While Bring Your Own Device (BYOD) has been identified as a prevalent trend in business, security concerns have been major hurdles to organisations embracing the change.

In a recent report, entitled Three Crucial Security Hurdles to Overcome When Shifting From Enterprise-Owned Devices to BYOD, information technology research company, Gartner, both highlighted and addressed existing security obstacles and offered their advice to companies.

The company began by explaining just how prevalent the BYOD trend actually is, citing a survey in which a whopping 70% of respondents stated that they already had or were planning to have BYOD policies in place within the next 12 months, to allow employees to use personal mobile devices to connect to enterprise applications.

Additionally, one-third (33%) of the companies surveyed were found to already have BYOD policies for mobile devices, such as smartphones and tablets.

All rights reserved

Gartner said that organisations must consider and take action on three major impacts when moving to a BYOD policy. The first of these is the right of employees to define their own usage policy for personal devices when they are outside the organisation's premises. While enterprises could limit applications and web access on enterprise-owned devices, users should be able to install apps and visit URLs of their choice, and decide the level of protection for their personally owned devices.

Gartner explained that when enterprise data is allowed on personally owned devices, the risk of leakage increases for the organisation. This is due to the rise of mobile malware; the fact that legitimate but unsupported apps may inadvertently create security risks for the organisation; as well as the risk of device loss.

However, the company explained that using mobile device management (MDM) software is one way to enforce policy on mobile devices. Users should obtain access to enterprise information only after having accepted an MDM agent on their personal devices, and possibly a URL filtering tool, such as a cloud-based secure web gateway (SWG) service, to safeguard and enforce enterprise policy on Internet traffic.

The data conundrum

The second concern revolves around the proliferation of devices with inadequate security.  Gartner elaborated thatallowing users, rather than the IT department, to select operating systems (OS) and versions of mobile devices opens the door to devices that are inadequate from a security standpoint.  

To address this, it encouraged that an essential security baseline should require enhanced password controls, lock timeout period enforcement, lock device after password retry limit, data encryption, remote lock and/or wipe.

The final concern highlighted – and answered – revolves around the user's ownership of their device and data. User’s privacy and the ownership of their data stands in the way of taking corrective action for compromised devices. Gartner pointed out that most people consider data on their personal devices as their property, and would strongly object to having it manipulated by the organisation without their explicit consent.

Gartner continued that, when shifting from enterprise to user-owned devices, remote wipe, which is a fundamental security feature in a mobile security policy, becomes complicated from a legal and cultural point of view.

Additionally, ‘selective wipe,’ in which business data, and only business data, would be deleted, was proving a difficult proposition.

Thus, it urged businesses to liaise with the legal department to avoid repercussions. Additionally, businesses embracing BYOD were encouraged to obtain the explicit, written consent of users to delete their data in case of compromises, or the loss or theft of devices, at the time of the user's initiation to the BYOD programme.

To the point

While many employees would likely welcome the chance to use their device of choice for their working lives, it’s clearly not a simple issue. However, Dionisio Zumerle, principal research analyst at Gartner summed it up nicely: “Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security,” he said.