Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Look at risk before leaping into BYOD, report cautions

John P. Mello Jr. | Sept. 19, 2013
Risk management critical to skirting pitfalls of permitting personal devices in the office

Before rushing into allowing employees to do their jobs on their personal devices, organisations need to diligently address the unique risks of that practice, cautioned a report by an international cybersecurity information organisation.

When businesses push Bring Your Own Device (BYOD) programs into place too quickly, risk management is often neglected or rushed, leaving organizations with both unknown and unnecessary risks, the Information Security Forum reported on Tuesday.

For organisations to be successful in the era of mobile devices in the workplace, risk management must be the foundation of any BYOD program, the report added.

"The use of personal devices to store and process sensitive information continues to rapidly affect the way we do business," ISF CEO Michael de Crespigny said in a statement.

"At the same time," he said, "it means organisations are easily exposed to new and more complex threats from stolen, lost or destroyed data, malware and other attacks if the device is not securely used and protected."

Personal devices can be challenging for IT departments because they may be used in ways that wouldn't be allowed if the device were owned by the company.

"By putting the right business practices and usage policies in place now, organizations will benefit greatly from the flexibility, increased productivity and reduced costs that mobile devices can bring to today's workplace, while minimizing exposure to potential security risks," de Crespigny said.

IT may be accused of currying favor with users at the expense of risk management, but BYOD is a new world for them, too. "It's a completely new shift in how they have to be thinking about their end users,"  said Gregg Ostrowski, senior director for enterprise developer and tech partnerships at BlackBerry.

BYOD also opens up issues that requires IT planners to reach beyond their bailiwick's walls. "You have to involve human resources and legal in the process," Tenable's CEO, Ron Gula, said in an interview.

"If you're going to put any technology on any device that you don't control, and you don't think you're not going to create some liability for your company, you're wrong," Gula said.

Any BYOD management program, however — even one weak on risk management — may be better than no program at all. "There isn't an option for companies not to have a mobile strategy," said Caleb Barlow, an application, data and mobile security director for IBM.

"Not having a mobile strategy just means your information is going to leak out of mobile devices outside your control," Barlow said.

Still, it's estimated that anywhere between 60 and 80 percent of companies have no formal BYOD policy.

"It doesn't matter if it's 60 or 80 — there's a lot of companies that don't have formal BYOD programs today, yet their employees are using their phones and tablets for work, and the IT department doesn't know it or chooses to ignore it," said Anders Lofgren, director of mobility solutions at Acronis.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.