How to secure BYOD the BYOD way

By Anurag Kahol, CTO, Bitglass


Bring your own device (BYOD), where employees work from personal devices such as mobile phones and laptops, is quickly becoming the norm in today’s business environment.

Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings and talent retention. In fact, 85 percent of organisations now allow BYOD for at least some of their stakeholders, including employees, contractors, partners, customers and suppliers.

But BYOD changes an organisation’s threat landscape and requires security tools that differ from those used to protect managed devices.

Unfortunately, a widespread misunderstanding has contributed to an unfounded assumption that BYOD is inherently riskier than the traditional way of doing things. In reality, this is a myth fuelled by companies that fail to implement proper security tools and processes for protecting data in BYOD environments.

Consider the following findings from my company’s recent survey report on BYOD and security:

  • One in five organisations lacks visibility into basic, native mobile apps on personal devices
  • Only 56 percent of companies employ key functionality like remote wipe for removing sensitive data from endpoints
  • 43 percent of organisations don’t know if any BYO or managed devices downloaded malware, indicating a significant lack of visibility
  • 24 percent of organisations don’t secure email on BYOD at all.

These statistics indicate that companies aren’t entirely prepared to secure data properly in BYOD environments, although 51 percent of respondents believe that the volume of threats targeting mobile devices is continuing to increase.

Because many BYO devices are personal mobile devices, these trends, if they continue unabated, will inevitably lead to countless breaches in the future.

While 30 percent of companies still do not allow BYOD due to security concerns, it is highly probable that in the coming years companies will alter their practice in order to maintain a competitive stance in the market.

So when implementing BYOD, it is essential that organisations add proper security controls immediately – not weeks, months or years after the fact. Key security controls are:

  • Single sign-on (SSO): The absolute minimum requirement for basic identity and access management (IAM) in cloud and BYOD environments. SSO serves as a single entry point which securely authenticates users across all of an enterprise’s cloud applications.
  • Multi-factor authentication: A tool that requires a second method of identity verification before employees or other users are allowed to access resources. For example, after inputting their passwords, users may be prompted to verify their identities through a token sent via email or text message (SMS), Google Authenticator, or a hardware token that they carry physically.
  • User and entity behaviour analytics (UEBA): Analytics that provide a baseline for normal user activity and detect anomalous behaviour and actions in real time, allowing IT departments to respond accordingly and automatically.
  • Data loss prevention (DLP): Various tools capable of allowing, blocking or providing intermediate levels of data access; for example, through redaction, digital rights management (DRM) and more.
  • Selective data wipe: This allows administrators to wipe all corporate data from a device without affecting the stored personal data; for example, photos, contacts, calendar events, emails, text messages and other items.

In BYOD environments, employing all of these tools and best practices requires that organisations leverage agentless solutions deployed in the cloud. Agent-based tools, by contrast, demand software installations on personal devices that invade user privacy and harm device functionality. This frustrates employees, impedes deployments and counters the many benefits offered by BYOD.

Fortunately, agentless tools are capable of securing data without these disadvantages and offer highly specialised capabilities. For example, agentless advanced threat protection can detect and halt threats as they are uploaded to any application, as they are downloaded to any device, and when they are at rest within the cloud.

Despite popular opinion, BYOD can be fully secured if companies leverage the proper tools. Organisations that insist on securing personal devices with the same strategies used to protect corporate endpoints will continue to find they are incapable of defending their data properly.

By employing the tools discussed, companies can embrace the benefits of BYOD without compromising on data protection.
