The mobile revolution has had wide-reaching effects on how businesses operate. But one of the most complex developments for those in charge of a company’s IT provisions is the growing popularity amongst employees of using their own kit, which has come to be known as bring your own device (BYOD). This brings up some significant implications for security and data management, which require rethinking the way your company addresses these issues.
Before BYOD, employees would work using computers at their desks, supplied by the company, or at least use company-supplied notebooks. So controlling data security was a much more uniform task than it can be today. The systems administrator could specify a limited range of devices that employees would use, dictate what software was being run on them, and roll out updates in a systematic fashion. This meant that devices could be kept secure, with protective patches and software installed to make sure things stayed this way.
The growing popularity of notebooks added a few extra difficulties to this model. The new flexible workplace means your employees might be using their devices at home, while travelling, or in a public space. This greatly increases the chances that they will lose their mobile device or have it stolen. They will also be quite likely to be using their notebooks over public networks, which opens up yet another area of insecurity that wasn’t an issue when employees were tied to a desk in your own private office building. The rise of the smartphone and tablet have made workforces even more mobile.
But BYOD takes this situation and amplifies it by an order of magnitude. When employees are using their own equipment, the systems administrator naturally has no control over the platform these devices use, and not much more over what software is being run on them and how they are kept secure. BYOD has grown in popularity, because it means employees can use, for example, the latest iPad or Android smartphone instead of a staid corporate notebook or business-issue feature phone. This means that a number of different platforms will need to be supported. Microsoft has tried to provide an answer to this with Windows 8, which offers a uniform management possibility for tablets, notebooks and desktops, with some extension to Windows Phone as well. But most employees would still rather have an iPad than a Windows 8 tablet.
Whether mobile devices are business issue or supplied by the employee, the fact that important business data could be stored on board will be a problem if they are lost or stolen. With company-supplied devices, you can at least impose password or passcode protection, and even specify systems that include biometric security, where a user’s fingerprint is required in lieu of or in addition to a password. Intel-based systems can incorporate a hardware chip called a Trusted Platform Module to store these security keys. With BYOD, conversely, security is more a matter of culture and training. It will be fundamentally important to get employees to buy into the idea that enabling password protection on devices used for business is imperative, and not with weak codes like “password” or “1234,” either.
This is far from infallible, however. With a notebook, for example, data could easily be retrieved by removing the hard disk and putting it into another system. Fortunately, for users of Windows systems there is some defense against this tactic. The Windows NTFS file system supports encrypted folders, which won’t be readable unless the user has correctly logged in. These are not enabled by default, and care needs to be taken that a user isn’t locked out of their own data due to forgetting a password. But turning on folder encryption can give piece of mind that casual theft or accidental loss of a device won’t leave sensitive information in the wrong hands. Business data that is replicated elsewhere could be encrypted, while personal information on a user-owned device could be left unencrypted, to make password loss less catastrophic. Enabling Windows NTFS encryption is a simple checkbox in the Properties of a Windows folder, with access then controlled by the user policy.
However, this kind of folder encryption is only available on Windows, and neither Android nor Apple iOS devices have it built in as standard. So a different strategy will need to be taken to protect devices based on these platforms. Again, with BYOD this will be a cultural and training issue rather than something that could be strictly enforced by a systems administrator. But urging employees to install and use an application like Find My Phone can add a layer of security. Find My Phone is available for Android, iOS and Windows Phone. Apart from the ability to locate a lost phone, Find My Phone also offers the facility to lock the handset remotely, so nobody can gain access to it, while still allowing it to be tracked. With Windows Phone, if the handset has clearly been stolen and will not be retrievable, there’s an option to erase all data remotely as well.
Viruses and malware are another threat to all computing devices. Users of non-Windows devices tend to boast that Windows is the biggest risk, but in fact Macs can also be susceptible, and even iOS and Android have been targeted, albeit infrequently. The locked nature of iOS app installation does make it more difficult to attack, but not impossible. So, again, employees should be urged to take protective steps when they use their own mobile devices for work. The Avast! antivirus suite is available for Android as well as Windows and MacOS. For iOS devices, there’s VirusBarrier, which is also available for Windows and MacOS. Providing these for your BYOD employees and urging them to use the software will help reduce their vulnerability.
Losing a device is the biggest threat to productivity, however, as it will mean losing the data stored on it, as well as the capabilities of the device itself. So in tandem with keeping the devices secure, it’s imperative that BYOD employees keep the business documents, contacts and calendars on their devices backed up. Contacts and calendars can be synchronized with a desktop, but using cloud-based systems for document storage provides the most flexibility. Google calendars can be synchronized with most schedule software, and while it may not be ideal to keep all business documents in the cloud, many of the leading commercial cloud providers allow a local folder to be synchronized with the cloud, so that its contents will be available from any device with an Internet connection.
Although Google Drive also comes with the ability to edit its own-format documents via a Web page, you can also place any documents you like in the Drive, so they will be synchronized with the cloud. The app is available for all the main platforms – Windows, MacOS, Android, and iOS. The Dropbox app similarly provides a folder that will be synchronized to the cloud, with equally wide platform support. Sugarsync goes a bit further, allowing you to choose local folders on each device on which it is installed that will be synchronized to the cloud whenever an Internet connection is available. Using any of these will mean that BYOD users won’t lose their documents if they lose their device, and accidentally leaving it behind won’t be the end of the world either.
Larger companies can go one step further and provide access to internal network resources via a virtual private network (VPN), although this will necessitate a decent Internet connection. The VPN will mean that data can be kept securely stored on the company network, where it will remain even if the device accessing it is lost, and corporate backup strategies can be applied. The connection between device and server uses strong encryption, so public networks won’t be a threat. Windows has had its own VPN system built in since version 7 called DirectAccess. This was further enhanced with Windows 8 and Server 2012. The benefit of this to users is that DirectAccess resources will become active automatically whenever the connection is available, making usage essentially transparent.
Extensive use of VPNs and cloud services can be a significant drain on network resources, however. Legacy 802.11g wireless over broadband and 3G may not be sufficiently quick to make these services pleasant to use, particularly when remote desktops are required. Even 802.11n Wi-Fi might not be up to the job, and 802.11ac is still in the early stages of rolling out. As an improvement, Wireline technology can be used to send faster and more reliable networking connections over existing power, telephony and coaxial cabling, either to individual devices or to take wireless access points to closer proximity to wireless users. This makes could services and VPNs much more viable for remote offices, so these strongly secure systems can be utilized with user-supplied devices, reducing the impact of the reduced control over their management and security for your systems administration.
The BYOD phenomenon has been a slightly unexpected complication, amplifying the issues already inherent with mobile workforces. Flexible working has great potential to improve productivity and employee work satisfaction. The ability to choose your own phone, tablet and notebook has also been cited as a significant factor in making employment conditions attractive. But this has made life more difficult for keeping user devices secure from malware and their data properly backed up. Ensuring secure passwords are used, and providing employees with software and services that promote security, can make BYOD the positive development it really should be.
This article originally appeared on ITProPortal.com.