Guest post from an Advent IM Security Consultant on a key business topic.
Bring Your Own Device (BYOD): the phrase has raised more than one eyebrow within the security fraternity, and so it should! Allowing a personally owned device to access your corporate network or store any of your sensitive data? The lack of oversight and control makes the idea highly questionable in the opinion of this author.
As I see it, the one true benefit of BYOD as a business enabler surely could only be cost. As an example, allowing staff to be released from the constraints of the office environment can reduce that particular overhead somewhat, coupled with the fact that employees have already paid for their equipment, thus releasing the organisation from the associated financial responsibilities of purchasing and maintaining devices. However, the IT Security headache is more likely a migraine when you consider that, as you don’t own the device, you don’t control the device and you certainly don’t control the security features of it or the applications loaded onto it. Nor can you control how that device is utilised by the individual in their personal time. With BYOD you leave your data and network open to compromise by malware or other remote means, via ‘jail-broken’ devices that may have nefarious software installed, such as key logger applications that have been surreptitiously downloaded.
So, we move on to Choose Your Own Device (CYOD). CYOD continues to allow the enterprise the mobile dexterity of BYOD; however, it greatly reduces the security threats highlighted above. CYOD should be very culture-centric and focused on the needs and requirements of the business. Devices that are purchased can (and should) be pre-loaded with Mobile Device Management (MDM) software enabling enforced security updates and patch management, and should also enable remote wipe and remote lock features. As the device is purchased and owned by the organisation, it can be pre-configured and hardened with all unnecessary applications disabled. Although this method will require a higher financial outlay on the purchase of equipment and on providing a device management service, the long-term benefit, both financial and reputational, surely outweighs the initial cost.
Where is the Trend?
Although the individual user may maintain that BYOD is best because it allows them to utilise just the one device that they are familiar with operating, and that CYOD removes the freedom for them to select whatever device suits them best, the benefit it offers surely outweighs the risk for the business. A savvy employer will still offer a selection of various devices that may well satisfy most users; however, ultimately it should be whatever is best for the business and not the individual. The risk that is posed by BYOD is vast, with a large attack surface that should not be tolerated just to enable employees an easy life. Indeed, a sobering thought for any business should be the impending arrival of GDPR: the sizable financial levies that that particular legislation will bring mean that companies simply cannot afford to leave the risk that accompanies BYOD in place. Simply put, CYOD can offer more security and more control. This leads me to surmise that any organisation handling sensitive data will ultimately (if it hasn’t already) move to a CYOD posture.
- Posted by Ellie Hurst
- On 16th November 2016