By David J. Lineman
One of the major shifts hitting businesses today is the “consumerization” of information technology. In short, the rapid adoption of IT by consumers outside of work is creating a demand for organizations to support these same technologies for employees. Perhaps the two biggest categories are social networking (Facebook, YouTube, LinkedIn) and the use of personally owned devices, including smartphones, tablets and portable storage. While these devices are great for employees, they pose huge security risks for organizations.
The Importance of a Written Security Policy
By any measure, more personal devices are ending up in corporate networks. Recent surveys by Forrester Research indicate 60 percent of organizations are adopting some form of BYOD (bring your own device) approach. Organizations can either resist the trend or try to better manage the risks of this approach. Whether the policy is “no devices allowed” or a hybrid approach, it is critical that the approach be supported by written policy.
In 2012 HP sponsored a study of mobile device adoption and security concerns. One of the key findings of the study was that few technical solutions are available today that address all of the concerns of mobile devices. For example, until recently, the primary mobile platform for business was BlackBerry. This platform had robust tools for managing devices within the enterprise. As BlackBerry has fallen into a distant third place in the market behind Apple and Android devices, organizations are faced with a difficult set of options to manage. As a result, more than 50 percent of the organizations in the study use Acceptable Use Policies and user training as their primary way to control the devices. In other words, when faced with a lack of tools, the “people” aspect of security becomes a key element.
Before considering writing policies, it helps to define what “Bring Your Own Device” means. In fact, this common tagline is misleading. More specifically, the term “Personally Owned Devices” can refer to any device that is owned by the employee but used to process corporate information. This is an important distinction – organizations can issue mobile devices to employees or allow employees to purchase their own. In general, a more secure approach is for the organization to purchase and manage the devices, but in many cases this may not be feasible. The more control the user has over their own device, the greater the risk to the organization. The key point is that a written security policy must clearly define the scope of the devices the policy aims to protect.
The Essential Elements
With the critical role of BYOD security policies understood, here are some essential topic areas that should be covered in any sound security policy. Not surprisingly, these represent the areas of greatest risk in the use of mobile devices by employees and contractors.
1) Defining Device Scope – The first essential element of any policy is to define the scope of the policy. A written BYOD policy should describe exactly what types of devices and platforms are covered by the policy. Does the organization support only one platform, or will it allow multiple platforms with different management capabilities?
2) Defining User Scope – The security policy should also define who is allowed to use personal devices in the enterprise. Does everyone in the organization need to bring their own device? Most likely the answer is “no.” A key way to reduce risk is to define a certain set of users that are approved to use their personal devices.
3) Defining Information Scope – What types of data are users allowed to manage on their personally owned devices? This is an often overlooked but key step. For example, salespeople may have some personal information about customers that is not particularly sensitive. But a nurse working in the field may have sensitive patient data covered by federal regulations.
4) User Authorization – Once it has been determined which users and which devices will be allowed, it is critical to perform some form of authorization step. In other words, management takes an explicit step to approve specific users and specific devices. This is key for monitoring unauthorized usage.
5) Device Authorization – No device should be allowed to connect to a network without proper authorization. Today, there are a number of robust technical tools that can be used to validate both the types of devices and their security capabilities before allowing a connection. All personally owned devices should require authorization before they can connect.
6) Device Configuration and Application Management – Another key element is to control which applications can be used on personal devices. Applications present one of the key opportunities for attack via mobile devices. There are many cases of “free” applications that actually contain malware or spyware that can eavesdrop on users. Can users access Facebook or personal email accounts via their devices? In general, the organization should define a list of acceptable applications called a “whitelist.” Ideally, the organization should be able to limit access to only these applications via the mobile devices. But for some platforms, this is a challenging task. Some organizations have created their own private “app stores” and require users to download applications only from that source.
7) Device Tracking and Management – It is important to keep a record of both the individuals who are using personal devices and the devices they are using. This “asset inventory” is key for understanding the scope of risk and for making platform decisions in the future.
8) Physical Security – By far the largest risk to mobile devices is their portability. Each year, millions of phones and laptops are lost or stolen. It is critical that any security policy for mobile devices (personally or corporate-owned) include requirements for physical protection. Common examples include locking these devices in hidden locations when not in use and not checking them in baggage on commercial flights.
9) User Training – Over 90 percent of all data breaches are eventually traced to some human error. For organizations serious about information security, user training is a key element. In areas where technology is changing rapidly, properly trained users are the best defense against losing data.
10) Device Decommission and Destruction – What happens when a person leaves the company or no longer needs the device for business? A common practice in existing policies is to have the user (employee or contractor) return all equipment owned by the company. But what if the user owns the device? In this case, a more sensible approach is to require that all applications and sensitive company data be removed from the device. In practice, this can be very difficult, as the technology for “sanitizing” works mostly on an entire device, not just certain data. It is reasonable to require that users never resell these devices, but instead turn them in to the company for proper disposal.
By all measures, the drive to “consumerize” information technology is likely to increase. As with all information technology, there will be limits to just how far technical tools can go to secure personal devices. To truly reduce risk, organizations must consider the human side of the security equation, including a robust information security policy backed by user education and awareness.
David Lineman is President of Information Shield, based in Houston, providing a library of over 2000 pre-written information security policies (including BYOD) and consulting to help organizations reduce risk and comply with regulations. Visit www.informationshield.com for more information or to request a sample policy.