AITP Security Council Discusses the Challenges of BYOD
Written by Brant Pirkle and John E. Kosar, III
Last week, the AITP Security Panel presented a firsthand view of member organizations’ efforts to confront their most pressing risk and security issues. Foremost on the agenda was an evaluation of how companies are handling “IT consumerization” trends including BYOD (bring your own device). When employees are allowed to use their own smartphones, tablets, and other mobile devices to connect to company networks, a host of new security, legal, and device management challenges must first be addressed. Tony UcedaVelez, founder of VerSprite, LLC, a global security and risk management consulting firm, encouraged panel members to discuss their strategies and policies for addressing these issues.
By 2015, according to a recently published report by the industry research group Gartner, Inc., “mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4-to-1.” Further, by 2016, “at least 50% of enterprise email users are expected to rely primarily on a browser, tablet or mobile client instead of a desktop client.” This trend extends to organizations of all sizes and industries, including U.S. government agencies. The 2012 Federal Mobility Report: Security Edition revealed that 62% of federal agencies already allow employees to use their own personal devices at work, and 44% of federal employees who use a mobile device in their daily work tasks are using their own devices.
Many factors are driving BYOD demand. “On the one hand,” said Everett Washington, security solutions expert for Norfolk Southern, “before the theory was: we can issue what you need. In reality, people are going out and buying their smartphones and iPads and they want to use them - they want to integrate them with their current work flow.” Employees want “the latest and greatest” devices for both personal and work use and BYOD can remove the inconvenience of having multiple devices. From the employer’s perspective, reducing the cost of procuring, maintaining, upgrading, and supporting devices is desirable. Some organizations, recognizing BYOD’s potential for improving productivity, are providing stipends or reimbursement to employees for purchases and upgrades of their own mobile devices.
“At what cost?” asked UcedaVelez. Is it worth the increased security and risk exposure? Security panelists agreed that, although the Mobile Device Management (MDM) software industry as a whole remains somewhat immature, an effective remote device system must be in place before any of this can be allowed. Melanie Morris, Senior Manager of Risk and Information Security for Cox Enterprises, remained optimistic: “It really comes down to the maturity of the information security discipline within your organization. If you’re good at security, you have ways of dealing with these risks. Every new technology presents unique threats and risks,” she said.
Many IT groups are currently evaluating their existing security platforms to determine how they may be applied to employee-owned devices. Others have implemented or are evaluating MDM vendors that offer functionality beyond the foundation of BlackBerry Enterprise Server and Microsoft Exchange Server. Among the MDM features deemed most important to security experts is the ability to remotely wipe and block remote devices should they be lost, stolen, or otherwise compromised. Other features such as notice of infractions, whitelisting and blacklisting of apps, SMS location-based services and tracking are also considered imperative.
Haddon Bennett discussed Equifax’s use of an enterprise-wide MDM system provided by Good Technology, Inc. His organization has determined that from a legal perspective, separating corporate from personal data is imperative. “Good’s solution allows Equifax to containerize corporate email and other data,” says Bennett. “We can remotely wipe the corporate data periodically, while leaving the user’s personal data intact,” he said. Other BYOD users may not be so lucky: most are required to sign agreements allowing their employers to erase all data on their devices when a security threat is detected. Additionally, most state and federal government employees’ devices are subject to various open records acts whereby personal data may be made part of the public record.
Whether or not their organizations have yet fully embraced IT consumerization, all of the security panel members agreed that the trend holds great promise for better productivity and collaboration. New cloud-based and in-house vendor solutions exist today that help organizations achieve effective, secure mobile device management. As many CIOs have emphasized at recent AITP-hosted presentations, establishing clear policies and effective mobile security solutions should be the first step in addressing any aspect of consumer technology in the workplace.