In September, the Information Security Forum (ISF) released a report, “Managing BYOD Risk: Staying Ahead of Your Mobile Workforce,” which found that many companies, in their rush to institute some kind of BYOD security policy, often neglected or rushed risk management. Incomplete or ineffective policies in effect leave the company open to threats against its network. Instead, ISF encourages organizations to take an “info-centric” approach to BYOD policy.
I had the chance to speak with Steve Durbin, global vice president of ISF about the report.
Poremba: When talking about risk management in terms of BYOD, what exactly do you mean? Is it just good security practices or something more?
Durbin: Managing information risk is complex and many functions, processes and working methods need to be established in order to create an effective capability. Some of these include:
When we look at BYOD, clearly there is a need to have effective policies and practices in place, but many organizations make the mistake of starting from this point as opposed to first determining how they will be using the devices to provide the link between what are the most important corporate assets—corporate information and the people that need to access and interact with this information. So BYOD is more about understanding how the interaction must take place, with what information and on what basis. Having understood that and the associated risks, organizations can move to creating the security practices and policies that reflect the risk management profile that is acceptable to the business and compatible with the needs of the business to function effectively.
Poremba: What are some of the key risks associated with BYOD programs, particularly for SMBs?
Durbin: As the trend of employees bringing mobile devices into the workplace continues to grow, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities, and the deployment of poorly tested, unreliable business applications. Left unmanaged and exposed, mobile devices in the workplace are susceptible to a wide range of information security threats. These threats include exploits by malware targeted at the device’s operating system or apps, unauthorized connections, exploitation of software vulnerabilities by malware that exposes data or causes unexpected behavior, and compromise or irrecoverable loss of corporate data. These issues are particularly acute for SMBs for a number of reasons: They have adopted BYOD and cloud technologies as a cost-effective, highly scalable means of running their businesses and may not have taken the time to think through some of the security implications of storing and accessing information in this way. Furthermore, they will often not have the same level of accessible resources to address issues of information security; this naturally raises the risk profile under which they are operating.
Poremba: The importance of putting together BYOD policy is stressed by many IT executives, but how effective are such policies? Who should be policing them and how can you make sure your employees are following the policy?
Durbin: Every organization, no matter what the size, needs to ensure employees are aware of what constitutes good working practice for mobile devices. As well as making consumer device security an integral part of awareness campaigns, organizations should consider monitoring device usage and enforcing policy through disciplinary or financial sanctions. By putting the right working practices, usage policies and management tools in place, businesses of all sizes can benefit from the returns that these devices can bring to the workplace, while at the same time, managing their exposure to potentially devastating risks.
Poremba: What do you think is the most important takeaway from the “Managing BYOD Risk: Staying Ahead of Your Mobile Workforce” report, and why?
Durbin: The explosion of new mobile devices and applications means that organizing a BYOD risk management plan around a single technical solution can be limiting. A focus on information is more likely to result in an agile and adaptable program.