As employees continue to bring their personal IT devices (like smartphones and tablets) to the workplace, organisations of all shapes and sizes are playing catch-up with their policies. Most of these profess to encourage flexibility and freedom of devices at work, but in many cases the policies don’t fit the promises.
With security being the key issue at stake, businesses have to strike a balance between control and freedom in how they approach the BYOD phenomenon. Organisational fears around the security of mobile devices are well-justified: IBM’s 2011 X-Force Trend and Risk Report found that publicly-released exploits for mobile devices are up 19 per cent compared to last year. Mobile OS vulnerabilities have almost doubled in the past two years, although we can expect these to plateau somewhat this year.
Of particular concern is the fact that many exploits are taking advantage of the BYOD trend, targeting enterprise information or infrastructure assets on the basis that personal devices will “infiltrate” the workplace’s security systems. As such, BYOD poses several security risks to organisations – just like any other use of ICT in the workplace. Rather than prohibiting these devices, companies need to work out which strategies deal with these threats most efficiently.
A two-speed response
So far, the trend amongst many organisations is to adopt a two-speed response. On the one hand, the company recognises the proven benefits of workplace flexibility and productivity stemming from the BYOD trend. On the other hand, ICT policy still revolves largely around restricting the use and access of personal devices, applying “one size fits all” security and compatibility strategies without regard to the high level of IT individualisation which underpins the BYOD phenomenon.
This contradiction in terms is understandable: companies want to ensure productive worker habits, but are afraid of compromising their control over the integrity of the organisation’s data and operations. It’s also detrimental: more employees are resisting efforts to police and limit the use of their devices, finding loopholes and exploits even as IT departments seek to plug them. This sort of vicious cycle is clearly unproductive and potentially disastrous for all involved. It can even open up the very avenues of intrusion which the company sought to shut down in the first place, as employees move to circumvent IT policies perceived to be hampering productivity and stifling collaboration.
The simplest way to resolve this contradiction is to respond to what employees need. People largely adopt a BYOD approach so that they can work more happily and productively. Security policies should aim to ensure that they can do so in a secure fashion, seeking to support rather than actively control how employees go about doing their job.
This holistic mentality has technical implications as well: IT departments should seek to offer security support to employee devices, whether through frequent patching and updates or by ensuring compatibility with key organisational security features such as VPN access. CIOs and IT managers will still have to find the balance between flexibility and security: providing support for all mobile OS platforms may not be feasible, for example, but initial support for the main platforms like iOS and Android should be an obvious first step.
IT policy-makers also need to recognise that the devices in question are used for both work and personal purposes. Organisational control over employee devices makes sense from a purely security standpoint, but employees are understandably concerned by the potential for IT staff to access, lock and wipe their personal data in the process. The 2011 X-Force report found that, as a result of this resistance, more and more organisations are pursuing “secure isolation” solutions which segregate enterprise applications and data from the employee’s personal data and apps. While many of these solutions are still evolving, they look set to play an important role in defining how the organisation-employee relationship plays out in the mobile device space.
Finally, the upsurge in BYOD means security in the cloud will play an increasingly critical role in overall IT security. Services which run on mobile devices are largely underpinned by cloud integration, which extends through all aspects of the mobile OS paradigm from the downloading of apps to the remote storage of personal data and configurations. CIOs and IT managers will have to consider whether they want to buy a cloud-based solution or deploy straight from the cloud, a choice which subsequently impacts how the organisation approaches security considerations such as endpoint safeguards and application scanning. Although private cloud deployment generally commands more trust amongst users, IT staff should make the decision between in-house and third-party based on their organisational requirements and employee considerations. In all instances, policy-makers need to ensure that the chosen cloud deployment incorporates a rigorous approach to both preventing and responding to security intrusions and breaches.
The stakes with BYOD security are particularly high because of the pervasiveness of these devices and their embodiment of both corporate and personal functions. As the number and seriousness of exploits grows in tandem with mobile device use and functionality, IT professionals need to bring employee devices into the security ecosystem rather than restrict or outlaw them entirely. It may not be as straightforward as managing BYO in the hospitality industry, but IT professionals already have many of the models and systems needed to make BYOD both empowering and secure – they just need to keep employees onside as they do so.
Jason Burn is business unit executive at IBM Security Systems Division.