“As more employees seek to use their own devices in the workplace, Darragh Richardson of Agile Networks has some advice for employers on reducing the risk to IT network security from ‘bring your own device’”
Author: Darragh Richardson, managing director, Agile Networks Ltd
‘Bring your own device’ (BYOD) has grown steadily from IT marketing hype to reality as more and more employees turn up to work demanding IT access with their own devices, such as smartphones, iPads and laptops. Clearly, there are some obvious benefits in potentially saving costs (not having to buy them expensive phones and tablets) and increasing employee satisfaction. But what is the impact on the IT department, as this creates a whole new world of things to worry about?
The main concerns are twofold – firstly, ensuring that you know who is on your network and, secondly, ensuring that the devices your employees bring are clear of the myriad viruses that are out there. Issues that may arise if this is not done correctly include obvious security risks around viruses, malware and breaches to data.
On the other hand, if you design a system that locks out mobile users, they will at best feel frustrated and at worst try to find a way around it, which could prove even more damaging.
So, how do engineers responsible for the network ensure employees aren’t bringing potential security risks into the IT network? These six steps allow BYOD to deliver on its promise without wasting a lot of valuable engineering resource on fixing problems, policing users or exposing the wider IT network to security threats:
1. Specify what devices are permitted
Be clear about the difference between BYOD and COD (corporate-owned devices) and restrict access accordingly. Employees are less likely to download random apps from less trusted marketplaces on CODs. Additionally, IT can install security software on CODs and gain tighter control compared to employee-owned devices.
It is important to decide exactly what you mean when you say ‘bring your own device’. Should you really be saying, bring your own iPhone but not your own Android phone? Make it clear to employees who are interested in BYOD which devices you will support and which you will not.
2. Establish agreed security principles for all devices
Employees do not like having passwords or lock screens on their personal devices. They see them as a hurdle to accessing content on their device. However, this is not a valid complaint – there is simply too much sensitive information available to smartphones on your IT network to allow unfettered swipe-and-go operation of these phones.
For example, insist on all devices having an approved mobile antivirus solution to provide a first line of defence, and network access control (NAC) to increase security by dynamically changing network access rights, therefore limiting the reach and potential impact of an infected device on the network.
3. Define a clear identity policy for all BYOD devices
To protect data moving across wi-fi and cellular networks, you need to combine two elements: ensuring devices are on a virtual private network (VPN) and that there is some form of identity-based authentication. In other words, at a minimum you should ensure users have to enter some form of password or electronic token to access information.
Consider SSL VPN solutions that include built-in device integrity checking, single sign-on and application support, and client as well as client-less implementation. VPNs can also be used to safely backhaul traffic through network web proxy or filtering solutions that are able to block IP addresses related to command-and-control botnet sites.
4. Mitigate the risk of malicious apps
Beyond concerns regarding who controls the device, there is a growing awareness that mobile applications sometimes have excessive data access and are a threat as a back door for network breaches and compromising data confidentiality. Rather than relying on standard device-level VPNs, consider application-level VPNs as a way to cordon off traffic coming from non-business critical mobile applications onto the corporate network.
5. Decide what apps will be allowed or banned
The question here is whether users can download, install and use an application that presents security or legal risk on devices that have free access to sensitive corporate resources. What if the latest Twitter app has a security hole in its integration with the Mail app on the iPhone that allows spammers to access relay mail through your organisation? (This is purely hypothetical, of course.) What if a poorly written instant-messaging client steals your organisation’s address book?
Major considerations typically include applications for social media browsing, replacement email applications and VPNs or other remote-access software. You should implement solutions that help control what is downloaded on devices connecting to the company network. This may require solutions that support application blacklisting, and application whitelisting for highly sensitive environments, to disallow or restrict any device with unapproved mobile applications.
6. Set up an employee exit strategy
Do not forget about what will happen when employees leave the company. How do you enforce the removal of access tokens, e-mail access, data and other proprietary applications and information? You should have a clear methodology for backing up the user’s personal photos and personally-purchased applications prior to an exit wipe.
Proactively reach out to help staff take part in this process, while making it clear that you reserve the right to issue a wipe command if the employee has not made alternative arrangements with you prior to his or her exit time.
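The checks in steps 1, 2, 3, 5 and 6 can be expressed as a single access decision of the kind a NAC system makes each time a device connects. The following sketch is an added example, not part of the original article or any vendor's product; the tier names, the permitted-platform list and the banned app identifiers are hypothetical placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical policy values; a real deployment supplies its own lists.
PERMITTED_PLATFORMS = {"ios", "android", "windows"}
BANNED_APPS = {"example.unapproved.vpn", "example.unapproved.mail"}


@dataclass
class Device:
    owner: str                  # "COD" (corporate-owned) or "BYOD"
    platform: str               # step 1: is this device type supported?
    lock_screen: bool           # step 2: passcode / lock screen set
    antivirus_ok: bool          # step 2: approved mobile antivirus present
    on_vpn: bool                # step 3: traffic arrives over the VPN
    user_authenticated: bool    # step 3: password or token presented
    user_active: bool = True    # step 6: False once the employee has left
    apps: set = field(default_factory=set)  # step 5: installed apps


def access_decision(d: Device):
    """Return (tier, reasons); tier is deny, quarantine, restricted or full."""
    # Hard failures: no network access at all.
    if not d.user_active:
        return "deny", ["account deprovisioned"]
    if d.platform not in PERMITTED_PLATFORMS:
        return "deny", ["platform not supported"]
    if not (d.on_vpn and d.user_authenticated):
        return "deny", ["VPN and identity-based authentication required"]

    # Posture failures: limit the device to a remediation segment.
    reasons = []
    if not d.lock_screen:
        reasons.append("no lock screen")
    if not d.antivirus_ok:
        reasons.append("approved antivirus missing")
    banned = sorted(d.apps & BANNED_APPS)
    if banned:
        reasons.append("banned apps: " + ", ".join(banned))
    if reasons:
        return "quarantine", reasons

    # Compliant: corporate-owned devices get wider reach than personal ones.
    if d.owner == "COD":
        return "full", []
    return "restricted", ["employee-owned device"]
```

Re-running the decision whenever posture changes is what lets access rights shrink dynamically, so a device that loses its antivirus or gains a banned app drops to the quarantine tier instead of keeping its earlier reach.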
In summary, BYOD has the potential to increase productivity, increase employee satisfaction and reduce costs. But to achieve this you need a clear set of rules so that everybody knows what is expected and what isn’t allowed. If your company does not have the in-house expertise, seek help from a third party – and most of all, make sure that the broader business is aware of the impact this will have across the entire corporate network.
Agile Networks designs, builds and supports complex IT networks and is headquartered in Blanchardstown, D15. It was set up in November 2011 after senior members of the management team successfully staged a management buy-out of Telindus’ Irish operations and has since grown its revenues by over 500%, winning several high-profile contracts with companies such as Digiweb, Three, Magnet, HEAnet and the RDS. The company supports 50 customers across more than 500 sites with almost one million people using networks supported by Agile Networks. It was voted ‘Best Start Up of the Year’ at the 2013 ICT Excellence Awards and was recently one of 14 National Champions chosen to represent Ireland at the European Business Awards.
Agile Networks has been named as one of the 100 companies from across Europe as finalists in the 2013/2014 European Business Awards. The competition recognises and promotes excellence, best practice and innovation in the European business community. Four Irish companies have been selected from 375 National Champions in 31 European countries for the Ruban d’Honneur, which qualifies them for the third and final round of the competition. Agile Networks was selected as one of ten European finalists in the ‘Award for Customer Focus’. The overall category winners will be announced at a gala event on May 27 in Athens.