BYOD: Securing the risk to access the cost benefits

Bring-your-own-device schemes offer businesses the opportunity to cut costs and improve user experiences, but the benefits can be dwarfed by the risks.

Bring-your-own-device schemes offer businesses the opportunity to cut the cost of end user computing and improve the user experience. But security products, services and policies must be properly implemented or these benefits can be dwarfed by the risks.

Worldwide, 38% of companies expect to stop providing devices to workers by 2017, according to a global survey of CIOs by the research firm Gartner.

Although smartphones are ubiquitous in India, businesses have not yet fully embraced bring your own device (BYOD). According to a recent survey from ISACA, 46% of the companies in India have blocked the use of mobile devices at work. But there are many companies embracing the concept. 

Ashish Mishra, chief information security officer at Tesco's Hindustan Service Centre, said rising costs and reducing margins make BYOD an opportunity to save costs and maximize productivity by allowing its employees to work on their personal devices.

"This not only allows employees to work on their preferred devices at their own costs, but also avoids their carrying multiple devices. However, this concept blurs the boundaries between corporate and personal devices," said Mishra.

"Therefore, while formulating the BYOD policy, sufficient care should be taken to obtain the employee agreement in advance to follow and allow company IT policy on their personal devices, to notify IT and security department in case of loss of device and to allow remote wiping in case of loss, theft or separation from organization," he added.

Kishor Rao, managing director of Check Properties, said the benefits of BYOD go beyond cost savings. "For a small-size company like us BYOD is not only lucrative from a commercial aspect but also improves employee’s morale and productivity," he said.

BYOD increases productivity by more than 60%, according to the recent "Workplace of the Future" report from Citrix. In addition, smartphones and other devices can help keep things going during unplanned network outages. Organizations can include these devices as part of their IT/disaster recovery strategy.

"Mobile devices play an important part of our business continuity strategy since employees always have their mobile phone with them and they can access the corporate network through the mobile phone and keep working," said Satish M, a consultant at Pune-based Achievers Court LTD.

While cost cutting is the main driver for BYOD, data security concerns are the main inhibitors to businesses taking full advantage of the new computing model. Companies are attempting to address this through malware analysis and pen testing on mobile devices connected to the corporate network, according to independent consultant Shekhar M.

How to use BYOD safely

Here are some tips to help you protect your assets when implementing BYOD.

Have a well-drafted policy for BYOD: A clear policy is instrumental in ensuring compliance and a consistent security practice in the organization. The policy must cover legal liability, privacy clauses, encryption and compliance issues. It should clearly state what information the company will collect, the responsibility of the users and what actions the company can take for non-compliance.

Consider mobile device management applications: There are many mobile device management (MDM) applications on the market. These applications provide sandboxed environments for corporate data that essentially isolate it from personal data and further encrypt the corporate data at rest and in motion. Most MDM applications also have features that act as a shield from viruses, malware attacks and advanced network attacks.

Encrypt data and secure devices: Mobile phones and tablets are more susceptible to theft than traditional devices. As a result, security managers have concerns about data loss due to theft. It is important to encrypt the data or secure the device with a PIN or two-factor authentication. A mechanism for remotely wiping data from devices is also essential to prevent data loss. Educating employees and communicating rules can also mitigate the risk to a certain extent.

Manage user access: With BYOD, processes for staff on-boarding and off-boarding take on more importance. Companies must have a strict enrollment policy requiring users to register their devices prior to connecting to the corporate network. Organizations can build an authentication and logging mechanism into the network to add an extra layer of security. Many industries in India have high attrition of employees, which is why it is important to have an efficient process to wipe data when an employee leaves.

Address privacy issues: Addressing privacy issues is complicated for multinational companies. There is a thin line between corporate and personal data. Businesses want to ensure their data remains secure, without affecting their employees' privacy. Companies must obtain user consent prior to monitoring or tracking personal devices.

Train staff on using personal devices at work: It’s critical to educate staff about BYOD use, and trust and awareness are vital. Computer-based training and existing training manuals should be re-evaluated to include BYOD. Employees should be made aware of their responsibility toward securing devices that hold company data.
