“BYOD security requires a delicate balance between business concerns about security and personal privacy,” he told Computer Weekly.
“BYOD should not mean letting any device access the corporate network, but the goal should be to protect corporate data while ensuring the privacy of personal data on personal devices,” said Gupta.
“The risks that need to be managed include malware threats from compromised devices, unintended disclosure of sensitive information, data loss, compliance risks, and productivity loss from time-wasting apps,” he said.
But in attempting to do that, many organisations fall into the common trap of applying the same set of security policies for BYOD as they do for corporate mobile devices.
When a company issues a corporate device to an employee, it can standardise configurations to secure the device and rigidly control how it is used.
“But because of the diversity of BYOD devices and their use for personal purposes, it becomes necessary to be more flexible while taking steps to secure the device and minimise the risks,” said Gupta.
He cautions against taking a one-size-fits-all approach.
“Instead, organisations should tailor a BYOD policy to the organisation’s security needs and the employee culture, and then implement technology solutions that support those policies,” he said.
“We are seeing that different industry types have different security requirements and employee cultures differ on whether or not they prefer separate devices for personal use and corporate use,” he said.
But Gupta believes there are several key guidelines that should be followed. He recommends that organisations:
- Set minimum operating system (OS) version thresholds for users to bring in their own devices for work as a baseline requirement to protect corporate data and apps running on them. “Certain versions of Android, for example, are not secure enough for the enterprise because they lack encryption and other security capabilities,” said Gupta.
- Quarantine compromised devices and make sure that the OS and apps are updated with current security patches before accessing corporate networks.
- Enforce standard configuration settings for enterprise access, including the use of an encrypted network and data access only through a VPN (virtual private network) and secure (HTTPS) sessions.
- Ensure that enterprise apps share data only in secure containers and wipe the container upon exiting the enterprise app, to prevent data leak or disclosure.
- Ensure the company has the capability to lock devices remotely and selectively wipe content, apps and passwords on lost or stolen devices.
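The first three guidelines above (OS version thresholds, quarantining compromised or unpatched devices, and requiring an encrypted-network configuration) amount to an enrolment gate that evaluates a device's reported posture against policy. The following is an added example of such a gate, not code from the article or from any MDM product; the policy values, device fields and device records are constructed for illustration.

```python
"""Device posture evaluation for a BYOD enrolment gate.

Added example (not from the article or any vendor product): a minimal
policy engine applying the baseline checks described in the article:
minimum OS version per platform, root/jailbreak status, security patch
age, storage encryption and the presence of a VPN profile. All field
names, policy values and device records are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed policy. Minimum versions are strings so "10" and "10.0" compare equal.
POLICY = {
    "min_os_version": {"android": "10.0", "ios": "15.0"},
    "max_patch_age_days": 90,
    "require_encryption": True,
    "require_vpn_profile": True,
}


@dataclass
class DevicePosture:
    """What a device-management agent would report at enrolment (constructed schema)."""
    device_id: str
    platform: str        # "android" or "ios"
    os_version: str      # e.g. "13.0.1"
    encrypted: bool      # storage encryption enabled
    compromised: bool    # rooted / jailbroken flag
    patch_level: date    # date of the most recent security patch
    vpn_profile: bool    # enterprise VPN configuration installed


def parse_version(text: str) -> tuple:
    """Turn '13.0.1' into (13, 0, 1); any non-numeric component becomes 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions component-wise, padding the shorter with zeros."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def evaluate(device: DevicePosture, policy: dict, today: date) -> tuple:
    """Return ('allow', []) or ('quarantine', [reasons]) for one device."""
    reasons = []
    minimum = policy["min_os_version"].get(device.platform)
    if minimum is None:
        reasons.append(f"unsupported platform {device.platform!r}")
    elif not version_at_least(device.os_version, minimum):
        reasons.append(f"OS {device.os_version} is below minimum {minimum}")
    if device.compromised:
        reasons.append("device reports root/jailbreak")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("storage encryption disabled")
    age_days = (today - device.patch_level).days
    if age_days > policy["max_patch_age_days"]:
        reasons.append(f"security patch is {age_days} days old")
    if policy["require_vpn_profile"] and not device.vpn_profile:
        reasons.append("enterprise VPN profile missing")
    return ("quarantine" if reasons else "allow", reasons)


def evaluate_fleet(devices, policy: dict, today: date) -> dict:
    """Map device_id -> decision for a batch of enrolment requests."""
    return {d.device_id: evaluate(d, policy, today) for d in devices}


if __name__ == "__main__":
    # Constructed sample fleet.
    today = date(2024, 3, 1)
    fleet = [
        DevicePosture("d1", "android", "13.0.1", True, False, date(2024, 1, 15), True),
        DevicePosture("d2", "android", "9.0", True, False, date(2024, 1, 15), True),
        DevicePosture("d3", "ios", "16.2", True, True, date(2023, 10, 1), False),
    ]
    for device_id, (decision, why) in evaluate_fleet(fleet, POLICY, today).items():
        print(device_id, decision, "; ".join(why))
```

Each failed check is recorded separately, so a quarantined user (or the help desk) sees every reason rather than only the first one, and the gate can be re-run once the device has been patched or reconfigured.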
Another common failing, according to Gupta, is that companies tend to ignore the impact of BYOD on enterprise infrastructure and the related costs.
“The enterprise may not be paying for the BYOD device or data usage on the device, but the device is still consuming Wi-Fi data bandwidth and ultimately connections on the company network,” he said.
To ensure employees are not using the corporate network to download movies and videos for personal use, Gupta said enterprises can implement geo-fencing limitations on certain data-hogging apps when the device is within work location boundaries.
“Such apps can be blocked at work while allowing employees to use the apps as they want, outside the work location boundaries,” he said.
The next common pitfall to avoid, said Gupta, is publishing private enterprise apps to public app stores such as the Apple App Store and Google Play.
“But publishing apps to a company’s own private enterprise app store enables the delivery of enterprise apps to employees and partners, without having to disclose anything to the app store providers or go through cumbersome approval processes,” he said.
Gupta also says companies should avoid rigid policies in blacklisting and blocking apps. “In a BYOD environment, geo-fencing restrictions on apps may be appropriate, managing what apps can be run and what apps cannot be run within the corporate boundaries,” he said.
For example, blocking applications such as Facebook at the work location, but allowing access to the app outside of the work location can help increase productivity while providing flexibility and promoting employee satisfaction.
“Define time and location windows with access restrictions, including what apps can be run and what apps cannot be run within work location boundaries,” said Gupta.
“Then use geo-fencing to monitor and enforce location-based access and usage policies. Also, make sure that the GPS and location tracking features persist within geo-fence boundaries even if a user turns GPS off,” he said.
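The time-and-location windows described above reduce to a small decision function: given where the device reports itself to be and the local time, which apps does policy currently block? The following is an added example of that evaluation, not code from the article or from any MDM product. Work locations are modelled as circular geo-fences (centre plus radius, distance computed with the haversine formula), and the coordinates, radius, window and app names are constructed for illustration.

```python
"""Location- and time-window app restrictions for a BYOD policy.

Added example (not from the article or any MDM product): returns the set
of apps a policy blocks for a device at a given position and local time.
Each fence is a circle around a work location with a weekday/time window
and a list of apps blocked inside it. All values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fence:
    name: str
    lat: float
    lon: float
    radius_m: float
    weekdays: frozenset      # 0 = Monday ... 6 = Sunday
    start: time              # window start (inclusive), local time
    end: time                # window end (exclusive), local time
    blocked_apps: frozenset  # app identifiers blocked inside the fence


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def in_window(fence: Fence, when: datetime) -> bool:
    """True if the local time falls inside the fence's weekday/time window."""
    if when.weekday() not in fence.weekdays:
        return False
    return fence.start <= when.time() < fence.end


def inside_fence(fence: Fence, lat: float, lon: float) -> bool:
    """True if the point is within the fence radius (boundary counts as inside)."""
    return haversine_m(lat, lon, fence.lat, fence.lon) <= fence.radius_m


def blocked_apps(fences, lat: float, lon: float, when: datetime) -> frozenset:
    """Union of apps blocked by every fence the device is inside during its window."""
    result = set()
    for fence in fences:
        if inside_fence(fence, lat, lon) and in_window(fence, when):
            result |= fence.blocked_apps
    return frozenset(result)


def is_allowed(app: str, fences, lat: float, lon: float, when: datetime) -> bool:
    """Convenience wrapper: may this app run here, now?"""
    return app not in blocked_apps(fences, lat, lon, when)


# Constructed policy: one head-office fence, Monday to Friday, 08:00 to 18:00.
HQ = Fence(
    name="head-office",
    lat=51.5007, lon=-0.1246, radius_m=200.0,
    weekdays=frozenset(range(0, 5)),
    start=time(8, 0), end=time(18, 0),
    blocked_apps=frozenset({"video.streaming", "social.network"}),
)
FENCES = (HQ,)


if __name__ == "__main__":
    monday_morning = datetime(2024, 3, 4, 10, 0)   # a Monday (constructed)
    print("at HQ, Monday 10:00:", sorted(blocked_apps(FENCES, 51.5007, -0.1246, monday_morning)))
    print("1 km away, Monday 10:00:", sorted(blocked_apps(FENCES, 51.5107, -0.1246, monday_morning)))
```

Only apps named in the fence are affected, so a device outside the fence or outside the window sees no restriction at all, which is the flexibility Gupta argues for. The requirement that location tracking keep working when a user turns GPS off is a platform and agent capability; this logic simply assumes it receives a trustworthy position.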
Finally, Gupta advises that organisations avoid a full wipe of a BYOD device when a selective wipe is more appropriate.
When an employee with a corporate device leaves the company, the admin can remotely wipe the device, but it would be a mistake to do that with a BYOD device without employee permission, he said.
While such permission should be obtained beforehand during the BYOD signup process, Gupta said a better approach would be to have the capability to wipe things selectively, erasing only the enterprise apps and data, while leaving the personal information intact.
Gupta said many enterprises now encourage employees to bring their own devices to work for the promotion of a flexible work environment and related productivity boost.
But, he said, organisations must take the necessary security precautions to ensure that the business benefits from the BYOD trend.