The rise in the adoption of ‘bring your own device’ (BYOD) means new security challenges and increased workload for IT departments.
The security of company-owned desktop and laptop computers is fairly well understood now, and most organisations have policies and best practice guidelines to control the risks. But that’s often not the case with user-owned devices: policy, user education and supporting different device types like iOS, BlackBerry and Android all need to be addressed.
Each of the major devices has its own strengths and weaknesses. BlackBerry has been used in the corporate environment for many years, so it has most of the required enterprise security settings, and its best practice security settings are well understood. iOS was initially seen as lacking some of the required features, but has improved over recent years, though some organisations still have concerns about Apple’s tight control over its devices. Android is complex because it can run on a large range of devices, so guidelines need to take account of both the OS version and the device type.
It’s important that users and companies don’t underestimate the potential security risks of mobile devices. Some people assume that they don’t present the same risk as laptops because they are more locked down, or are appliances rather than general purpose computers. But mobile devices have their own security problems, as witnessed by the regular stories of attacks that can crack the password or install arbitrary software.
In many ways, the security of mobile devices is lagging behind traditional laptops. Not all devices support basic security features like encrypted storage (preferably full disk encryption), password policies and VPNs, and it’s not always possible to enforce security settings to ensure all devices conform to a central security policy. Even where these features are present in the latest version of Android, iOS or BlackBerry OS, many devices still run older versions, so it will be some time before these features become ubiquitous.
But despite these problems, there are signs that organisational use of mobile devices is here to stay. For example, last year the DoD approved the use of Android-based devices for its employees, although it did mandate the type of hardware and OS version rather than allowing any Android device.
Avoiding BYOD is not an option anymore. The key issue for IT departments is how you manage personal devices in the workplace and what you allow those devices to access.