NZ Security - Dec-Jan 2012-13


Retail Security

Bring Your Own Device

Like it or not, your employees are bringing their own devices to work. They want to use their own smartphones, tablets and notebooks. On one hand it’s a trend that can improve employee productivity and work satisfaction. On the other it can be a huge threat to corporate security as we’ve known it until now.

Pretending it isn’t happening isn’t an option. Organisations that fight against the trend are alienating employees. What’s more, a blanket “no” to a bring your own device (BYOD) policy isn’t going to work forever. “There is a wonderful quote,” says David Reiss, Product Marketing Manager, networked ICT products at Gen-i. “Bring your own device. Do it, or have it done to you.” There are also good business reasons to allow employees access to their corporate email 24/7.

David Reiss, Product Marketing Manager at Gen-i


Embracing the BYOD trend requires, however, a fundamental change in thinking. Suddenly the network and confidential data are opened up to devices that aren’t administered by the IT department. All those devices attached to the network become channels through which confidential data could leak. “It is still very new and still a massive security concern for organisations,” says John-Paul Sikking, Security Specialist at Cisco.

The security risks include:

• The dual private/corporate use of the device opens up security holes.
• The employer is not the administrator of the device.
• Corporate data is shared through synchronisation apps such as Dropbox.
• There may be access to sensitive data if the device is stolen.
• Employee devices may not have suitable security installed.

John-Paul Sikking, Security Specialist at Cisco

BYOD policies

Sikking says that organisations must put the policy in place first before investing in the tools to implement it. The tools are there to enforce the policy.

The SANS Institute, which provides information security training, found in its Survey on Mobility/BYOD Security Policies and Practices, released in October of this year, that a third of organisations lacked a meaningful BYOD security policy. “Without security policies, allowing employee-owned devices to access company resources, makes our protected IT networks sitting ducks,” SANS report authors Kevin Johnson and Tony DeLaGrange said.

The first step in developing a policy, says Sikking, is to analyse the business risk and define the requirements. That policy needs to cover what access your organisation will give to employees’ devices and what is expected in return. It straddles IT and HR and specifies what the right behaviour is.

There is no one-size-fits-all policy. At the most basic level, says Reiss, organisations create policies allowing employees to bring their own devices, but don’t offer any specific support. “In a lot of cases that is going to be enough,” he says. “You are on your own with this device. Follow these steps and get access to company resources.”

However, this is not sufficient for some organisations that may want more control over the device and what is being done on their networks. There will be many difficult questions to be answered in the policy writing process. One of the policy quid pro quos that many organisations offer is: you bring your device, but we control what you can do with it in work hours, says Sikking.

