BYOD: Will CIOs make investment in educating employees?

Zakir Rangwala, country head at ESS Distribution, says many BYOD-related studies conducted worldwide and in India show that young people employed by organizations consider the freedom to use their own devices (smartphones, tablets, laptops) at work and remotely to be their right and not a privilege.

Some CIOs would argue with that, but the “Bring Your Own Device” (BYOD) trend has been growing tremendously in our country.

The Trust in Computing survey, conducted by Microsoft in 2013, found that BYOD has gained wide acceptance globally, with 78 percent of organizations allowing employees to bring their own computers to the office for work purposes and 31 percent subsidizing purchases of employee-owned computers for work use. While Chinese companies were the most likely to allow BYOD (86 percent), Japanese companies were the least likely (30 percent).

India stood somewhere in between, with 38 percent of companies allowing personal devices to be used at work and also subsidizing their purchase, and 26 percent allowing them but not subsidizing. A study conducted by Cisco and the Data Security Council of India (DSCI) the same year revealed similar statistics: 66 percent of security heads in Indian organizations encouraged employees to bring their own device to work, and 44 percent allowed them to select and use a specific set of personally owned devices.

These numbers would have grown even further by now, since more and more companies around the globe and in India are considering no longer providing devices to their employees and opting for better BYOD policies instead.

As a security solutions provider, we view BYOD through the prism of security concerns. While we recognize the potential of the BYOD concept, especially in countries like India with great smartphone penetration, bad road connectivity and public transport, and even worse traffic jams, we also recognize the additional security threats BYOD carries with it.

According to an ESET survey of BYOD in the corporate segment, conducted in cooperation with Harris Interactive in the United States a few years back, less than half of all devices in the BYOD category were protected by the most basic of security measures. For example, auto-locking with password protection was enabled by less than half of laptop users, less than a third of smartphone users and only one in ten tablet users, and encryption of company data was only happening on one third of devices.

There is little doubt that modern attacks using BYOD as a tool originate from multiple channels, and therefore creating policies and managing the secure configuration of devices can be a complex task. However, we believe it is necessary to focus on the basic and most predictable challenges: physical access to the device, mobile malware and threats that use the device as a means to penetrate the corporate network, and social engineering.

The process of implementing an enterprise BYOD policy should therefore start with simply turning on auto-locking and password protection on all the devices employees bring to the office, followed by enforcing network policy on mobile devices, security scanning of mobiles and quarantine of non-standard devices, along with encryption of communication and data.

Going beyond these basics, one should recognize the challenges related to growing mobility and the shift to the mobile-cloud environment. As more companies aim to create unified platforms that empower their workforce to function on the move, not just without any productivity loss but even more efficiently, they are demanding security products that support this business process transformation without slowing down or interrupting crucial processes.

Surveys conducted by us and our partners show that the cost of technology or deployment is one of the most worrying challenges to security management in organizations, especially in small and medium businesses, which often cannot afford to deploy mobile application management (MAM) and other third-party solutions that help enterprises with expertise and budgets smooth their transition to the mobile era.

The basic BYOD security policies can and should be adopted and implemented without significant costs involved. The only price to be paid is some amount of security awareness and employee education. Employees must be trained to protect their devices both physically and virtually. They need a basic understanding of mobile malware and of the social media scams that cyber criminals use in social engineering attacks to gain access to enterprise data. It is important to educate senior management as well, since most sensitive information is stored on their devices.

Investing in training and education cannot save the company from the cyber threats posed by BYOD or replace a solid security policy with effective risk-control measures. However, the cost of not taking even such small steps towards a secure BYOD environment can be much higher when the company faces a security breach. As we often hear from our security engineers, the largest threat to a company’s IT infrastructure and data safety is employees who have no idea about security concerns and the measures that can and must be taken at an individual level to prevent possible security disasters within the organization.

Zakir Rangwala, country head at ESS Distribution

ESS Distribution provides security solutions in the Indian market designed to protect small, medium and large businesses, as well as individual users.