As BYOD (bring your own device) policies grow in popularity, securing employee-owned smartphones and tablets remains a major complication for organizations. According to one expert, current policies that stress antivirus software and IT process monitoring may be missing what actually matters when it comes to protecting corporate assets from mobile threats.
In a keynote presentation at the International Conference on Malicious and Unwanted Software, Jerry Jean, Chief of IT Security at McGill University Health Center, explained that the primary concern of any organization should be data protection, ITProPortal reported. Rather than worrying about mobile security at the device level, Jean said, IT professionals should be asking how they can protect their data, which is their most valuable resource.
"Whatever security you want to apply should take the device out of the equation," he said, according to ITProPortal. "Do I care about the device, or about my data? Make sure you protect what's really important to me, the data."
Jean stressed that any instance of users adopting technology outside what IT has sanctioned represents an area where existing solutions have failed. Devices such as smartphones fill a niche that users want filled, and IT departments should enable that. In order to do so, he said, security staff need to think in terms of risk management rather than comprehensive risk elimination, which may be an unrealistic goal.
In a practical setting such as a hospital, certain core functions may override security risks, Jean said, since people's lives are at stake. Security software updates that require a simultaneous reboot of 10,000 computers across a network could create a system-wide headache that saps employee support, he said. Similarly, the benefits of giving a nurse a smartphone to report patient vitals may outweigh the risk of a security breach, since, in his view, an attack on such a device is unlikely.
"If I tell my bosses there's a security issue," Jean said, according to ITProPortal, "I have to relate it to patient care. How many will suffer? If there's nobody dying, I don't have too many concerns."
In some cases, the risk is low enough to be acceptable. He added that organizations need to understand the risk factors at play in their area of business and adjust their data security policies accordingly. Jean also claimed that protecting data is increasingly supplanting protecting devices as the preferred best practice.
Degrees of protection
Given the nebulous nature of BYOD-related threats, there are many competing theories for how best to balance productivity, employee satisfaction and security oversight. Many organizations still have no approach at all. The PricewaterhouseCoopers 2012 Global State of Information Security Survey found slightly less than 45 percent of organizations have a mobile security policy in place. Few were compensating by protecting their data elsewhere, either, as only around 30 percent reported having a cloud security strategy.
An August 2012 study by the Aberdeen Group compared four levels of mobile device management, ranging from a conservative approach that deployed enterprise-owned devices with support for remote wipe to a liberal approach that let users bring their own devices with no corporate remote wipe control. The study found that the frequency of data loss or exposure under the most liberal policies was nearly four times that under the most conservative policies, according to CIO.co.uk.
For many organizations, then, a risk management approach that assumes employees benefit from having devices regardless of circumstances may not be effective. Nonetheless, by implementing data security measures that extend beyond the device, organizations can limit the risk that any single device vulnerability poses to their data.
Data Security News from SimplySecurity.com by Trend Micro