The “bring your own device” (BYOD) policy is becoming more popular, and a large number of companies have adopted it or are planning to adopt it in the near future. Is it a bane or a boon? The truth is that it can be either, depending on how well you are equipped to deal with its challenges.
Fundamentally, BYOD encourages employee mobility. Mobility implies the use of devices such as laptops and handheld computing devices such as iPhones, iPads or tablet PCs to connect to the central enterprise database over the Internet. All these devices use web-based applications that connect to the same HTTP-based ports. The advantage of anywhere, anytime connectivity can become the source of the problem. The number of innovative cyber attacks has increased. Microsoft has estimated that there are 2.2 million computers that are controlled by botnets.
Further, data virtualization has increased the visibility of data. Data is moved dynamically across multiple networks to the mobile device requesting it. Because of this decentralization, the target data becomes vulnerable at the point of access if it is not adequately secured against third-party access. This presents a number of security challenges. The enterprise must deal with the exploding complexity of the problem using the limited resources available. These challenges are not going to go away. If there is inadequate security on mobile devices, BYOD will be a bane.
So, if your organization is permitting BYOD for any or all of the following reasons:
- To provide a secure device-agnostic environment anywhere/everywhere
- To build one general-purpose, application-agnostic network
- To make the primary means of communication wireless

you need to undertake a policy review if you want to convert potential problems into acceptable solutions. Understand how the above policies impact your organization, what legalities are involved, what kind of mobile device management you need to implement, and what kind of mobile security you need to mandate. This must be management-driven and must be detailed in a set of policy documents, such as an information security policy, information classification policy, acceptable use policy, data retention policy, data protection policy and risk assessment policy, and implemented across the enterprise on whatever device is in use.
What if the device is lost or stolen? You need to have a lost or stolen device policy. You must have a clear vision of the lock and wipe policy on employee-owned devices, and you must make sure the employee is aware of and agreeable to the implementation of the policy on the device.