For most organizations, bring your own device (BYOD) is a fact of life or soon becoming one. People want to use the same mobile device(s) for both their work and personal lives and have some freedom of choice as to the devices they use. The more competition an organization faces in recruiting and retaining employees, the more likely a company is to allow some form of BYOD. It can also increase productivity and communication for employees, since they are likely to be always connected.
However, BYOD also brings some interesting security challenges. Most of the challenges arise from the potential of sensitive information being stored on mobile devices. ISACA has a set of guidelines that can be helpful for securing mobile devices. Organizations could require that BYOD users follow suchguidelines. In addition, BYOD users frequently connect to the cloud as a way to get their work email or share files and this poses some specific challenges.
For example, consider BYOD and the use of Dropbox or similar cloud file-sharing services for business purposes. Many organizations use Dropbox as a way to easily share files, even sensitive files, between users. The files are stored in Dropbox’s cloud and are encrypted using 256-bit AES encryption (both at rest and in transit), which is decent enough encryption for most corporate use. Generally, the files are also automatically synced with the mobile device. This may not be a concern for devices owned by the organization, but with BYOD, the employee now has a copy of a potentially sensitive file on his or her own device. If the device was then lost or stolen, it is possible that the sensitive data could be compromised, resulting in a data breach.
If this is a concern, organizations can mandate by policy that BYOD users only access the shared files on demand and not download local copies. This is fairly straightforward with Dropbox. Similar policies could be enabled for email use when the organization is using a cloud-based email service, such as Gmail. For example, the policy might only allow the use of email from a browser or app, rather than allowing local copies of messages and attachments to be stored on the device.
If local storage of potentially sensitive files and email is allowed, there are additional precautions that could be taken. Local data encryption, particularly on notebooks, is an option. Smartphones, tablets and, with additional software, even notebooks often have a remote-wipe capability that can be triggered if the device is lost. Ideally, this remote wipe should be something that not only the BYOD users but also their IT departments can trigger on the device. In addition, PINs, passwords, two-step verification or biometrics must always be used to protect access to the device. Devices that do not have such authentication should be prohibited from accessing the company network or cloud.
Of course, the security policy should also mandate that the sharing of personal work files should be kept separate. In the case of Dropbox, use a separate Dropbox for each one. Otherwise, an employee wanting to share sensitive information may inadvertently share work information with friends and family.
Since BYOD is a fact of life and is likely being used in conjunction with work in the cloud, organizations need to review and update their security policies and security awareness training to ensure that sensitive data remains secure.
Rob Clyde, CISM
CEO of Adaptive Computing
ISACA International Vice President