The bring-your-own-device (BYOD) business model is here to stay, much to the chagrin of security professionals. The arguments for allowing employees to work with company data on their personal devices and bring those devices into the workplace are almost unassailable: increased productivity, flexible working hours, and a more agile business.

While some companies may still limit workers to a single, or small selection, of devices and workstations, many firms are allowing employees to work from whatever device suits them. In many cases, that's a whole host of devices: Network security provider Bradford Networks, for example, has many higher education institutions among its customers, and some students use as many as 14 different devices to connect to the Internet.

"If companies think they are going to stop this, they really are not," says Frank Andrus, chief technology officer for the firm.

Yet companies should not allow employee devices onto the network or to store business data without some sort of security infrastructure in place to mitigate the vulnerabilities and compromises the devices may bring with them, Andrus says. In a presentation at the Interop conference in New York, he will stress that the human element is, initially at least, the most important aspect in implementing security controls on devices. Almost all employees are leery of giving corporate IT security any sort of control that could jeopardize their own data, he says.

"End users are really becoming part of the security model," he says. "The attacker is using them as a launching point into the network."

To eliminate the bring-your-own-vulnerabilities problem, mobile-security expert recommend three steps.

1. Survey the landscape
Companies should start by assessing the degree to which corporate assets are used by mobile workers.

Often a company does not have a lot of control over its IT infrastructure, and one employee who figures out how to connect to the e-mail or a collaboration service will educate others, until the business has a rogue IT problem, says Chris Isbrecht, director of product management for Fiberlink, a mobile-security provider.

[Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth. See Is The Perimeter Really Dead?.]

"In a lot of cases, we find that people have no visibility or understand how many people and how many devices are actually connecting," he says. "The first step is education and visibility."

Companies should use the asset discovery to come up with a list of devices and what servers and services those devices are using. After that, the firm can decide which approach best works to locking down their infrastructure and data, he says.

2. Win over the worker
Any strategy for implementing protection for employee-owned devices must also win over the workers. Because the device belongs to the user, the company will not be able to manage it in the same way that the firm could manage a corporate device. In some countries, the company may be extremely limited in what actions they are able to take: A blacklist could be leaking information on the apps that the worker uses, and spam filtering could give the company insight into the worker's personal life.

For any security product or service, protecting both the business data and the user's privacy is a tricky line to walk, says Nicko van Someren, chief technology officer for Good Technology, a mobile-security provider.

"It's a two-way street," he says. "You have to be able to protect the employer's data against accidental loss or disclosure by the user, but you also have to protect the user against the employer in terms of [the fact that] this is not the employer's device."

3. Protect the right "D"
Finally, companies have to focus on what really matters: the data, not the device. Convincing workers to take better precautions and secure their devices is good, but the company should focus on protecting its data, says Good's van Someren. Many mobile device management products are focused on the wrong "D," he says.

"It is all about the data and not the device," van Someren says. "The businesses should not care about the device."

Because the worker's habits on the device focus on using apps, a data-driven security approach also has to focus on the apps as well, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.