In a recent ZDNet article, Bill Ho, President of Biscom, addresses some of the current issues enterprises are facing with the Bring Your Own Device (BYOD) phenomenon. Some of the issues Ho points out, which continue to crop up as mobile end devices and technology evolve, are the dual-use nature of mobile devices, increased regulations and synchronization applications. Despite the issues, security concerns and headaches that BYOD presents, Ho correctly states that this trend is not going anywhere.
The best part of this article is that after pointing out BYOD flaws, Ho does not leave you hanging. He provides a “10 point list” to help you structure a policy to avoid some of these issues and increase security. The list reads as follows:
Review your current security policies for web applications (CRM, email, portals), VPN, and remote access. Most of these will apply to mobile devices as well.
Determine which devices you are willing to support. Not all devices will meet the security requirements of your organization. Also, physically inspect each device and make sure it hasn’t been jailbroken or rooted.
Set expectations clearly. IT may have to radically change people’s current mindset. Yes, security adds additional layers to wade through, but what havoc would a security breach cause?
Make a personal identification number (PIN) mandatory.
Enforce encryption of data at rest – any apps that download and store data on the device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.
Determine which types of apps are off-limits. With hundreds of thousands of apps available, which will you permit? Are there any specific applications or class of applications you want to keep off the device?
Provide training to employees to make sure they understand how to correctly use their applications, make the most of their mobile capabilities, and watch for suspicious activity. Once you’ve embraced BYOD, promote it.
As mobile devices become conduits for information to flow, look for apps that include auditability, reporting, and centralized management. Many current apps will not meet this requirement.
Consider mobile device management software that can provide secure client applications like email and web browsers, over the air device application distribution, configuration, monitoring, and remote wipe capability. Note that some providers require applications to be re-written specifically to support their platform, so you may find some of your applications will not run in the solution you pick.