Though there is no 'silver bullet,' Malaysian firms must get to grips with managing the 'bring-your-own-device' (BYOD) trend in order to realise productivity gains while securing a distributed network of mobile and on-site devices, said network security solutions firm Fortinet's regional director, Southeast Asia & Hong Kong, Dato' Sri George Chang, during a recent interview with Computerworld Malaysia.
Photo - Dato' Sri George Chang, Regional Director, Southeast Asia & Hong Kong, Fortinet
Could you outline the current security risks in BYOD adoption and how they impact organisations in Malaysia?
BYOD is another battle in the war between security and usability. End-users from the CEO down to employees want the ability to use personal devices for work purposes. At the same time, BYOD opens up numerous challenges around network, data and device security along with blurring the lines of privacy and accessibility.
The dilemma faced by companies in Malaysia is that while all of them want to be more productive, few have policies in place to adequately secure the influx of mobile devices entering the workplace. And without these policies, organisations have simply no choice but to prohibit the use of such devices, and consequently forego greater productivity and higher cost savings.
In a sense, we can empathise with enterprises' reluctance to embrace employee-owned devices. Generally, these devices are devoid of the most basic security features - such as anti-virus and password protection - incorporated in practically all workplace PCs. Meanwhile, the agility enabled by personal devices means that business critical apps can, and will, be accessed from any network in any location. This leaves a staggering amount of sensitive data on the devices, whose exposure could be highly detrimental to the business.
According to a recent Fortinet survey of a total of 350 mid-to-large enterprise IT decision makers in Asia, as many as 85 percent of respondents are concerned about their firms' ability to secure corporate data in this new user-led IT environment. Most companies are not confident of or do not have the means to secure personal mobile devices: About 67 percent of respondents say they only allow the use of corporate mobile devices onto which security policies can be directly enforced. Another 26 percent of enterprises place responsibility for securing personal mobile endpoints directly with the users/owners of those devices - a dangerous practice.
Are companies justified in banning BYOD? What are the pros and cons?
In a BYOD world, organisations are limited in their ability to force device users to conform to corporate policies. The case for banning BYOD is obvious. The overall security of the network will be less compromised while the network's bandwidth may be less strained. Banning BYOD may also reduce data loss associated with misplaced or stolen devices. With devices operating outside the confines of the traditional brick and mortar enterprise, the potential for data loss increases significantly.
Nevertheless, most companies also believe the benefits are worth the risks. Some of the most common factors cited in support of BYOD are productivity increase and cost savings. Organisations can save money by investing in less hardware and software.
There are also cost savings related to device maintenance. It's clear that organisations will have to put in a fair amount of effort to adapt and switch to a new way of supporting their employees if they decide to embark on a BYOD strategy.
What are the security policies and tactics to securely protect companies from BYOD risks?
In order to address the balance between usability and security, organisations are taking a variety of steps. While some draconian approaches (such as denying all personal devices on the corporate network) might be warranted for extremely secure organisations, most organisations want to adopt a BYOD policy that offers some flexibility for users while enforcing corporate policies and adopting best practices. In order to address these requirements, organisations are taking the following approaches to addressing BYOD challenges.
Most organisations first address the BYOD challenges through explicit policies. This is where the organisation should decide the extent of any BYOD programme. Some organisations will still choose to limit access to certain data or applications. An organisation may also choose to require employees to have specific software installed on their device in order to use a personal device on the network.