, using it to dial premium rate phone numbers that generate revenue for the cyber criminals that unleashed it, the report said.

“Mobile malware is a relatively new frontier for cyber criminals, but that does not mean that their attacks are any less sophisticated or dangerous,” said Christopher Boyd, senior threat researcher at GFI Software.

“Many users are not aware of the fact that cyber criminals have created malware specifically for Android devices, and are rushing to download apps before ensuring that they are legitimate,” he said.

While there is little doubt that the mobile threat is kicking up into a higher gear, there is also growing recognition that security suppliers are starting to provide the mobile device management (MDM) tools enterprises need to cope.

Until fairly recently, most security professionals have felt the risks of bring-your-own-device (BYOD) programmes were too great without an MDM system that enables control over corporate data on employee-owned consumer devices, and that existing MDM systems were inadequate. Finally, that appears to be changing.

In August, In Practice Systems (INPS), which deploys and supports clinical software systems in the UK, implemented the MobileIron platform to support a bring-your-own-device (BYOD) programme.

According to INPS, which is part of the global healthcare software group Cegedim, the platform provides visibility and control of its fleet of corporate devices.

In a bid to move beyond the traditional corporate-owned BlackBerry, INPS wanted to offer its employees a way of using their personal devices for work, including devices running Apple's iOS, Google's Android and Microsoft's Windows Phone.

“We’re a company that seeks to let staff work the way they want to work. It’s hard to say ‘no’ to employees asking to use their own devices - especially if that employee happens to be an executive,” said Angelo Chrysanthou, head of information systems at INPS.

"From an IT perspective, I’ve learned over the years that if I don’t provide a solution, that employee will find their own way onto the network. MobileIron offered us a way around this," he said.

INPS began searching for an MDM platform that would enable it to manage corporate and personal devices. The company turned to its technology partner, Appurity, who recommended MobileIron.

INPS wanted to maintain the same control over employee-owned devices as corporate-owned BlackBerry devices. Due to the sensitivity of the company’s operations, INPS particularly wanted the ability to selectively wipe data from lost or stolen devices remotely.

Chrysanthou said: “We quickly decided MobileIron would be the best option for setting and enforcing policies around whatever smartphone or tablet our employees happen to bring into the workplace.”

“When you launch BYOD for the first time, there’s an important cultural shift that has to take place. You have to ensure you have communicated both the benefits and the restrictions of the programme,” said Chrysanthou.

INPS now has the capability to enforce policies and restrictions across virtually any end-client coming onto the corporate network.

“My IS department isn’t here to make the business follow rules – if one employee wants to bring in their iPad to enable them to be more productive then it’s our job to figure out how to make that work. MobileIron gives us the flexibility and security to do exactly that,” said Chrysanthou.

INPS is now planning to deploy MobileIron’s enterprise app storefront in the longer term for the deployment and secure sharing of apps across the business.

The outlook for the future is good as MDM systems continue to grow and competition in the market increases.

Despite BlackBerry losing ground to rivals, most of the security community acknowledges its superior position in terms of mobile security.

In an attempt to capitalise on that security reputation and expertise, RIM's latest version of its Mobile Fusion MDM platform is designed to give enterprises BlackBerry-style security control over mobile devices running iOS and Android, as well as its new BlackBerry10 operating system due out in 2013 after several delays.

RIM also appears to have learned its lesson from losing its market dominance. "User experience is key to success," Patrick Michaelis, senior product manager for Europe at BlackBerry security, told a recent regional interest group meeting of the European security association EEMA in Slough, UK.

With BlackBerry10, however, RIM is hoping to win back some of the ground it has lost to iOS and Android. A key element will be its technology, which enables the creation of corporate and personal space on mobile devices.

"Security is taken care of at the operating system level, and while personal and corporate data are separate, applications like e-mail and calendar can be accessed through a single user interface," said Michaelis.

This gives users a personal experience on a single device while enterprise has full control of its data – an approach RIM hopes will prove to be industry-leading.

Enterprises clearly do have access to the tools they need to mitigate the security risks of BYOD, and they are set to get even better.

Perhaps now the bigger challenge will be getting those organisations that are still in denial about BYOD to recognise that there are a significant number of personal smartphones in their IT environment that are bypassing every control, and that this is an issue they can no longer ignore.
