The Inquirer-Home

Lack of enforced encryption and Apple ID woes among top 10 BYOD pitfalls

Security fears grow as more use it
Thu Aug 21 2014, 11:08
Gartner says security of mobile devices will continue to be an issue

AS BRING YOUR OWN DEVICE (BYOD) continues to become more accepted by businesses in every sector, mobility management company Fiberlink has identified 10 pitfalls that IT Managers need to be aware of when adjusting to the practice.

Fiberlink senior customer success manager Kumar Ananthanarayana has offered insight into each one.

1. Not Communicating With Employees
By failing to communicate effectively, the less tech-savvy get left behind, and engagement decreases. Ananthanarayana suggests leading by example.

"A BYOD rollout should flow downhill. Executives should enroll their devices first, communicating the capabilities and privacy features before deploying throughout the organisation. That way, employees are aware of what the solution can actually do before they are using it themselves, and see that the management team is committed to implementing BYOD."

2. Not enforcing passcodes on devices
When people are bringing their own devices, these are potentially the same ones that they take out to the pub on a Friday night. If it goes missing in the taxi home and the data is left unprotected, what then?

"Although it seems self-explanatory, many companies overlook this key step in making sure a BYOD program is successful. Once devices are enrolled, be sure to enforce passcodes with a relatively high level of complexity to keep that corporate data safe from prying eyes."

3. Not protecting Activesync
Following on from point 2, Activesync works on most devices but offers no information on who actually is accessing the information. Ananthanarayana suggests a more robust Enterprise Mobility Management (EMM) solution.

"If a device is lost, administrators have to rely on employees to tell them, giving thieves plenty of time to access sensitive corporate data. With an EMM solution, administrators are enabled to manage devices in the cloud, auto-quarantine devices and approve or block devices in the cloud."

4. Not managing email profiles
What happens when an employee leaves the business, with an email profile set up on their device?

"Oftentimes, email profiles remain active even after an employee leaves a company, leaving sensitive information exposed. To combat that, most administrators are faced with completely wiping devices. With an EMM solution, however, administrators are able to configure and manage profiles, meaning they can selectively remove the profile from a profile device without touching the other information on the phone."

5. Not enforcing encryption
Amazingly, many companies still transfer information "in the clear", making any man-in-the-middle attack a cinch.

"Encryption exists to protect data in that case, but unfortunately many companies do not take advantage of it. Thankfully, there are various encryption options for IT administrators to consider, whether it's the whole device or just a corporate container."

6. Not providing education/training to end users
Many users will be resistant to the idea of their personal devices being subject to monitoring. If organisations don't have an open dialogue, that situation is likely to be made worse.

"Administrators stand to gain important insight from some of the most sensitive tools, such as keeping lists of downloaded apps and keeping track of the location of a device. The key here is to communicate openly with employees and let them know what is being tracked and to allow them to opt out if desired."

7. Not setting minimum requirements on OS versions
Not everyone sits outside the phone shop, or hovers over the update button when a new OS version is due. This can cause compatibility and security issues.

"Older versions may have vulnerable apps or information, making any older device a weak link. To combat this, administrators need to be able to monitor and enforce updates, and be able to employee tactics like blocking emails if devices are not updated."

In our report on Camden Council's BYOD policy, we pointed out that there were still people using Psion Organisers and old-school Windows Mobile devices, proving the case in point.

8. Using the same Apple ID for everyone
If everyone is using the same Apple ID, which happens more that you would expect, it can cause all kinds of problems.

"Some organisations still do this, making it difficult to identify devices and control app purchases. Administrators need to enforce separate IDs for each user, and should push apps to individual IDs."

9. Not restricting corporate data flow
By using cloud file-sharing apps such as Dropbox and Box, unless set up correctly it is very easy for users to transfer internal documents.

"The key here is to integrate fully with a container based approach where content is directly pushed to a container app on the device that can be controlled by restrictive policies. That way, administrators can remove corporate content on-demand from these devices without having to worry about data leak."

Dropbox and Box have both recently expanded their business offerings with an eye on data security.

10. Not doing due diligence when considering BYOD
Why do you need BYOD in the first place? Are you doing it because everyone else is? What are the repercussions of an implementation likely to be?

"Administrators need to be sure that EMM is meeting needs and not impeding them, and evaluate and identify the requirements of workers before moving forward."

According to a recent Mckinsey study, it is estimated that two thirds of devices are used for some sort of enterprise activity, usually just retrieving company emails, but with the rise of the tablet, the flexibility of users to do a large variety of work on a their own devices leads to more opportunities for security breaches, so IT Managers have to exercise caution to ensure corporate information is secure.

For more information about Enterprise Mobility, visit the Intel IT Center. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Microsoft's Windows 10 Preview has permission to watch your every move

Does Microsoft have the right to keylog users of its Windows 10 Technical Preview?