In a recent survey by Gartner, 70 percent of respondents said that they have, or plan to have within the next 12 months, BYOD (bring your own device) policies that allow employees to use personal mobile devices to connect to enterprise applications.
By comparison, 33 percent of the organizations surveyed said that they currently have BYOD policies in place for mobile devices such as smartphones and tablets.
Gartner says that while enterprises are gradually shifting towards BYOD policies, this shift significantly changes how organizations must think and act about mobile security.
“Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization,” says Dionisio Zumerle, principal research analyst at Gartner.
The technology research firm believes that in terms of moving to a BYOD policy, organizations have to overcome three major security hurdles:
1. The right of users to leverage the capabilities of their personal devices conflicts with enterprise mobile security policies and increases the risk of data leakage and the exploitation of vulnerabilities.
Outside the enterprise's premises, employees may define their own usage policy for personal devices. The users can, therefore, install apps and visit URLs of their choice, whereas enterprises can limit applications and Web access on enterprise-owned devices.
The users can also decide the level of protection for their personally owned devices. Therefore, when enterprise data is allowed on these devices, the risk of data leakage increases for the enterprise, not just because of the rise of mobile malware, but also because legitimate but unsupported apps may inadvertently create security risks for the organization. Device loss is yet another major issue in this regard.
According to Gartner, mobile device management (MDM) software can help address this. Enterprises should consider using application whitelisting, blacklisting and containerization, as well as setting up an enterprise app store, or app catalog, for supported apps.
2. Users' freedom to choose their device, and the proliferation of devices with inadequate security, make it difficult to properly secure certain devices and to keep track of vulnerabilities and updates.
Allowing the users, rather than the IT department, to select the operating systems (OS) and versions of the mobile devices opens the door to devices that are inadequate from a security standpoint. An essential security baseline should require enhanced password controls, enforcement of a lock timeout period, device lock once a password retry limit is exceeded, data encryption, and remote lock or wipe.
In addition, network access control policies should be used – for example, to deny access to enterprise resources such as email and apps from devices that cannot support the security baseline.
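As an added illustration (not code from the Gartner report or any MDM product), the following Python evaluates a reported device posture against the baseline controls listed above and produces the kind of allow/deny decision a network access control policy would act on. The posture field names and the numeric thresholds are assumptions chosen for this example.

```python
from dataclasses import dataclass

# Baseline thresholds are assumed values for this example, not figures from the report.
MIN_PASSCODE_LENGTH = 6
MAX_LOCK_TIMEOUT_SECONDS = 300
MAX_FAILED_UNLOCK_ATTEMPTS = 10


@dataclass
class DevicePosture:
    """Attributes an MDM agent would report for an enrolled device (hypothetical field names)."""
    device_id: str
    passcode_length: int          # 0 means no passcode is set
    lock_timeout_seconds: int     # 0 means the device never auto-locks
    failed_attempt_limit: int     # 0 means no lock after repeated bad passcodes
    storage_encrypted: bool
    remote_lock_wipe_enrolled: bool


def baseline_failures(d: DevicePosture) -> list[str]:
    """Return the baseline controls from the article that this device does not meet."""
    failures = []
    if d.passcode_length < MIN_PASSCODE_LENGTH:
        failures.append("password controls")
    if d.lock_timeout_seconds <= 0 or d.lock_timeout_seconds > MAX_LOCK_TIMEOUT_SECONDS:
        failures.append("lock timeout")
    if d.failed_attempt_limit <= 0 or d.failed_attempt_limit > MAX_FAILED_UNLOCK_ATTEMPTS:
        failures.append("retry-limit lock")
    if not d.storage_encrypted:
        failures.append("data encryption")
    if not d.remote_lock_wipe_enrolled:
        failures.append("remote lock/wipe")
    return failures


def access_decision(d: DevicePosture) -> dict:
    """NAC-style decision: deny email and apps when any baseline control fails."""
    failures = baseline_failures(d)
    return {"device_id": d.device_id, "allow": not failures, "failed_controls": failures}


# Constructed sample postures: one compliant phone, one tablet missing most controls.
SAMPLE_DEVICES = [
    DevicePosture("phone-a", 6, 120, 10, True, True),
    DevicePosture("tablet-b", 4, 0, 0, False, True),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(access_decision(dev))
```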
“Nevertheless, excessively limiting the types of allowed devices eliminates the benefits of BYOD for users. There should be no compromise of security for the sake of device variety, but where it is possible to manage and secure a new device model, it should be done,” says the Gartner report.
3. The user's ownership of the device and data raises privacy concerns and stands in the way of taking corrective action on compromised devices.
Many people object to organizations manipulating data on their personal devices without their approval. Therefore, in the shift from enterprise-owned to user-owned devices, "remote wipe," a fundamental security feature in any mobile security policy, becomes complicated.
Gartner says that sufficient attention should be paid to this issue to avoid repercussions. In practice, "selective wipe" is proving difficult to verify: it is hard to ensure that all business data has actually been deleted from the device. Therefore, Gartner recommends consulting the legal department, because there may be legal implications related to device wiping.
There could also be problems if the user refuses a remote wipe. It is, therefore, advisable to obtain the explicit, written consent of users to delete their data in the event of a compromise, loss or theft of the device, at the time the user enrolls in the BYOD program.