BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

3. Set the rules

If you experiment with BYOD, you must consider where and how to enforce the rules, says Sophos's Svajcer. Do you want to allow every type of new device on your network but curtail access to resources, or provide more extensive access to select devices that meet security standards?

Mobile device management software is a fast-growing area of interest and investment. Gartner counts more than 100 companies in the enterprise MDM market worldwide. MDM vendors include large IT services and security companies such as IBM, SAP, Sophos, and Symantec, as well as specialized firms such as AirWatch, Good Technologies, and Zenprise.

Depending on the package you go with, MDM software and services let you set policies across a range of mobile device hardware and software platforms. They enforce strong passwords, control application downloading and patching, detect jailbroken devices, and provide auditing as well as remote locking and wiping of lost or stolen devices.

Some MDM vendors are introducing data monitoring capabilities that give businesses a window into what data is moving to and from managed mobile devices. Vendors such as Zenprise also offer "geofencing," which lets IT detect when devices leave a certain geographic area and take action to secure them (such as locking or remotely wiping data on the device).

Companies also are finding alternatives to an all-or-nothing approach to BYOD that encourage productive use of mobile devices but retain a measure of control.

One such approach is enterprise mobile application stores, in which businesses provide access to company-approved mobile apps for download by employees, while using mobile security policies to prevent unapproved applications from being installed on managed devices.

Startups such as AppCentral, which has Pepsi and Anheuser-Busch as customers, provide services that let companies control and manage their employees' access to custom mobile applications. Similarly, Cisco's AppHQ platform helps companies create their own internally hosted application stores.

Branded mobile application storefronts can go a long way to easing enterprise concerns about application integrity and corporate control. In the long term, however, Sourcefire's Huger believes that the BYOD trend may come back full circle to LYDAH (leave your device at home).

Whether employees like it or not, security and management require employers to run software on employees' devices. As noted previously, that can be a sensitive issue when the employer doesn't own the device. Companies can skirt the issue by supplying employees with attractive mobile devices loaded with the necessary security and management tools.

"I've started to see exactly that," Huger says. "I have a customer who just purchased 500 iPhones for employees. They spent a lot of money to do it, but it's cheaper and more effective to control the software on the devices," he says. "In the long term, you just can't have these powerful devices unrestricted and loose on your network."

Employees may be more amenable to that approach than all the BYOD talk suggests, according to Forrester data. A Forrester Forrsights Workforce Employee Survey of 322 enterprise users from the fourth quarter of 2011 found that, while 45% of respondents would like to have their choice of mobile phone or smartphone, only 23% would be willing to contribute to the cost of the device in exchange for choice. Fully 32% of those surveyed say they "don't care" about choosing their own work mobile phone or smartphone.

4. Confront the issues

Finally, while companies should take seriously the risks of BYOD, they shouldn't overcorrect for the perceived loss of control that employee-owned devices create.

"You want to have sensible, but not restrictive policies," Mahaffey says. "The most important thing is to empower people to be productive."

Don't take the "slumlord approach to network security," says Johannes Ullrich of the SANS Institute in an article he wrote for the Forbes website. Like landlords for low-rent apartments, Ullrich says, many network administrators remove or disable features that could potentially cause security problems, rather than incur risk by letting employees benefit from those features. By overreacting to perceived risk, those administrators create rules-bound IT environments that can crush workers' souls, especially those of younger digital natives. Like stripped-down apartment houses, those restrictive, punitive IT environments drive away creative employees and encourage those that remain to circumvent security features, rather than live with them.

BYOD is a great example of embracing reality rather than fighting it. Employees are going to use their own devices anyway, so it's better to support them, Ullrich says. Rather than crack down on non-company-owned devices, he says, "it may be more secure to set up a dedicated network for these devices that's controlled and managed versus having employees work around these issues."

Education may, in the end, be the simplest, cheapest, and most effective tool that companies can use to reduce the risks employee-owned devices pose. Talking to employees about mobile threats and the importance of using passwords to secure physical access to devices, as well as encryption to protect the data that's stored on them, is critical, especially in the absence of corporate-wide policies and tools to enforce them.

Rather than banishing employee-owned devices, smart organizations will embrace them and learn how to address the security shortcomings. "Don't freak out and stop people from using their phone," says Mahaffey. "Confront the issues and deal with them." That approach puts you in control of the devices on your network, ensures that employees are well educated about potential problems, and makes it less likely they'll sneak devices on the network or otherwise violate policies.

3 of 4
Reader comment (User Rank: Apprentice, 11/5/2012, 7:56:43 PM), re: BYOD: Filling The Holes In Your Security Policy:

82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work. This is the reality, but it is also a large security risk. The article makes important points about BYOD policy, and it is critical to have a good policy. Also important is education about that policy. We changed our BYOD policy to have all doctors use a HIPAA-compliant text messaging app called TigerText to send patient info, but the adoption rate was very low until we brought every doctor in and explained the policy, why we have it, and how to use the app. Now we have about a 97% use rate.