How to Solve the BYODs Security Conundrum

CISOs are working out a strategic plan to solve the BYOD risk puzzle using best practices

No longer is it about IT dictating the policies and prescriptions of the user and enabling them to use technology. Now it is the users who drive any trend related to IT, with IT heads having to amend their policies based on what users demand. BYOD (bring your own device) is clearly an indication of this trend, as individuals, rather than enterprises, are now the ones driving innovation.

Shantanu Ghosh, VP & MD, India Product Operations, Symantec, reiterates that for big businesses this change can be hard to deal with: from using standard-issue laptops, smartphones and operating systems, often dictated by the preferences of the IT department, today's employees are demanding that they be allowed to use devices of their choice. But if you've ever tried to transfer data between devices that use different OSes, you can imagine the scale that enterprise IT is dealing with, with thousands of devices on multiple formats and platforms entering the network every day.

In fact, according to Symantec's most recent State of Mobility Survey, 72 per cent of Indian businesses have faced mobility incidents in the past 12 months, causing revenue loss of 37 per cent, which illustrates the increasing threats. While six out of 10 Indian organisations consider themselves innovators in the area of mobility, organisations faced 50 malware infections, 31 breaches through lost/stolen devices and 34 exposures of information over the past year. In fact, 86 per cent had to change policies as a result of mobility incidents, with 1 in 4 banning personal data on corporate devices and 4 in 10 restricting mobile device usage through HR enforcement. Against this backdrop, CISOs are embarking on the new task of tackling this trend by understanding the risks and bringing in appropriate policies, tools and best practices to ensure that the trend is leveraged positively.

Ashish Thapar, Head-Global Consulting & Integration Services, Verizon Solutions, advocates that CISOs have a very clear policy to identify the device, as baseline security becomes critical.

Rendezvous with Risks in BYOD

Satish Dash, Chief Security Officer, Cognizant, sees the risk of non-compliance with organisational and client security requirements, an increase in vulnerabilities, and data leakage and privacy concerns.

According to Jagdish Mahapatra, MD, India & SAARC, McAfee, BYOD is rooted in the fact that the mobility of these devices introduces security management issues around access control, data protection and compliance. Additionally, employee-owned devices used for work introduce added IT complexity, as it isn't always clear who owns the device and, furthermore, who owns what data on the device. With the introduction of these new, unsecured and possibly non-compliant devices easily coming in and leaving with business-sensitive information, a security and compliance hole is forcing a re-think of how best to secure the organisation and its business data, says Mahapatra.

Mahapatra argues that CISOs need to look at the BYOD policy from different angles, such as Data Loss Prevention, authentication systems, internal intrusion prevention systems, internal firewalls, securing Wi-Fi, the DC, Network Admission Control etc. On top of all this, the internal IT policy should be detailed and fool-proof to drive the initiative, guide effectively and prevent failure of specific tools. The challenges need to be addressed at a holistic level.

However, the key risks that Sunil Varkey, Chief Information Security Officer, Wipro Technologies, finds are security governance around Data Loss and Data Leakage, along with software licensing compliance, segregation of data etc.

Intended or ignorant leakage of corporate-sensitive data from BYOD devices remains the key challenge for any CISO, says Varkey.

It is also observed that security risks vary with each enterprise's focus area. For instance, Amit Pradhan, Chief Information Security Officer, Cipla, finds three key risks associated with the BYOD trend:

a. Data transfer from the corporate environment to the personal environment

b. Data loss when employees leave the organisation

c. Unauthorised access to corporate data by an unauthorised user of the device (friend, colleague, etc.)

The accompanying challenges are, as Pradhan observed: I believe the major challenge a CISO faces today is managing the cost of managing security on personal devices used in the BYOD culture. With a variety of operating systems like Android, iOS, BlackBerry, Windows, etc., significant investment goes into buying security solutions to control corporate data on these devices. Additionally, with uncertainty about when these devices connect to the corporate network, a CISO faces the challenge of ensuring that these are patched properly and reviewed, he adds.

A challenging but important task for companies who utilise BYOD is to develop a policy that defines exactly what sensitive company information needs to be protected and which employees should have access to this information, and then to educate all employees, says Govind Rammurthy, MD & CEO, eScan.

Bring your own device (BYOD) to work may make employees happy, but it often translates into the IT department handling the headache of safeguarding sensitive data, supporting multiple devices and making things click together. Personal devices such as tablets, smartphones, laptops, etc. are generally harder to secure than organisation-issued devices, and using them can put the organisation's information and systems at a high risk of compromise. In most organisations, BYOD cannot be used as it is not secured easily and effectively.

Also, as mobile devices undergo rapid transformation and new devices flood the market at regular intervals, CIOs will have to keep pace with changes in devices and their adoption, constantly changing and managing the permitted list of devices and security policies around them to better answer BYOD. In many enterprises today, mobile devices have become the weakest link in the security strategy.

Need to Counter: What are the Best Tools and Practices?

As the security landscape gets more complex than ever before, CIOs need to leverage sufficient security solutions to safeguard the information at each and every level.

Atul Khatavkar, VP, IT Governance, Risk and Compliance, AGC Networks, strongly recommends best practices around enterprise policies, guidelines and handbooks that clearly address the BYOD issues raised above: endpoint security tools, data privacy management tools and BYOD management tools.

Khatavkar further points out that the stronger adoption of BYOD is now leading towards BYOD for social networking on the go. Therefore, it is important to set clear guidelines on defamation, data protection and privacy. Additionally, encouraging direct forms of communication will help in limiting data loss. There is a strong need to educate the staff on organisational IT policies.

It is also important to keep data back-up strategies in place while remaining compliant with security certifications such as ISO 27001, SSAE 16, SAS 70, SOC 2, ISO 22301 etc.

While mobile computing is being promoted to provide real-time data and information, organisations must ensure that devices are hardened and updated to handle malware, says Khatavkar. In parallel, an organisation can implement policies such as allowing different kinds of employees to access varying levels of information from their device, risk-based user profiling, limiting the extent of information accessible to users, developing security awareness for BYOD users, and encouraging employees to report violation or loss immediately, so that the organisation can take appropriate action to build a robust environment.

Das recommends having a well-defined BYOD policy with compulsory device enrolment in place, security awareness of end users, ensuring malware protection is enabled on all devices, having mobile device management (MDM) tools that are standardised across devices, and device-level encryption.

Sunil Varkey points out that a combination of MDM solutions with proper containerisation, a mature process for defining, monitoring and controlling what data and applications can be accessed by BYOD, and strong user awareness of the criticality of any data loss or leakage is the ideal solution. BYOD adoption should be phased by application, user base and the data moving to BYOD, and a strong policy should be defined and published so that expectations from BYOD are clear to all constituents, says Varkey.
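The enrolment, encryption, malware-protection and patching requirements listed by Das and Khatavkar, combined with Khatavkar's risk-based user profiling and Varkey's containerisation, amount to a device-posture check that decides how much corporate data a personal device may reach. The Python below is an added example written for this page; it is not code from any vendor or organisation quoted. The policy thresholds, the three access tiers (blocked, container-only, full), the user risk labels and the device inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Policy thresholds: assumed values for this example, not figures from the article.
MAX_PATCH_AGE_DAYS = 30
MIN_PASSCODE_LENGTH = 6
REFERENCE_DATE = date(2013, 6, 1)   # fixed "today" so the run is reproducible

# Failures that block the device outright rather than downgrading it.
HARD_FAILURES = {"not enrolled in MDM", "device is jailbroken or rooted"}


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str
    enrolled_in_mdm: bool
    encrypted: bool
    malware_protection_on: bool
    passcode_length: int
    last_patched: date
    jailbroken: bool = False


@dataclass
class Decision:
    tier: str            # "blocked", "container_only" or "full"
    failed_checks: list


def posture_checks(dev: Device, today: date) -> list:
    """Return the policy requirements the device fails (empty list if compliant)."""
    failures = []
    if not dev.enrolled_in_mdm:
        failures.append("not enrolled in MDM")
    if dev.jailbroken:
        failures.append("device is jailbroken or rooted")
    if not dev.encrypted:
        failures.append("device storage not encrypted")
    if not dev.malware_protection_on:
        failures.append("malware protection disabled")
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        failures.append("passcode shorter than policy minimum")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("OS patches older than policy allows")
    return failures


def decide_access(dev: Device, user_risk: str, today: date) -> Decision:
    """Map device posture plus a user risk profile to an access tier.

    user_risk is an assumed label ("low", "medium" or "high") that the
    organisation derives from role and data sensitivity. Rules, also assumed:
      - an unenrolled or jailbroken device is blocked;
      - any other failed check confines the device to the managed container;
      - a high-risk user never gets full access from a personal device.
    """
    failures = posture_checks(dev, today)
    if any(f in HARD_FAILURES for f in failures):
        return Decision("blocked", failures)
    if failures or user_risk == "high":
        return Decision("container_only", failures)
    return Decision("full", failures)


# Constructed sample inventory: (device, owner's risk profile).
SAMPLE_INVENTORY = [
    (Device("dev-01", "asha", "ios", True, True, True, 6, date(2013, 5, 20)), "low"),
    (Device("dev-02", "ravi", "android", True, False, True, 8, date(2013, 5, 25)), "low"),
    (Device("dev-03", "meera", "android", True, True, True, 6, date(2013, 5, 28), jailbroken=True), "low"),
    (Device("dev-04", "vikram", "ios", True, True, True, 8, date(2013, 5, 30)), "high"),
    (Device("dev-05", "neha", "windows", True, True, True, 6, date(2013, 4, 1)), "medium"),
]


def evaluate_inventory(today: date = REFERENCE_DATE) -> dict:
    """Return {device_id: access tier} for the sample inventory."""
    return {dev.device_id: decide_access(dev, risk, today).tier
            for dev, risk in SAMPLE_INVENTORY}


if __name__ == "__main__":
    for dev, risk in SAMPLE_INVENTORY:
        d = decide_access(dev, risk, REFERENCE_DATE)
        detail = f" - {', '.join(d.failed_checks)}" if d.failed_checks else ""
        print(f"{dev.device_id} ({dev.platform}, user risk {risk}): {d.tier}{detail}")
```

Returning the list of failed checks alongside the tier, rather than a bare yes/no, is what makes the decision actionable: the user can be told exactly what to fix, and the failure strings can be fed to the MDM or NAC reporting that Varkey's monitoring process relies on.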

Ghosh has suggested five key areas that every company should consider as they establish their mobile strategies to ensure high productivity without increasing their vulnerability:

Ensure secure access to apps: This means maintaining a strong focus on identity management. Organisations must focus on developing strong password policies for their employees' mobile device use.

Protect your apps and data: With many organisations considering providing mobile access to enterprise content, a lot of sensitive data ends up on mobile devices. Direct control of specific, critical apps and data (as opposed to device-based control) is a very effective approach to apply the desired layers of protection exactly where they are needed, without touching the remainder of the device.

Put in place effective device management: Devices that access business assets and connect to company networks must be managed and secured according to applicable company policies and industry regulations. Every company should establish appropriate mobile policies, and those should be applied to all managed devices, just as policies and configurations are applied to corporate PCs and laptops. Solutions towards this include mobile device management applications, with capabilities such as remote locking and wiping of stolen or lost devices.

Implement comprehensive threat protection: The fact is that mobile devices are rapidly becoming the new preferred target for bad guys. Different platforms have different risk profiles, and it is important to understand where vulnerabilities exist and to take appropriate action to secure business assets. Good threat protection should protect from external attacks, rogue apps, unsafe browsing, theft, and even poor battery use.

Supply secure file sharing: Although access, storage, and sharing of files are not uniquely mobile challenges, multiple device ownership and the need to collaborate make the cloud a driver for productivity, allowing for simple distribution and synchronising of information across devices. Businesses should have full administrative control over distribution of, and access to, business documents on any network, especially in the cloud.

Employee education: Educating employees about the importance of choosing stronger passwords, using reliable security software on their devices and keeping that software updated is a must. Put in place processes that authenticate employees and their respective devices. This would prevent multiple devices from being used by unauthorised people.
