BYOD - Bring Your Own Disaster???
It is hard for employers to resist allowing the use of such devices by employees. The productivity value is undisputed, so the alternative would be for employers to foot the purchase themselves, an approach not many would be excited about.
On the other hand, the use of BYOD can easily expose a network to attack, and can lead to data compromise. These devices are frequently used on public networks, which are poorly secured. It is not rocket science for a hacker to compromise other devices on such a network. In addition, there is an increasing amount of wireless network spoofing going on. A hacker sets up a rogue public network with a name that sounds legitimate, for the purpose of capturing data. If you were sitting in Jason's Deli for example (where I spend many of my lunch breaks), and saw a public network entry by that name, you would be inclined to trust it. Most Jason's locations do not have public access points however, so you would likely be connected to a rogue.
In case you are thinking that most employees don't have significant company data on their mobile devices, guess again. Consider:
Email messages with confidential information
Login information for company systems
VPN connections to company networks
Access info for banking and SaaS systems
Documents, spreadsheets, etc.
The potential for compromise is likely much greater than you would imagine.
Convinced? Ok, now, what do you do about it? Assuming you can't just outlaw them, you need a policy governing their use, which must be enforced. The following are some ideas for inclusion in this policy:
Password protection - Any mobile device used with a company network must require a strong password for access. This seems obvious, but many people do not set one.
Fingerprints - The fingerprint readers included on mobile devices are not perfect, but they are a definite security enhancement.
Malware protection - Mobile devices are under increasing malware attack (according to Alcatel-Lucent's Motive Security Labs, more than 16 million mobile devices are currently infected). The fact that most devices run one of only two operating systems, coupled with the sheer number of them out there, makes them attractive to hackers.
Encryption - There are a variety of encryption options available, and such approaches should be required for any company data residing on devices.
Patch management - Just like with a PC, a mobile device is subject to vulnerabilities discovered from time to time. It is important to make sure patches for these are installed as they are released.
VPN - Any access to the company network from a mobile device outside the company's wireless network should be via a company VPN. It is also possible to require a VPN connection back to the company network before any of the company's cloud-based systems are accessed.
Loss/data wipe - Employees must report the loss of a BYOD device to the company, and the company needs the right and ability to wipe company data.
Training - BYOD policies and procedures should be part of your onboarding process, as well as your regular employee security training program. You do have one, right?
Litigation and e-Discovery - BYOD devices that are used for company business may be subject to discovery and retention requirements in the event of litigation. The right of the employer to search devices and retain data must be covered.
Offboarding - How will removal of company data from a BYOD device be handled at termination? How will you, for example, ensure that a sales rep leaving your company does not take the company contact list on their iPhone with them?
Support - To what extent is the company responsible for providing support to a BYOD user?
As you can see, BYOD is difficult and expensive to properly support. Your IT department or provider must have the bandwidth to implement and monitor policies and procedures. Your network must have the bandwidth necessary to support them (a number of employees with BYOD units can bring a wireless access point to its knees). Finally, you must have the ability to monitor and control BYOD units. Fortunately, there are a variety of devices and services available to manage BYOD assets. They can restrict a network to only authorized devices, monitor patch levels, enforce password policy, and when necessary, wipe data.
I could spend a whole column reviewing products and services for mobile device management. Without endorsing particular products, the following are some examples of products available to handle this function (options include appliances, installed software, or hosted):
ManageEngine - installed software which includes mobile device management
Dell KACE - Asset management appliance, which includes mobile devices. Also available as a service.
Kaseya - Hosted solution.
Spiceworks - Well known free product which includes mobile device management.
If you allow employee BYOD, it will bite you sooner or later, so I recommend that you get on top of it before that happens.