Maintaining security when mobile devices are compromised

Sponsored by Samsung SSD

In the pre-BYOD, or Bring Your Own Device, world, it was never a happy event when hardware went missing or was stolen — but it typically wasn’t cause for panic, either.  Enterprise-issued devices were tightly controlled by the IT department, and featured — or, at least should have featured — all the essential security measures, like passwords, encryption, and remote wipes.  BYOD, of course, changes things. Increasingly, mobile device management is becoming an integral factor in network security.

Now, devices are harder to lock down and employees almost always have more leeway in how they use them.  BYOD hardware is often chock full of personal content, and in many cases, the devices are owned by the users, so when employees move on to a new job, so does their smartphone or tablet.

Clearly, businesses have to assure the security of their networks and data should a device go astray or a user take it to a new workplace.  Yet at the same time, employees may have certain expectations about their devices — for instance, that their personal content belongs to them and won’t be immediately wiped if their phone is left in a cab.  How do businesses meet their security needs without hindering, frustrating, or surprising users?  The answer isn’t always straightforward, but getting it right is crucial if both enterprises and employees are going to have a positive BYOD experience.  Some key steps can help.

Create — and communicate — your BYOD policy

The most effective way to manage expectations is to set them yourself.  When employees are hired, they aren’t left to assume what their salary and benefits will be.  Instead, that information is defined from Day One.  BYOD should be treated in just the same way.  Before the first personal device is allowed on the network, companies should have a comprehensive policy in place that lays out the rules.  For example, if personal data will be deleted in any remote wipe, the policy should specify that.  Clear communication is critical, too.  Don’t bury the policy on a remote corner of your intranet.  Issue it to users, and require that they sign it before they can use their personal device for work.  And if your policy is to wipe all content from compromised devices — including those graduation videos that can never be replaced — it’s a good idea to stress the importance of backing up personal files, and include some tips on how to do that.

Use profiles

Security in a BYOD environment can be boosted dramatically through the use of profiles.  Essentially, these are rules that are triggered whenever a device requests to log onto the corporate network.  The profile will check that certain conditions are met before granting access — for example, that the device requires a password, that it isn’t using an open, unsecured connection, and that it hasn’t been jailbroken or rooted (activities that can compromise security features built into the device).  Profiles are a simple way to ensure that a company’s security policies — strong passwords, encryption, and the like — are followed by users.  If they’re not, their devices won’t be allowed on the network.  That’s a pretty strong incentive to play by the company’s rules.
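One way the profile check described above could be expressed, as an added example that is not code from this article or from any MDM product. The attribute names, the `evaluate_profile` function and the sample devices are hypothetical; the point it shows is that a device which fails to report a condition is denied just like one that violates it.

```python
# Added illustration: attribute names and sample devices are constructed,
# not taken from any real MDM product.
from dataclasses import dataclass, field

# Each rule: (posture attribute, value required for access, reason on failure)
PROFILE_RULES = [
    ("passcode_enabled", True, "device does not require a password"),
    ("storage_encrypted", True, "on-device encryption is off"),
    ("network_secured", True, "connection is open/unsecured"),
    ("jailbroken_or_rooted", False, "device is jailbroken or rooted"),
]


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_profile(posture: dict) -> Decision:
    """Allow access only if every rule is met.

    Fails closed: an attribute that is missing or is not a real boolean
    (for example the string "true") counts as non-compliant.
    """
    reasons = []
    for attr, required, reason in PROFILE_RULES:
        value = posture.get(attr)
        if not isinstance(value, bool):
            reasons.append(f"{attr} not reported (treated as non-compliant)")
        elif value is not required:
            reasons.append(reason)
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample posture reports
COMPLIANT = {"passcode_enabled": True, "storage_encrypted": True,
             "network_secured": True, "jailbroken_or_rooted": False}
ROOTED_ON_OPEN_WIFI = {**COMPLIANT, "network_secured": False,
                       "jailbroken_or_rooted": True}
NO_ROOT_REPORT = {k: v for k, v in COMPLIANT.items()
                  if k != "jailbroken_or_rooted"}

if __name__ == "__main__":
    for name, posture in [("compliant", COMPLIANT),
                          ("rooted on open Wi-Fi", ROOTED_ON_OPEN_WIFI),
                          ("no root status reported", NO_ROOT_REPORT)]:
        d = evaluate_profile(posture)
        print(name, "->", "ALLOW" if d.allowed else "DENY", d.reasons)
```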

Embrace mobile device management software

Commonly referred to as MDM, these platforms offer features that can protect corporate resources from compromised devices.  For instance, MDM software can be configured so that devices are disabled after repeated password attempts — often a sign of unauthorized use.  These platforms can also push out security updates to devices and require that the latest version of the OS (which is typically the most secure) be installed.  Some MDM platforms can even keep work content separate from personal content onboard a device, enabling ‘selective’ wipes where only business data is erased.  That ability to spare personal content will prove particularly valuable when a device is lost but might turn up later, or when an employee takes it to a new job.

Consider virtualization

While passwords, on-device encryption, and remote wipes are essential steps for protecting data should BYOD hardware go missing, companies can lower the risk even further through virtualization.  Put simply, this technology keeps data safe by keeping it back on the company’s own storage infrastructure.  BYOD devices are simply used to view and work with the data temporarily, but once a session is over, nothing is stored locally.  So should a device fall into the wrong hands, there is no sensitive data to extract from it.  Passwords and encryption might be cracked, but it’s hard to steal data when there is no data to steal.

BYOD isn’t without risks — no business model is.  But with the right policies, businesses can create and communicate a highly effective framework for keeping their data and their networks safe.  That not only lessens the risks, but increases the likelihood that BYOD will prove a winning experience — for everyone.

Alan Cohen
Alan Cohen is a New York-based writer who covers technology and business.