WIDE CHOICE: All organisations have the flexibility, based on their corporate culture and regulatory requirements, to embrace BYOD as much as they deem reasonable. - Reuters
GLOBALLY, one in four devices used for work are already either smartphones or tablets. Apple CEO Tim Cook has appropriately called this the "post-PC era" - creating a workplace shift toward Bring Your Own Device (BYOD) that's rapidly becoming the rule, not the exception.
With employees using smartphones, tablets, ultrabooks and more for their work, the concept broadens to include software and services (Bring Your Own Software: BYOS), as they use cloud services and other tools on the Web.
End-users accessing non-company software might include using free public cloud storage providers as ways to collaborate on and transfer large documents. Those documents, however, could contain data that falls into the scope of regulatory guidelines, which could place your data at risk.
You should evaluate how cloud storage providers transport and store your company's files. You need to consider how they are encrypting the data, whether they are using a single key for all of their customers, who has access to the key to decrypt the data, whether they will surrender the data to authorities if it is subpoenaed, in which countries the servers are located that are housing the data; and whether your organisation has an agreement with customers that their data won't be stored in certain countries.
All organisations have the flexibility, based on their corporate culture and regulatory requirements, to embrace BYOD as much as they deem reasonable. For example, there are companies who have decided the risk is too great and choose not to implement a BYOD programme.
In May, IBM banned its 400,000 employees from using cloud storage service Dropbox, as well as Apple's personal assistant for the iPhone, Siri - which listens to spoken requests and sends the queries to Apple's servers where they are deciphered into text. Siri can also create text messages and e-mail messages on voice command, but some of these messages could contain sensitive, proprietary information.
Whatever you think of BYOD and BYOS and however you choose to implement it, IT managers should treat it the same way as any introduction of new technology: With a controlled and predictable deployment.
Ultimately, the success of your programme is measured by your employees' willingness to use their personal devices within security procedures and policies you set for your organisation. You need to be able to enforce security policies on a device level and protect your intellectual property if that device is ever lost or stolen. But, whatever decision you make for your BYOD policy, be sure that it's enforceable and enables IT to deploy software remotely.
How to secure BYOD devices
The first and best defence in securing BYOD devices begins with the same requirements you apply to devices already on your network. These include enforcing strong passcodes on all devices, antivirus protection and data loss prevention, encryption of local disks, removable media and cloud storage, mobile device management to wipe sensitive data when devices are lost or stolen, and application control.
You should always extend encryption to both data in transit and data at rest. Protecting your devices with strong passwords means you make it incredibly difficult for someone to break in and steal data. But if your device-level password is somehow compromised, encrypting the data stored on the device provides a second level of security a hacker must get through in order to steal your data.
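The questions above about cloud storage (who holds the key, whether one key covers every customer, what the provider can surrender) and the second layer that encryption at rest adds can both be answered by encrypting documents before they leave the organisation. The following Go program is an added example, not code from the article or from Sophos: it uses the standard library's AES-GCM to encrypt a document under a fresh per-file data key, wraps that data key under a key-encryption key (KEK) the organisation keeps, and hands the provider only ciphertext plus the wrapped key. The file name, KEK and document contents are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopedFile is the blob handed to the cloud storage provider: the document
// ciphertext plus the per-file data key, itself encrypted (wrapped) under a key
// the organisation keeps. No usable key is present in the blob.
type EnvelopedFile struct {
	Nonce      []byte // GCM nonce used for the document
	Ciphertext []byte // document encrypted under the per-file data key
	KeyNonce   []byte // GCM nonce used when wrapping the data key
	WrappedKey []byte // data key encrypted under the organisation's KEK
}

// newGCM builds an AES-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted; here it binds the file name to the data.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any tampering with ct, nonce or aad.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt prepares a document for upload. kek is the organisation's 32-byte
// key-encryption key; it is used only locally and never sent to the provider.
func Encrypt(kek, document []byte, name string) (*EnvelopedFile, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes")
	}
	dataKey := make([]byte, 32) // one random key per file, not one per customer
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dataKey, document, []byte(name))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(kek, dataKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return &EnvelopedFile{nonce, ct, keyNonce, wrapped}, nil
}

// Decrypt recovers the document. It fails without the right KEK, or if the
// file name or any byte of the stored blob was altered.
func Decrypt(kek []byte, f *EnvelopedFile, name string) ([]byte, error) {
	dataKey, err := open(kek, f.KeyNonce, f.WrappedKey, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, f.Nonce, f.Ciphertext, []byte(name))
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek) // constructed KEK; in practice this lives in the organisation's key store
	doc := []byte("Q3 board minutes (constructed sample document)")
	f, _ := Encrypt(kek, doc, "minutes.docx")
	fmt.Println("blob contains plaintext?", bytes.Contains(f.Ciphertext, doc))
	got, err := Decrypt(kek, f, "minutes.docx")
	fmt.Println(string(got), err)
	other := make([]byte, 32)
	rand.Read(other)
	_, err = Decrypt(other, f, "minutes.docx")
	fmt.Println("provider or anyone without the KEK:", err)
}
```

Because the provider only ever stores `EnvelopedFile`, the answers to "single key for all customers" and "who can decrypt" are settled on your side: each file has its own data key, and nothing in the blob can be opened without the KEK you control. Retiring or rotating the KEK is then the lever for revoking access to data already sitting with the provider.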
You should encourage users to think of the extra layers of security as helpful tools that give them the ability to use their own devices within the workplace. By password protecting devices, a user acknowledges accountability and responsibility for protecting their data.
You should also apply a custom level of application control to BYOD devices. If applications are available to employees on the internal network, they should be able to access them offsite through a VPN (virtual private network) or e-mail software.
Setting policy and compliance standards
You need to formalise policies specifically around BYOD. For example, will your policy include any and all devices currently available? Or will you limit use of personal devices to specific hardware and software platforms? What about devices that aren't yet available but could reach consumer markets in the next few years?
The handheld mobile device market is evolving rapidly and this means your BYOD policy needs to be adaptable. You should maintain written strategic policies based on what you know today and what you think will generally be available tomorrow. And you must apply technology that enforces your written policies to provide management, audit proof modelling, control and security.
Implementing a solution that verifies devices remain remotely manageable by periodically "calling home" can help you in the ongoing battle to keep security policies relevant and reliable, especially if you're in an industry with strict compliance and auditing standards. Also, being aware of the service plans your employees have can help you offer the best services while reducing cost. Using a data plan's hotspot or tethered options can result in an overall better experience for end users. Consider data-only plans for personal WiFi devices in place of maintaining home office long distance and ISP (Internet service provider) customer plans.
Seven steps to a BYOD security plan
Your company's security and BYOD can co-exist. And it starts with planning for it. Here's how:
1. Identify the risk elements that BYOD introduces: Measure how they can impact your business, and map the risk elements to regulations, where applicable;
2. Form a committee to embrace BYOD that understands the risks. Include business, IT and information security stakeholders;
3. Decide how to enforce policies for smartphones, tablets, and portable computers connecting to your network;
4. Build a project plan to include remote device management, application control, policy compliance and audit reporting, data and device encryption, augmented cloud storage security, as well as for wiping devices when retired, revoking access to devices when an end-user relationship changes from employee to guest, and revoking access to devices when employees are terminated by the company;
5. Evaluate solutions and consider the impact on your existing network, as well as considering how to enhance existing technologies prior to the next step;
6. Implement solutions, beginning with a pilot group from each of the stakeholder departments. Expand the pilot to departments based on your organisational criteria, and then open the BYOD programme to all employees; and
7. Periodically reassess solutions: Include vendors and trusted advisors, look at roadmaps when entering your next assessment period, and consider cost-saving group plans if practical.
Implemented properly, a BYOD programme can reduce cost while increasing productivity and revenue. As BYOD goes mainstream in IT departments, security should be front and centre for users and IT administrators alike.
(Gerhard Eschelbeck is chief technology officer at Sophos, a developer and vendor of security software and hardware. He holds a number of patents within information security and is one of the world's foremost experts on vulnerabilities and network security.)