Concerned about BYOD Security?
Date: Jan 21, 2013
Employees expect to use personal smartphones and mobile devices at work. To ensure network security is not compromised, these devices need to be remotely managed – over their whole lifetime, from enrolment to retirement. Organisations need to implement BYOD governance policies such as: all devices must be configured with passwords, specific types of applications must be prohibited from being installed, and sensitive data must be encrypted.
Here are five of the most important BYOD security considerations recommended by industry experts:
1. Mobile Usage Policy
The Ponemon Institute 2012 Global Study on Mobility Risks showed that only a little over a third of companies in the U.S. have developed any kind of acceptable mobile device usage policy.
Policies and procedures should be created to address mobile device security risks and outline acceptable usage behaviour by employees.
Key policies should cover: how remote wipe procedures are to take place, how devices connect to the network, which encryption algorithms and key strengths will be used, how users authenticate, and what kinds of devices users can connect to company resources. And don’t forget that employees will require training on these policies.
2. Lost Device
Mobile Device Management (MDM) should be used to lock and wipe devices. Organisations also need to educate employees about what they put at risk when they lose devices, and give them a way to report lost or stolen devices so those lock and wipe functions can be activated promptly.
With positive confirmation of a remote wipe, an organisation may be able to avoid having to report loss of sensitive data to regulatory bodies.
3. App Safety
Mobile device users are facing an increasingly hostile malware environment, particularly those using Android devices. Mobile devices connecting to company resources should have mobile security software installed and have their encryption features activated. Anti-phishing training is crucial to heading off future mobile attacks, but perhaps most important is policing how and where employees download their apps.
Employees should only use app marketplaces hosted by well-known, legitimate vendors for downloading and installing apps. Mobile malware authors often use unregulated, third-party app stores.
4. Data Security
Organisations need to undertake a formal assessment of which employees need access to what data through their devices. You can then decide what security measures will be needed to protect that data, taking into consideration the potential security or compliance ramifications if that data is compromised.
If you have highly sensitive information that may be accessed on mobile devices owned by the employee, you need to look for ways to secure and protect those applications independently of the device itself, so that those applications have strong password controls and the necessary data encryption applied, and can be wiped from the device when the employee leaves the company without wiping their personal data.
5. Secure Connections
How a device connects to corporate assets is also a critical consideration. Organisations allowing access from mobile devices should consider minimising that risk by delivering data through virtualization rather than storing it on the device, and by enforcing VPN access to these resources with strong authentication.
Additional segmentation within the network may also be necessary to accommodate riskier mobile connections.