Security risk management: BYOD and the way forward

Whether you’re an end user or an IT administrator, Bring Your Own Device (BYOD) is becoming a reality in many workplaces these days. Advances in technology have now made this possible. There’s no doubting that BYOD can deliver rewards and have positive impacts on productivity. However, these rewards can also involve risk. Although BYOD may be convenient for your employees, businesses will also need to consider its potential impact on corporate security models and data.

BYOD – the benefits

All IT leaders now face a variety of security challenges and rapid changes, yet because of financial pressures they are expected to do more with less. It is incumbent on them to provide end users with the latest, most advanced technologies to remain competitive, yet they also have to protect company, customer and employee data and avoid attacks from cybercriminals. New technologies have brought many more ways of accessing data, new types of devices and alternatives to the traditional PC platform.

BYOD encompasses not just personal computer use by employees, but also the use of smartphones, tablets, BlackBerrys and notebooks for their work. The concept of BYOD has broadened to include software and services, as employees use cloud services and other tools on the web. Implemented properly in a structured and methodical way, a BYOD programme can reduce cost while increasing productivity and revenue. However, as BYOD goes mainstream, security remains paramount for users and IT administrators alike.

BYOD – the risks

Whatever enterprises may think about BYOD and however they choose to implement the technology, its deployment needs to be controlled and predictable. BYOD devices may be owned by employees, but the data carried on these machines is company-owned, so management of the device and security risk management of the information are critical.

BYOD – the way forward

Last year ISACA (formerly known as the Information Systems Audit and Control Association) released research from 4,500 members across over 80 countries. Research from one particular vendor showed that as things stood only 19 percent of businesses had implemented a complete, formal ban on the use of BYO devices. However, only 23 percent of businesses reported to ISACA that BYO was in use.

What this information clearly shows is that there are still many organisations that haven’t yet decided whether BYO meets their risk profile. Whilst this might offer a convenient opportunity for vendors to push the ‘benefits’ of the use of these devices to a larger customer, it also highlights the fact that BYO needs to be carried out with a full understanding of the information security implications.

Krypsys’ current advice to senior managers is not to just ban BYO. This strategy has its own particular dangers: any new technology usage presents business opportunities, which need to be considered carefully. Instead, we would recommend an assessment of where BYO might bring benefits, and an analysis of what the associated risks might be.

It is worth remembering that, as with all new technologies, as security vulnerabilities are highlighted, solutions are also designed and implemented. Also, the inherent risk with BYO is the use of uncontrolled devices that you do not own and cannot secure effectively. However, this doesn’t mean that the adoption of mobile technologies that you can control also needs to be ruled out. Methods, and associated technologies, for the management of mobile devices are an area of rapid development, which means that your risk profile is likely to change relatively quickly.