BYOD? More like “Bring Your Own Divide”

There is no way around it: the modern workforce is mobile and relies on CXOs to deliver enterprise security in the clearest way possible—no matter where they find themselves. CXOs need to embrace their businesses' operational models and define strategies to secure critical data.

Most IT decision makers (ITDMs) are confident they have it covered. According to Code42’s 2016 Datastrophe study, 65% of ITDMs believe their companies have a clearly defined BYOD policy in place. The figure is even larger amongst CIOs and CISOs, with 87% thinking so.

With that in mind, the following may come as a shock. More than two thirds of knowledge workers—end users in your organization—disagree; 67% say their company does not have a clearly defined BYOD policy in place.

At this point alarm bells should be sounding. This divide establishes one of the most important attack vectors you should be addressing. So, why is there such a divide between how BYOD policy is perceived to be implemented by security professionals and how knowledge workers report it to be in their daily lives, and how can you bridge that gap?

Deep dive into the facts

First, we need to look at the facts. The number of endpoint devices which employees use on a daily basis has exploded: smartphones, tablets, second smartphones, personal laptops, etc. In fact, 26% of knowledge workers report that they are issued with at least two corporate devices by an employer, and one in twenty say they are provided with five or more.

This is a dramatic change from just a few years ago, when many workers had single stationary devices that were safely connected to the enterprise within a firewall. It does make it all the more important that companies have an easy-to-follow and closely adhered-to BYOD policy—particularly if you consider that around 47% of corporate data is now held on the endpoint.

It does not take much to see the potential disaster that lurks here; any disparity with employees on BYOD security is a high-priority issue. For example, a new report by the Institute for Critical Infrastructure Technology (ICIT) warns that poorly protected endpoints are particularly vulnerable to ransomware. Of course, there are ways to safeguard these devices, such as continuous and comprehensive backup and recovery solutions, but if this is not present, consider the potential damage that could be done. Vulnerability at the endpoint, with so much critical data now residing on it, is not a risk worth taking.

The psychology behind the divide

To get to the reasoning behind the divide, take a moment to think about the perspective of staff members. For employees not clued up on the intricacies of information security, BYOD means increased flexibility and seamless travel between devices. It means increased convenience. What it does not mean, even for the most well-intended employee, is the additional chore of continuous manual security. From that viewpoint, the flexibility offered by BYOD almost removes itself from the security guidelines applying to on-premise devices.

But IT decision makers can also use that realization to their advantage. On the one hand, training should focus on how flexibility must be paired with security. On the other, to ensure compliance, ITDMs need to put employee habits and needs at the core of a practical BYOD policy.

As employees learn to benefit from BYOD, it is essential to track behavior and gain insight into which apps and data they access most from various endpoints. Is it just email or does it extend to mission-critical documents? How safe are the apps accessed, and should they be supported in your environment?

Most importantly, ITDMs must work together with employees to map their data needs, priorities and uncertainties, and give clear guidance on whether and how users are allowed to mix personal and company data. This is something I do not recommend but is often the human behavior we need to address.

Putting security, and clarity, in place

IT decision makers may ultimately decide and implement policy, but at the end of the day, employees will work and act within, or at worst outside of, that framework as they see fit.

To make BYOD work for enterprise security, more resources need to be put towards education and consistent communication. Informed end-users are more likely to change poor behaviors and, as a result of changing habits, the enterprise will be more secure. At the same time, ITDMs need to ensure that their company’s BYOD policy keeps pace with an ever-changing working landscape.

It may seem like a mammoth task, but it need not be. Start with a health check and establish clear and open communication across all levels of the organization, including the end-users. When onboarding new employees or refreshing training for existing staff, make sure it is delivered from their perspective. Employees and general managers should also help develop guidelines and lead by example.

Taking these basic first steps will go a long way in making BYOD a credible, transparent and, most of all, secure way to work. BYOD is here to stay, so do not deny the divide.
