Author: Cody J., Inflow Software Engineer
Organizations nowadays have to contend with a multitude of IT issues. With the lowering cost of personal electronics, especially smartphones, laptops, and tablets, people are buying a variety of devices to stay connected and, inevitably, will use them at work. Companies need to decide how they will deal with this issue.
Bring Your Own Device (BYOD) is a controversial issue in some places, especially when information security is considered. Traditionally, companies provided employees with the information systems needed to do their work. Controlling the items that were used within the company allowed more control of security; only authorized devices were present on the network, and baselines were created for each system, making it easy to handle patching and other security issues.
BYOD allows workers to bring their personal devices to work and use them on the company’s network. Some of the advantages include improved productivity (employees have already configured their personal systems to their individual tastes, so they aren’t fighting with unfamiliar or locked-down systems), improved morale (letting employees choose their own “best of breed” applications), and cost savings (companies don’t have to buy all these devices themselves).
Naturally, a significant disadvantage is in security. Because these personal devices touch the company’s property (such as the network itself, servers, and associated systems), the company needs to ensure that they aren’t opening up security holes in its InfoSec posture. Yet, relying on employees (with differing levels of “computer savviness”) to maintain security on their systems can be wishful thinking.
Here is a short, non-comprehensive list of security concerns with BYOD:
- Not encrypting a personal device and subsequently losing it or having it stolen or hacked
- Not wiping the data on it prior to selling/disposing of it
- Allowing friends/family to use the device, thus exposing sensitive information to non-employees
- Setting up sharing, such as through Dropbox or peer-to-peer networking, that inadvertently shares company information
- Tracking network traffic or employee work needs to ensure only work-related information is monitored and no personal information is exposed
- Ensuring that personal systems have the latest software patches and meet the minimum security baselines
- The inevitable need for corporate help desk services to provide support to personal devices
- Increased corporate liability
Obviously, while there are advantages to having a BYOD policy, the security concerns can outweigh those advantages. Before a company decides to implement BYOD, it needs to consider all the pros and cons of the policy and address as many of the security concerns as possible. Eliminating and mitigating these concerns will reduce the likelihood of serious security violations, such as data breaches and malware infestations.
One alternative is to have the company purchase personal devices, e.g., by providing a catalog of choices for employees, and allow personal customization in addition to the standard corporate configuration. This allows the company to maintain the same security criteria as with the traditional system but also provides employees with some ability to customize their devices.
This removes the cost benefit of BYOD but enhances the company’s security posture. While personal use is still allowed with the devices, they have to maintain a minimum security baseline to access the company’s network, they receive regular patches, and help desk support is more manageable. In addition, when an employee leaves the company, the device can be wiped by the company to ensure all proprietary data is removed.
With this company-owned, personally-enabled (COPE) policy, there is more leeway in how the devices are purchased. One option is to simply have the company buy the devices and allow employees to use them during their employment period. If an employee leaves, the device is returned to the company, as it is company property.
Alternatively, the company can allow the employee to purchase the item, either at the point of purchase or at the time the employee leaves the company. Thus, while the device is still controlled by the company, the employee gains personal use of the device when s/he leaves the company. Obviously, the company would still ensure the device is wiped before the employee leaves the company.
As can be seen, BYOD and COPE are different methods to deal with the desire of employees to use their own devices at work. There are a number of security concerns to be cognizant of when implementing any policy that allows personal devices, whether or not they are purchased by the company. Planning for these policies needs to include a number of stakeholders, and consider all the pros and cons of allowing personal devices.