Sep 07 2012

How Agencies Can Mitigate BYOD Risks

Heed these best practices to enable secure productivity inside and outside the office perimeter.

A diverse array of compact, powerful and affordable digital devices enables today’s growing mobile workforce to maximize productivity anytime, anywhere. Many employees check work e-mail throughout the day and into the evening to stay on top of pressing priorities, so they want to carry and use devices that offer the greatest functionality. More and more, workers are demanding the freedom to use their own devices for work-related tasks.

Successful workers migrate to tools, applications and solutions that help them do more. If security and risk-management policies and practices are perceived as making work more difficult, employees will exercise innovation elsewhere. Instead of stifling this innovation, enterprise risk management must follow in the footsteps of IT consumerization, enforcing appropriate security controls and encouraging compliance rather than mandating arbitrary restrictive measures.

If an agency’s policies and technology do not grant ambitious employees the freedom and flexibility to boost their productivity, those workers will create workarounds beyond the organization’s visibility and control in order to get their missions accomplished, adding a dangerous and unnecessary level of risk to the equation.

Today’s consumer technology provides a range of capabilities, including e-mail, travel-expense tracking, GPS, document storage and customer-relationship management, some of which are delivered in the cloud, making these services fast, convenient and cheap. Savvy enterprises recognize the benefits of helping dedicated and valuable employees fully leverage the power of personal smartphones, tablets and other technologies to increase productivity.

Today’s mobile workforce spends a lot of time away from the office, such as when working at remote locations or traveling, so employees are using tools and technologies that offer on-demand information access outside the physical workplace.

Provide Flexibility While Protecting Assets

How can organizations provide highly efficient workers with tools that increase productivity and maximize value while deploying security controls that protect information assets?

First, it is critical to identify the information that requires protection and determine how to protect it. Organizations need to do a better job of categorizing sensitive information and identifying the truly mission-critical assets. Data classification is often limited to a handful of access-permission categories; much greater granularity is now required as part of the intelligence effort aimed at achieving effective risk assessment and management.

Start and Enable Versus Stop and Restrict

Rather than adopting a restrictive approach that focuses on locking down specific hardware or operating systems in the workplace, thereby curtailing innovation, an enabling management approach provides access to information at a quantifiable and acceptable level of risk, based on the organization’s requirements and culture. Enterprises should strive to maintain an appropriate level of control over data access beyond the organization’s physical boundaries, applying policies and employing tools to monitor and enforce information management across all devices.

Consider the organizational ecosystem and culture, and then customize information access by job role. Include accountability, and leverage a “trust but verify” approach to information risk management. Recognize that new threat vectors will emerge, and plan strategies to actively look for these threats throughout the information ecosystem.

Look at how the most productive employees are using smart devices, and determine what information they access to maximize their productivity. Prioritize mobile applications and users, and tackle the most important issues first.

Device management is a short-term, unsustainable Band-Aid. Applications should be the target for security measures, since that is where information can be managed broadly and most effectively. The one-to-one relationship between devices and device-management tools limits the flexibility of employees, contractors and business partners to work across organizational boundaries. Managing information at the application level enables realistic modern business practices.

After taking these preparatory steps, launch a pilot to experiment with an acceptable-use policy for specific devices used by the organization’s workforce:

  • Examine existing relationships and product and service offerings to determine the most viable user group to pilot new tools and technologies.
  • Train the team.
  • Draft security policies.
  • Measure results.
  • Plan for scalability and support.

Beware of rushing to adopt mobile-device management technology or implementing policies that might impede innovation. In an article earlier this year, security expert Lisa Phifer wrote that "organizations should not expect MDMs to magically keep a mobile workforce secure any more than a firewall can be expected to keep a corporate network safe."

Instead, organizations should focus on developing risk- and information-management policies for a flexible enterprise. They must establish processes to monitor and manage the business data and applications that reside on business-owned and personally owned devices throughout the information lifecycle.

Smart security practitioners and risk-management leaders will enable new technologies. They will create and implement scalable policies and iterative processes that evolve, based on lessons learned. Forward-thinking risk-management strategies will reflect effective information management and the adoption of appropriate levels of risk that encourage and leverage innovation and productivity.