BYOD: build your own defences

It's not easy to swim against the bring-your-own-device (BYOD) tide and while the move to mobility is making enterprises more productive, it has also raised the security stakes.

With laptops, tablets and smartphones becoming our ‘go-to' devices in the workplace keeping the corporate network and corporate data safe is not an easy task for IT security professionals.

One of the fundamental problems faced by them when securing their network and digital assets is establishing ‘Information Superiority'—leveraging superior intelligence to identify what needs to be protected and the threats to consider when structuring defenses. This issue becomes particularly challenging in the mobile enterprise.

Identifying what needs to be protected

Employee-owned mobile devices that are accessing corporate resources are outside of the control of the corporate IT function. As a result it can be difficult to identify even basic environmental data for these devices such as the number and type of devices being used, as well as operating systems and applications. An example of this lack of visibility was highlighted in a recent study conducted by IDC.

According to the study, 40 per cent of IT decision makers said that workers access corporate information from employee-owned devices, but in stark contrast more than 80 per cent of employees indicate they access corporate networks this way.  This is a major disconnect between perception and reality and a gap that needs to be closed swiftly.

Identifying the threats

The fact is that mobile devices introduce security risk when used to access company resources; they easily connect with third-party cloud services and computers whose security posture is potentially unknown and outside of the enterprise's control. In addition, mobile malware is growing rapidly which further increases risk. Research indicates malware targeting Android-based devices has increased by nearly 500 per cent since last summer. Given the lack of even basic visibility as discussed above, most IT security teams certainly don't have the capability to identify potential threats from these devices.

In order to gain the ‘Information Superiority' advantage in a mobile world, IT security professionals must be able to see everything in their environment, understand whether it's at risk, and then protect it.

Here are a few steps to take to help maintain control of your network.

• Identify the technologies that provide visibility into everything on your network – devices, operating systems, applications, users, network behaviours, files as well as threats and vulnerabilities. With this baseline of information you can track mobile device usage and applications and identify potential security policy violations.                                                                                                                                           
• Leverage technologies that help you apply security intelligence to data so you can better understand risk. From there you can evaluate mobile applications to determine if they are malware and even identify vulnerabilities and attacks targeting mobile assets.                                                                              
• Identify agile technologies that allow you adapt quickly and take action to protect systems in rapidly changing mobile environments. On the corporate side, create and enforce policies that regulate what data can be transmitted to BYOD users. For employee-owned devices, it may be useful to lock down your organisation's network or computers (laptops, desktops, servers) with capabilities like application control. Consider approved applications that can be used by employees to remotely access their desktop computers back in the office from their tablet while travelling. While you may not be able to limit the installation of an application on the device, you can prevent it from running on corporate-owned computers.     

The BYOD movement has only just begun and one look at the latest smart device adoption rates would suggest that the tide will only get stronger. Research indicates that mobile phone sales worldwide rose to 1.5 billion units in 2011 and smartphones are increasingly becoming the norm. In addition, a recent Gartner report shows tablet sales on a pace to reach over 300 million units worldwide in 2015 and IDC predicts laptop sales to reach nearly 400 million units worldwide for the same period.

While the productivity, efficiency and convenience benefits of the trend are significant, we must open our eyes to the security gaps the mobile enterprise presents and embrace a combination of security tools and techniques to bridge these gaps. Only then can we tip the scales of in the favour of IT teams and make the mobile enterprise that little bit more secure.

Chris Wood is the ANZ regional director of network security provider Sourcefire