BYOD for the financial services sector - are you ready?

By Jamie Bodley-Scott | 11 June 2014

Bring your own device (BYOD) is sometimes oversimplified. It sets organisations free from technology budgets, the story goes. There was a time when the market for devices such as smartphones was business-driven, but now they're must-have consumer accessories and as such, everyone has one. This has brought about new security challenges, but surely it's no more difficult to manage an iPhone than a corporate-issue BlackBerry or laptop?

The answer is no - it's not that simple. In sectors such as financial services, the risks linked to BYOD are substantial - perhaps enough to bring enterprise-scale organisations to their knees.

There are a multitude of reasons financial services providers need to exercise extreme diligence when handling financial data. They're bound to comply with mandates such as the regulations set out by the US Dodd-Frank Act and the UK Financial Conduct Authority (FCA), oversee thousands of transactions involving sensitive information, and, for obvious reasons, are a top target for cybercriminals.

With these factors in mind, it's critically important for the sector to recognise that BYOD has complex and sometimes hidden implications. Collectively, these call for watertight policies to govern how personal devices are used for work. But do organisations understand the risks? Do they see the problem holistically, or are they taking an unsystematic approach? Or perhaps they think ignoring BYOD will make it go away?

BYOD - facts and fictions 

If the last of those attitudes applies to your business, you're on dangerous ground because BYOD isn't going anywhere. According to recent International Data Corporation figures, 95 per cent of people have used consumer-grade technology for work. Furthermore, Ovum has found 80 per cent of professionals will use at least two personal devices to access corporate networks by 2014.

Gartner, meanwhile, forecasts the impact of BYOD will be so huge that 38 per cent of organisations will stop providing devices to workers at all by 2016.

If you haven't already adopted a BYOD strategy, these forces could be catastrophic for your business. Think your employees might be doing something risky with their devices? They probably already are!

One solution might be to pull the plug - order an outright ban of consumer-grade smartphones and tablets until you've found a way to deal with them properly. Unfortunately, this risks so-called shadow IT setups - scenarios in which employees use technology under the radar because they're unwilling to forgo the benefits of BYOD.

The dangers of uncontrolled devices 

Allowing workers to use personal devices on corporate networks is a fundamentally risky proposition. This is partly because people are prone to losing smartphones and tablets - look to Trend Micro's Culture of Carelessness survey, for instance, which found 27 per cent of UK employees had misplaced as many as three devices used for work.

Furthermore, the modern mobile market is a fragmented one. Will your IT budget stretch to solutions for all platforms? More to the point, do these solutions even exist? Remember, things have changed since the BlackBerry days - sending email and browsing the web are the tip of the iceberg. People use personal cloud storage accounts, such as Dropbox and Google Drive, and take screenshots to read documents later. They routinely download leaky apps to improve workflow, whatever the implications for the enterprise.

Collectively, these factors escalate the risks linked to BYOD. And in the financial services sector, the loss or theft of financial data can be catastrophic. There are regulatory pressures to contend with. In one high-profile incident that actually predates the iPhone, the UK Financial Services Authority - which later became the FCA - fined Nationwide £930,000 for the loss of a laptop containing confidential customer data. Without controls in place, your corporate data assets might find their way onto personal mobile devices under the IT security radar.

More generally, financial services providers are an obvious target for cybercriminals because they process high-value information. A 2012 Ponemon Institute study estimated the average cost of a data breach is $136 per record, even before penalties are taken into consideration.

Regaining control over BYOD 

Given these dangers, putting a watertight BYOD policy in place and rigorously enforcing it is paramount. As previously discussed, however, managing personal mobile devices in the same way organisations might have done with corporate-issue laptops in the past has become an impossibility. Even where the technical challenges are possible to overcome, employee resistance is no less an obstacle. Few workers will report a lost or stolen smartphone if this means their IT department will wipe it remotely, family photos and all.

The only workable solution in the long run is to come up with a platform-agnostic way to deliver financial data in a secure, ring-fenced environment. This means encrypting documents at source before transferring them so they can't be intercepted, as well as preventing unencrypted files from ending up on local storage. This includes blocking user interface features such as copying and pasting and taking screenshots. You might also want to take extra precautions, such as converting documents to read-only formats if required by a BYOD user.

Consider access controls, too - if your employees only protect their devices with PINs or unsafe passwords, use two-factor authentication to compensate.

Finally, like a financial services application, your BYOD solution needs to monitor all network activity so logs can be reproduced in the event of a compliance audit or forensics investigation following a security incident. More importantly, a reporting system will allow you to keep track of any access requests that seem suspicious, as well as trace a data breach back to the source.
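As an added illustration of the monitoring and reporting described above (example code, not from the original article or from Cryptzone), the following Python triages a constructed BYOD document-gateway audit log: it flags access requests without two-factor authentication, access outside office hours, and bulk downloads from one device, and traces every device that touched a given document for a forensics investigation. The log format and thresholds are assumptions for this example.

```python
"""Audit-log triage for a BYOD document gateway (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2014-06-11T08:02:11Z alice dev-a1 mfa=yes action=view doc=Q2-forecast.pdf
2014-06-11T08:05:40Z bob dev-b7 mfa=no action=download doc=client-list.xlsx
2014-06-11T08:05:52Z bob dev-b7 mfa=no action=download doc=kyc-batch-17.pdf
2014-06-11T08:06:03Z bob dev-b7 mfa=no action=download doc=trade-blotter.csv
2014-06-11T08:06:15Z bob dev-b7 mfa=no action=download doc=loan-book.xlsx
2014-06-11T08:06:30Z bob dev-b7 mfa=no action=download doc=swift-msgs.txt
2014-06-11T08:06:41Z bob dev-b7 mfa=no action=download doc=ledger.csv
2014-06-11T09:15:00Z carol dev-c3 mfa=yes action=screenshot_blocked doc=Q2-forecast.pdf
2014-06-11T23:40:12Z dave dev-d9 mfa=yes action=view doc=client-list.xlsx
"""

def parse_line(line):
    """Split one log line into a dict: timestamp, user, device, then key=value fields."""
    ts, user, device, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "device": device, **fields}

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def flag_suspicious(events, window=timedelta(minutes=5), max_downloads=5, office=(7, 20)):
    """Return (event, reason) pairs for access requests that merit a second look."""
    flags = []
    recent = defaultdict(list)  # device id -> timestamps of downloads inside the window
    for ev in events:
        if ev["mfa"] == "no":  # PIN-only device with no second factor to compensate
            flags.append((ev, "access without two-factor authentication"))
        if not office[0] <= ev["ts"].hour < office[1]:
            flags.append((ev, "access outside office hours"))
        if ev["action"] == "download":
            kept = [t for t in recent[ev["device"]] if ev["ts"] - t <= window]
            kept.append(ev["ts"])
            recent[ev["device"]] = kept
            if len(kept) > max_downloads:
                flags.append((ev, "bulk download from one device"))
    return flags

def trace_document(events, doc):
    """Forensics helper: every (user, device, action) that touched a document, in order."""
    return [(e["user"], e["device"], e["action"]) for e in events if e["doc"] == doc]
```

The same functions can be pointed at a real gateway's export once `parse_line` is adapted to its field layout.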

By Jamie Bodley-Scott, Global Product Manager at Cryptzone
