Recently, CompTIA announced that 53 percent of private businesses do not allow BYOD at all, which is up 19 percent (from 34 percent) since 2013. We sat down with Jim Rhodes, Mobile Solutions Supervisor at AppRiver, to discuss mobile BYOD pain points that may be contributing to the mass exodus from BYOD, as well as to offer considerations and suggestions for companies that choose BYOD plans.
What do you think is causing the trend of companies shifting away from BYOD? Security? Legality?
“It’s probably a combination of both. When it comes to mobile devices, the primary goal of the employer is to secure the company data that resides on that phone. With BYOD, the administrator has less control over the device. A user can jailbreak/root the phone, use public open Wi-Fi, unknowingly install malicious apps from more obscure app stores, etc. On the legal side, it can get tricky if an employee is terminated and the company data needs to be deleted from the phone. Simply sending a wipe command could also end up deleting personal data (texts, pictures, email) which a company could be held liable for.”
What, if any, are the advantages of BYOD?
“I think the most popular reason companies choose this option is that it is cheaper. They don’t have to purchase the device or pay the monthly charge or worry about upgrades in the future. The user gets the phone he or she wants and has ultimate control over the service options and monthly cost. In addition, the phone stays with the employee if he or she should ever leave the company.”
Do you see any advantages of the new trend of CYOD?
“CYOD allows administrators more control over the device and the data that resides on it. Devices can be selected for the CYOD program based upon the security policies they support. For instance, not all phones recognize the policy option where the device’s camera is disabled. The company can elect to only offer phones that support this policy.
“If you maintain ownership/control of a device, it is easier to configure it for business use, install MDM software, and monitor its status on an ongoing basis.
“Finally, in the event a device is lost or stolen, the company can issue a wipe command to the device without concern about the loss of personal data, since the phone was issued for business purposes.”
Jim also has the following security advice for companies who are embracing BYOD:
- Identify situations where company data could be at risk. These could include:
  - Loss or theft of the device
  - Personal Web browsing that leads to malicious sites
  - Clicking links from unknown sources in personal e-mail accounts
  - Installing malicious applications
  - Rooting (jailbreaking) the device
  - Installing custom ROMs
  - Using the device on public Wi-Fi connections
- Prohibit mobile device connection from the corporate network. This is because sensitive information about your company will be stored on an employee’s personal device and it is impossible to have complete control of the device. Instead, use secure connections (e.g., HTTPS, VPN) when connecting to company resources. This will protect data when using an unfamiliar network, such as public Wi-Fi.
- Grant IT admins access to manage devices remotely. If you are going to grant access for multiple mobile operating systems, you may need more than one mobile device management solution. Some solutions will allow more control of the device than others. For instance, Microsoft Exchange ActiveSync and BlackBerry Enterprise Server allow more options to lock down the device as a whole. Other options, such as Divide or Good, use a containerization approach where a suite of business apps is the only thing that is managed, leaving the user’s personal data untouched.
- Require passcodes and on-device encryption. Passcodes should be mandatory to unlock a device (or at minimum business applications and data), while on-device encryption should be required for sensitive data.
- Block apps from downloading from unknown sources. Although not perfect, official marketplaces do have processes in place to weed out malicious applications.
- Consider creating an approved-device list. Some devices do not allow for the enforcement of some of the policies mentioned above.
- Give careful consideration to allowing devices that have been rooted (jailbroken). These devices have had the permissions level for the user elevated to where they can modify parts of the operating system that are normally protected. A rogue app can exploit this and access sensitive data.
- Consider using a cloud storage solution for company data, when possible. This will make backups easier and minimize the impact of a lost or stolen device.
- Implement a formal corporate mobile BYOD policy. A clear and concise mobile device security plan will also set employee expectations. In the plan, identify which devices are supported and the procedures to protect corporate data, including mobile device management software that should be installed and the consequences if it is uninstalled without permission. The plan should also address how business data will be backed up, while clearly spelling out that it is not the company’s responsibility to back up employees’ personal data.
- Detail the use of remote wiping, including expectations of how personal data will be affected in the case of device theft or loss.