Bring Your Own Device (BYOD) is no longer a new concept; we hear the phrase day in and day out. Recently, the adoption of BYOD has grown significantly. According to a recent study by leading information technology research and advisory firm Gartner Inc., 40 percent of companies worldwide are actively encouraging BYOD. Companies have to be prepared for the pros and cons of BYOD and what it means to day-to-day business.
While BYOD has been around for a while, more companies are noticing the issues surrounding it because of recent data breaches and the growing number of employees working on their own devices. Gartner predicts that by 2017, “half of employers will require employees to supply their own device for work purposes.” This includes desktops, laptops, tablets and smartphones.
While BYOD has changed an industry’s economics with lower capital expenditure for hardware, it also poses many challenges, primarily privacy and security issues for the company and individual users.
With the increased use of BYOD, there is also an increase in data exposure and data breaches, because a device may or may not be subject to the company domain and security policies the way company-owned devices are. With growing BYOD use, company IT staff need to think of effective ways to set up additional controls to meet organizational demands, as BYOD will need dynamic capacity management to support company-owned as well as BYOD devices in the longer run.
Companies with BYOD practices need to address information security issues early in adoption. It is important for a company to align its policies and processes to effectively manage critical aspects of information security, such as confidentiality, integrity and availability (CIA) and risks associated with those areas so that the company’s data and security are not compromised.
Gartner also predicts that by 2018, the mobile workforce will have doubled or tripled in size, creating challenges related to employee-owned devices that need to be aligned with a company’s confidentiality and privacy requirements. This will certainly affect IT support departments, which will be tasked with balancing support for company-owned and employee-owned devices.
Gartner reports that three-fourths of companies have cited security as the biggest concern related to BYOD programs. In addition, 23 percent of U.S.-based employees have experienced a compromise on their personal device in the past year, such as PC-based malware and hardware failures, and 5 percent of smartphone and tablet users have reported compromised credentials, device failure and lost or stolen devices.
The International Standards Organization (ISO) recently adopted 27001 (2013), an information security standard that has enhanced the information security policy framework by focusing on better controls for information security and risk management. This calls for revisiting existing policies related to information security, risk management and the overall controls needed to support information security management systems for an organization.
An effective way to limit data exposure is to install data wiping software for every device that has been designated as BYOD. The following are guidelines companies should use when selecting data wiping software to limit BYOD data exposure:
- Conduct market research on data wiping software;
- Ensure that “data” is defined as any file type supported by the device operating system (for example, Microsoft Word, PowerPoint, text or PDF);
- Search for software that wipes files, folders, drives, external hard disks, secure digital (SD) cards and all types of files supported by the device operating system;
- Determine whether the data wiping software has a provision for wiping original data securely with no trace and no possible recovery;
- Ensure the data wiping software can produce a log of data removed securely and can be scheduled when needed;
- Confirm the data wiping software has the capability to wipe data remotely for lost/stolen devices; and
- Determine if the data wipe software is appropriate to support typical BYOD devices, including desktops, laptops, smartphones and tablets.
With data wipe software in place, system administrators can follow these guidelines:
- Review BYOD devices to ensure they meet compliance requirements;
- Frequently wipe organizational data and folders from BYOD device drives, SD cards or external hard disks so that data will not reside on the BYOD device;
- Set up auto wipe of recycle bins or regular temporary files or cache folders;
- Review the data wipe log frequently; and
- Implement a policy that a remote data wipe will be performed when BYOD devices are lost or stolen, when employment is terminated or when there is a security breach.
In addition to data wiping software, there are some best practices companies can implement that apply to BYOD. Along with implementing BYOD policies, companies should have an acceptable use policy in place to determine the types of devices that can be used. Companies should also restrict software and app installations on these devices and access to blocked websites. IT support should assess a device’s compatibility to ensure it is running a company-approved operating system and that it has the provisioning and standard application configuration.
Some other BYOD best practices include:
- Disabling photo or video recording facilities per business needs;
- Disabling USB devices per business needs;
- Requiring employees to use company IT support instead of calling the device manufacturer;
- Regularly reviewing the devices at the nearest office location;
- Requiring employees to report lost or stolen BYOD devices immediately to the company;
- Restricting employee software or app installation except with approval from IT support;
- Developing training programs to ensure BYOD security compliance and improve awareness; and
- Reviewing the employee NDA for special provisions on confidentiality and privacy related to BYOD devices.
As BYOD matures, companies are learning how to successfully integrate these devices into their infrastructure without any security incidents. With the potential of having sensitive company data vulnerable to hackers or thieves, companies should take every precaution to prevent breaches. BYOD devices should have data wipe software installed and be registered for remote data wipe. Although these efforts do not solve all concerns, these small measures will help companies apply some control to the BYOD environment.
About The Author
Ramesh Devare is COO at IndiSoft LLC. Columbia, Md.-based IndiSoft is a global company that develops collaborative technology solutions for the financial services industry. Through various portals, IndiSoft’s RxOffice platform (patent pending) enables disparate parties to communicate and transact online in real-time. The transparent workflow technology improves the efficiency of business processes and offers audit, compliance and quality control capabilities to accelerate decision making and support business excellence.