Connexus : Issue 43
Making BYOD secure

The security risk in allowing employees to use their own computing devices at work can be minimised by having the right policies and guidelines.

BY CYNTHIA KARENA

Employees are rewriting the rules on computers in the workplace by bringing their own smartphones, tablets and laptops to work and connecting them to corporate networks. The trend, known as Bring Your Own Device (BYOD), has many benefits. But it also raises concerns including the potential to compromise the security of corporate information.

"Employees have a lot of devices they are happy with and happy to use at work," says Leanne Vale, financial crimes senior manager at the Customer Owned Banking Association. "If employees can bring their own device, it gives them choice and flexibility in how they do their work.

"BYOD also frees up resources that can be invested in other ways. It costs less for an organisation if employees bring [and support] their own devices."

However, Ian Yip, of security software firm NetIQ, says the practice breaks with the tradition of IT departments being in full control of security. "BYOD forces IT to cede much of the control while attempting to maintain the same level of security," he says.

Nonetheless, BYOD is here to stay because employees are probably bringing their devices to work anyway, says Paul Ducklin, of security firm Sophos. "The downside of letting personal devices onto the corporate network, or allowing them to access and store organisational data, is obvious," he adds. "They are notoriously easy to lose and notoriously badly secured."

Pre-emptive solution

The solution is for organisations to identify and deal with any potential threats before they happen. "Typically, the device will connect to the network and, before access to enterprise systems is granted, any malware or anomalies will be detected and access denied," says Ted Egan, of security firm ThreatMetrix.
"You need to validate the security health of a device so no third party can get through the back door -- through apps, for example."

All employee devices must have good virus protection and only approved apps should be used in the workplace, says Vale. For example, organisations (including IBM) commonly turn off Apple's voice-activated personal assistant Siri because Apple stores all the data.

The flow of sensitive data out of the organisation is the biggest challenge for customer-owned banks, says Yip. "Ensuring that the right people get access to the right information at the right time from the right device is challenging, but it is critical in ensuring that [customer-owned banks] don't end up with the privacy commissioner or regulators on the doorstep, asking questions about data exposures," says Yip. "Understand that BYOD is not about managing devices. It's about managing mobile employees."

Organisations need to have well-thought-out policies and guidelines so employees know, says Vale. "Human resources and IT departments need to get together to set up policies. It's important to print off the policy for employees, who then need to sign it."

Control trade-off

BYOD needs to be a two-way street, with employees agreeing to give up some control over their personal devices in return for getting access to corporate data, says Ducklin. "That might mean you get the right to perform a remote wipe in an emergency. That you require your users to have complex passcodes, even though they find it inconvenient. That you won't let them on the network if they have jailbroken or rooted their device."

In a jailbroken or rooted device, the

Resources

Contact email@example.com for a customisable BYOD policy and webinar template pack covering legislative, people management and IT critical components.