Bring Your Own Device: Smart Move For Businesses?
At least half of mobile phones have no antivirus protection, experts estimate.
Despite the risks, businesses promote BYOD because it can save their company money.
Picture the army of IT managers who diligently shield company data, networks and desktop computers against enemy hackers. Now picture their more insidious adversaries — company staffers who breezily download files to their iPads or Android phones, then tweak them with apps bought from iffy online shops via cafe wi-fi hot spots.
Such mobile maneuvers, though well-intentioned, can give IT chiefs nightmares. Even so, staffers and even executives are pressuring IT departments to support the business use of personal mobile devices. Those high-powered smartphones and tablets not only work anywhere, but also ease tasks like collaboration. And IT managers who try to squelch access may fail.
“Those users will find their way around IT,” said Robin Daniels, a marketing executive at Los Altos, Calif., cloud services firm Box, which helps small businesses navigate mobile security issues. “It scares the bejeesus out of a lot of our customers.”
However, some small business owners promote “BYOD,” or Bring Your Own Device, to cut costs. PlumChoice of Billerica, Mass., recently mandated BYOD, paying employees a flat reimbursement instead of providing company devices. PlumChoice can manage the security risks; it is a technology support company. But what about a small accounting or health-care firm without sophisticated IT staffers?
Some business owners just give way to the BYOD surge and cross their fingers, said Tom Murphy, CMO of Bradford Networks in Cambridge, Mass. They adopt a blind-faith stance Murphy calls “Disregard.”
“If your strategy is ‘Disregard,’ you’re just asking for trouble,” he said.
Trouble could start like this: Staffer “Fred” arranges appointments with his iPhone at the office, then heads for a coffee shop with free wireless. Sipping a latte, he cruises sports sites with his phone, clicks an intriguing link — and downloads malware onto the phone. Back at the office, Fred logs into the company network again.
“Once I’ve made the connection, I’ve injected what was on the iPhone into the small business environment,” said Cal Slemp, managing director of the multinational consulting firm Protiviti.
At least half of mobile phones have no antivirus protection, experts estimate. Fred’s malware might uncover network weak spots, extract credit card numbers or health records, and capture passwords, giving cybercriminals continued access.
These potential horrors have sent many small businesses to technology service firms such as Box, PlumChoice, Bradford Networks and Protiviti. A first recommendation for improved security is simply to identify all devices tapping into the company network. Fewer than 50 percent of IT professionals feel fully confident that they already know this, according to a recent survey by the SANS Institute, an information security research organization.
Although BYOD access causes particular security concerns, similar threats also arise from company-issued mobile devices, Slemp said.
People blend their business and personal lives in these handheld gadgets, letting their guard down when they shift from working to searching for Facebook updates or nearby burger joints. They may click on infected websites, write passwords inside smartphone covers, and use the same password for the company network and their YouTube accounts.
Employee training can reduce such errors. But technology also offers remedies in three core areas: mobile device management; network access control; and an emerging tactic, mobile application management. Often, several services are blended together as security firms form partnerships to offer comprehensive coverage.
Companies should register all permitted mobile devices and install antivirus programs, said Murphy of Bradford Networks. But cybercriminals are outpacing antivirus updates.
“You must assume, as a security professional, that every device is compromised,” he said.
The next defense is network access control (NAC). Sensitive information, such as budgets and intellectual property, should be roped off in network regions inaccessible to most workers, Murphy said. Through passwords and other means, users should be confined to the data they need to do their jobs.
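As an added example, not code from the article or from any of the firms it quotes, here is a small Python model of the remedies described above: inventory every device that connects, admit only registered ones, and confine each role to the network segments it needs. The device registry, the role-to-segment map and the connection log are constructed placeholders.

```python
"""Toy NAC-style admission check: inventory connecting devices, admit only
registered ones, and confine each role to the segments it needs."""
from dataclasses import dataclass
from typing import Optional

# Constructed registry of permitted devices: MAC -> (owner, role). Placeholder values.
REGISTERED = {
    "aa:bb:cc:00:00:01": ("fred", "sales"),
    "aa:bb:cc:00:00:02": ("alice", "finance"),
}

# Segments each role may reach; budgets and intellectual property live in "restricted".
ROLE_SEGMENTS = {
    "sales": {"general"},
    "finance": {"general", "restricted"},
}

@dataclass
class Decision:
    mac: str
    user: Optional[str]
    segment: str       # segment the device actually lands in
    allowed: bool
    reason: str

def admit(mac: str, requested: str) -> Decision:
    """Decide whether a device may join the requested network segment."""
    entry = REGISTERED.get(mac.lower())
    if entry is None:
        # Unknown hardware: quarantine it so IT can register or block it.
        return Decision(mac, None, "quarantine", False, "device not registered")
    user, role = entry
    if requested not in ROLE_SEGMENTS.get(role, set()):
        # Registered but over-reaching: keep the user to the data the job needs.
        return Decision(mac, user, "general", False, f"role {role} may not reach {requested}")
    return Decision(mac, user, requested, True, "ok")

# Constructed connection log, one "mac requested_segment" pair per line.
SAMPLE_LOG = """\
aa:bb:cc:00:00:01 general
aa:bb:cc:00:00:01 restricted
de:ad:be:ef:00:09 general
AA:BB:CC:00:00:02 restricted
"""

def review_log(log: str) -> list:
    """Run every logged connection attempt through the admission check."""
    return [admit(*line.split()) for line in log.splitlines() if line.strip()]

def unregistered_devices(log: str) -> set:
    """Inventory step: which MACs seen on the wire are not in the registry?"""
    return {d.mac for d in review_log(log) if d.user is None}
```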
Other measures are needed because lightweight mobile devices are often lost or stolen. Workers not only store company information there, but may also create original documents. Automatic backups can recover the data, and a well-prepared company can also remotely erase the entire contents of a lost gadget to deprive thieves of access. The boss clearly has authority to remote-wipe a company-issued smartphone. But what about a personal iPad loaded with family snapshots and addresses?
Companies that permit BYOD can require employees to agree in advance that a lost device must be reported immediately, and that its contents may be partially or completely wiped. Firms may also insist that staffers leaving the company temporarily surrender their devices while company data is removed, said PlumChoice founder Ted Werth.
Beyond that, encryption can protect data sent from company networks to devices, so that a casual thief can’t read files on the device.
And then there are apps. Some employees share information on free consumer cloud applications, such as Dropbox. This is another example of the security challenges posed by the “consumerization of IT,” which allows individuals to find their own workarounds to get things done easily.
Box offers cloud-based data storage that is guarded by mobile access controls — an attempt to satisfy mobile file-sharers while preventing IT nightmares. Box customer Atri Chatterjee, CMO of Act-On Software, said employees are also less likely to download files to their many devices if they know they can always find them in the Box cloud. “I’ve got one place I really have to fortify and protect; I don’t have a thousand places,” Chatterjee said.
Protiviti’s Slemp said each company must choose its own best policies on mobile access, depending on the sensitivity of data the company handles. “If we start with that, we can understand the risk and make appropriate choices.”