Capitalize On The Growing BYOD Security Threat
By Jay McCall
Alleviate your customers’ struggles to fit personal mobile devices into their IT environments, and earn incremental recurring revenue streams in the process.
In last month’s issue of Business Solutions magazine, we looked at how managed services providers can make money by adding MDM (mobile device management) solutions to their RMM (remote monitoring and management) platforms. As the remote workforce trend continues, mobile computing devices are being used as a replacement for — or in addition to — traditional workstations, requiring a new approach to security and IT management.
This month, we’ll focus on a trend that’s closely related to and has many intersecting points with MDM — BYOD. The bring-your-own-device trend refers specifically to your customers’ employees using their own personal smartphones, laptops, and tablets to perform some or all of their job duties. In some cases, BYOD can be as simple and basic as accessing company email on a personal device. In other cases, BYOD entails giving employees full access to their company’s networks and enabling them to use multiple corporate applications such as CRM, collaboration, VoIP (voice over Internet Protocol), and video conferencing.
With BYOD Comes Shadow IT
What makes BYOD particularly tricky is the fact that many implementations occur without the business owner’s or IT department’s knowledge, a practice known as shadow IT. To get a sense of how prevalent this problem is, consider the following research from Skyhigh Networks, which found that the average enterprise uses 545 cloud services, which is approximately 500 more than the average CIO is aware of. Now, this particular study looked at enterprises with 500 employees and more, so on the one hand you’d expect bigger numbers. But, on the other hand, the fact that these organizations have IT staffs that are charged with monitoring and protecting their companies’ networks, and that overwhelmingly it’s not happening, is a bit alarming.
So, what’s the big deal? “The BYOD trend is creating major security issues for small businesses,” says Darrin Swan, director, global sales and business development, service provider channel & alliances, Dell. “Forty-six percent of companies permitting BYOD reported a data/security breach due to an employee-owned device accessing the network [Source: Mobile Consumerization Trends & Perceptions, IT Executive and CEO Survey, Decisive Analytics, LLC, August 2012]. SMBs’ major challenge is in securing the personal device that their employees utilize for business use. Forty-one percent of employees use their personal devices for work without permission [Source: Novell Mobile Life Tour 2013], and 66 percent of employees use free file-sharing platforms vulnerable to cyberattacks [Source: Novell Mobile Life Tour 2013].”
Clearly, one of the primary areas of concern with BYOD is whether the corporate data saved on personal devices is secure. Personal mobile devices (especially Android devices) may include apps that make the devices conduits for malware and viruses. “Compounding the problem is the fact that many small businesses use the same equipment in their office as they do in their homes, simply because of their familiarity with consumer equipment and its lower cost than a business-grade device,” says Luke Walling, vice president of sales and operations at AVG. “The mere fact that they are not using commercial-grade hardware for work is arguably a serious security risk in its own right.”
Take A Consultative Approach To Resolving Your Customers’ BYOD Issues
When you consider how much BYOD has grown over the past couple of years and all of its potential productivity and security downsides, it helps to put this tremendous opportunity for VARs and MSPs (managed services providers) into its proper perspective. SMBs, however, are largely unaware of all the threats BYOD brings, so it’s important to be prepared to educate them before proposing a solution. “The big opportunity for VARs/MSPs is working with their customers to understand their security and compliance requirements,” says Swan. “These are important prerequisites to selling a BYOD solution.”
To fully understand a customer’s BYOD needs, Swan suggests taking a consultative approach and including the following questions in your business discussions:
- Are you considering allowing the use of employees’ personal devices in the workplace?
- As the owner/administrator, are you concerned about securing access to your VPN from personal devices?
- Do you currently have a corporate BYOD policy?
- How are you securing access to the applications your employees are using to access your corporate data?
- Are you isolating applications that access your VPN?
- Do you use VDI (virtual desktop infrastructure) applications or a containerized application?
- How are you minimizing corporate liability associated with personal devices in the workplace?
- How are you ensuring your BYOD policies, including the protection of your employees’ rights, are enforced?
Keep Industry Compliance Concerns Top Of Mind
Additionally, VARs/MSPs need to understand how to deal with compliance issues when enabling BYOD programs — not only compliance with the customer’s company policies — but adherence to industry rules or regulations related to personal data being modified or deleted on employees’ personal devices. “The churn rate on mobile devices is much faster than that of traditional computing devices, and so companies need to be able to have these devices provisioned and correctly configured in a seamless and efficient manner,” says Alistair Forbes, general manager at GFI MAX. “This churn means that keeping track of the devices in use, which services employees are accessing, and which applications they are running is a difficult challenge. That’s why it’s so imperative for IT service providers to help their clients establish clear usage and security policies that allow employees to know exactly which actions, and under what circumstances the company or service provider may take actions, that affect employees’ personal devices — including wiping the devices clean if the devices are lost or stolen.”
AVG’s Walling concurs and adds, “Gartner’s research shows that by 2017 half of employers will adopt mandatory BYOD policies that spell out how employers will manage their employees’ devices, including access to the network and addressing what happens if an employee leaves or the device is stolen.”
Once the initial policy is put into effect, Walling suggests treating BYOD devices very similarly to corporate-owned computers. “Best practices include conducting a device health check before permitting any type of access to the network,” he says. “The health check should include all of the basics from patching to malware checkups, which can all be automated through the use of many of the industry’s leading RMM platforms.”
Another key ingredient needed for a successful BYOD security program is credentials management. “A platform for managing credentials and access to key resources inside the organization is imperative,” says Walling. “For example, if an employee leaves or a device is lost, you have to be prepared for the worst, and revoking access to multiple cloud services must happen seamlessly and quickly. Cloud storage is great, but it isn’t going to help solve the theft problem if you can’t control access to it.”
The risks associated with BYOD are real, but taking a consultative approach to the problem and using business-class security solutions make the problem manageable. There’s overwhelming evidence showing that BYOD is making its way into nearly every company, whether your customers are aware of that fact or not. Why not help them see the reality of the situation and show them how — for a modest fee — you can help save them from a BYOD disaster down the road?