BYOD: Answering the challenges
Organizations must act to mitigate the risks of “bring your own device.”
July 16, 2012
The trend of people wanting to use their personal smartphones, tablets, and other computing devices at work is creating many opportunities for organizations, part of the reason that an increasing number of executives and IT departments are embracing the concept. But the “bring your own device,” or BYOD, phenomenon also raises a litany of questions and concerns that organizations, not just IT staff, must address.
The April 23 CPA Insider article, “BYOD: A Revolution on the Rise,” examined the advantages of BYOD. This article looks at ways organizations can mitigate the risks that come with allowing employees’ personal mobile devices to have instant remote access to corporate computing resources and information.
BYOD raises two primary concerns for organizations: increased vulnerability to IT network, data, and privacy breaches and increased complexity in providing support to a multitude of mobile devices.
Nothing is more sobering for IT professionals than the thought of a multitude of unregulated devices having anywhere, anytime access to their organizations’ network and confidential information. Employee carelessness and ignorance can open the door for hackers to use the employee’s mobile device to gain access to corporate systems and data such as customer names, passwords, Social Security numbers, and credit card information. Such a breach would have devastating implications for an organization’s operation and reputation and, in certain cases, including many involving CPA firms, could expose the organization to liability under various privacy laws.
How would hackers access corporate information through an employee’s personal mobile device? One way is for employees to unwittingly infect their smartphone or tablet with malicious software known as malware. There are myriad types of malware and other computer viruses, including many that target smartphones and tablets that run on the Android operating system. Victims can pick up these viruses by downloading infected apps or clicking on infected links, including some embedded in text messages.
Malware allows hackers to do many things, such as stealing passwords and even taking control of computer systems, including those that run smartphones and tablets. In some cases, a cybercriminal could break into an organization’s network simply by walking in through a “backdoor.” A backdoor is a file that infects an operating system, silently connects with the criminal’s computer, and opens a port through which the criminal can access the victim’s device. In a BYOD environment, a cybercriminal working through a backdoor could use an employee’s connection to the network to slip through the firewall and access sensitive data.
Employees can create perhaps an even bigger risk by downloading confidential data to their personal mobile devices. In that case, even the simple loss of a smartphone or tablet could give a criminal easy access to information the organization is charged with keeping safe, especially if the employee fails to follow basic security practices such as locking devices with strong passwords (with upper- and lowercase letters, numerals, and special characters) and encrypting data stored on—and transmitted to and from—the device.
Steps to strengthen IT security in a BYOD world
Organizations that allow BYOD must require employees to sign a mobile-use agreement before allowing them access to the network with their personal devices. The agreement should mandate the use of encryption and password protection on all mobile devices connecting to the network. Organizations also should demand that employees agree to allow the organization access to remotely delete work-related data in the event the device is lost or stolen.
Another way to shore up security in a BYOD environment is to prevent employees from downloading corporate data to their iPhones and iPads. Desktop virtualization is a technology that can give organizations much greater control over their data and network access. IT staff can set up connections that allow employees to access their work desktop from a smartphone, tablet, or laptop. Because the desktop is virtual, it serves as an access point to applications and data stored on a server.
With desktop virtualization, IT staff can establish controls such as preventing employees from downloading corporate data to their personal mobile devices. Because the data stays within the corporation, it helps to make BYOD sustainable. Desktop virtualization also provides greater protection against malware infection because there is no transmission of information from the employee’s device to the server. The employee can access applications and data—e.g., client information in an Excel file—but the virtual desktop serves as a wall that helps keep any malware on the device from infecting the network.
Employees are willing to spend their own money to buy smartphones and tablets and even data plans, but it’s unrealistic for organizations not to provide limited IT support for these devices. At the least, IT staff need to perform tasks such as resetting passwords for employees whose mobile devices are locked out of the network.
Organizations can limit IT support by steering employees to their device’s manufacturer when the device has performance problems. For example, IT would recommend that employees take their iPhones and iPads to the Apple Store when they need repairs. IT staff can help employees figure out if the devices need repair, but IT would not perform the repairs.
To encourage employee endorsement of this plan, organizations would be wise to provide a stipend to help cover costs. Companies can set up a system in which they offer monetary support for employees who purchase their mobile devices and accessories from a group of four or five vendors vetted by the IT staff. In the case of a laptop, a business could provide, for example, $1,000 over two years to employees who agree to purchase whatever the computer needs—hard-drive space, processors, memory, etc.—only from one of the approved vendors.
This approach can help the organization exercise some control over the types of personal devices connecting to the network. It also costs less than providing the device. It can cost as much as $2,500 for each new laptop provided to an employee. Compare that to a $1,000 BYOD stipend.
There are a number of pitfalls, but savvy organizations already are planning or deploying the foundations of a successful BYOD implementation and working on the specific policies and procedures needed to support BYOD initiatives in their company.
People are no longer willing to wait, or accept that their employer is the only entity that can determine which technology is best for getting the job done. Organizations need to realize that they are no longer responsible for delivering a work computer. They have to be able to deliver a work environment.