BYOD creating management challenges for UK businesses

Wednesday 5 December 2012

Business confidence

An increasing number of UK businesses have implemented or are planning to introduce bring your own device (BYOD) policies, it has been reported.

Some 70 per cent of businesses will allow employees to use personal devices on corporate networks within the next 12 months, Gartner reported.

The IT analyst found that 33 per cent of organisations already have BYOD policies in place for mobile devices, such as smartphones and tablets.

“Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security,” said Dionisio Zumerle, principal research analyst at Gartner.

"Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organisation."

Preparing for successful BYOD

According to Gartner, businesses must consider and take action on three major impacts when moving to a BYOD policy:.

Firstly, firms must consider whether the right of users to leverage the capabilities of their personal devices conflicts with enterprise mobile security policies.

Companies need to manage the risk of data leakage and the exploiting of vulnerabilities, the company stated.

Gartner suggested that mobile device management (MDM) software is one way to enforce policy on mobile devices.

"Users should obtain access to enterprise information only after having accepted an MDM agent on their personal devices, and possibly a URL filtering tool," the firm added.

"Enterprises should consider using application whitelisting, blacklisting and containerisation, as well as setting up an enterprise app catalogue for apps that are supported." 

Freedom of choice a challenge for businesses

Gartner said user freedom of choice of device and the proliferation of devices with inadequate security makes it difficult to properly secure certain devices.

This also makes it difficult for businesses to keep track of vulnerabilities and updates.

"Allowing users, rather than the IT department, to select operating systems and versions of mobile devices opens the door to devices that are inadequate from a security standpoint," Gartner stated.

"An essential security baseline should require enhanced password controls, lock timeout period enforcement, lock device after password retry limit, data encryption, remote lock and/or wipe."

The analyst said network access control policies should be used, for example, to deny access to enterprise resources such as email and apps from devices that cannot support the security baseline.

Securing users' personal devices

A third problem for businesses is that users' ownership of handsets and data raises privacy concerns which stand in the way of taking corrective action for compromised devices.

"Most people consider data on their personal devices as their property, and would strongly object to having it manipulated by the organisation without their explicit consent," the firm said.

"When shifting from enterprise to user-owned devices, 'remote wipe,' which is a fundamental security feature in a mobile security policy, becomes complicated from a legal and cultural point of view."

Businesses are urged to pay sufficient attention to this issue to avoid repercussions.

Gartner said that in practice 'selective wipe' is proving to be difficult in ensuring that all business data, and only business data, has been deleted from devices.

The firm has recommended liaising with the legal department to obtain advice, because there may be various implications related to device wiping.

Posted by Alex Boardman