Devices Over Data | Why the Focus on BYOD Security May Be Misplaced
Most businesses have developed an intense focus on issues related to security. This shouldn’t come as a surprise considering the stories that have hit the headlines revealing large security breaches at major corporations like Sony, Target and Home Depot. At the same time, many organizations have made great strides in adopting bring your own device (BYOD) policies, allowing employees greater freedom in using their own devices while at work. These two trends, while seemingly unrelated, are actually closely intertwined. One of the biggest worries about BYOD deals with the security risks of bring your own device. The response has been fairly uniform for many businesses: place the focus of BYOD security on protecting each device. While the intent is certainly admirable, that focus might be a strategic error, one that organizations will need to correct if they want to improve their security efforts.
Most BYOD security concerns are centered on the devices that employees use. This is a straightforward approach that seems to make the most sense on the surface, but working to secure devices may end up causing some unintended problems. One potential issue deals with the IT department. By focusing on the device, an added responsibility is placed on IT workers, and IT departments already have a lot on their plate. More demand on IT will simply force them to stretch even further. Add to that the unpleasant task of closely monitoring each device and using mobile device management (MDM) to restrict certain actions taken on each smartphone or tablet, and the relationship between employees and the IT department might end up becoming strained.
Employee behaviors may also frustrate BYOD security efforts. Businesses can talk all they want about using each device responsibly, but workers can make mistakes and perform actions that undermine security. For example, if an employee connects to an unsecured wireless network, he or she places not only the device at risk for infiltration but the network that device connects to as well, which could lead to other devices becoming infected. Employees may also unwittingly download apps that have malicious code or lose a device, causing valuable data to leak or get stolen. A focus on device security also leaves a lot of security responsibility in the hands of the employee. Features like password protection or keylocks, while simple and easy to use, may go completely ignored, leaving the device vulnerable. For all the work the company may put into securing each device, mismanagement on the part of the employee may render all of that effort futile.
So if a focus on device security is fraught with challenges and potential problems, what is the better solution for BYOD security? Some security experts say a company’s focus should actually be less on the device and more on the data. While the difference between the two might sound minimal, this shift in focus represents a big change in security strategy. With more emphasis on securing data, IT departments would have to worry much less about each individual device. That can have several useful implications, including avoiding the complicated process of data segregation. Data security also means deploying measures that work with every device. No longer would IT workers have to struggle making sure a large variety of devices have effective security measures. Instead, the data itself becomes encrypted and protected, working with every device no matter the model.
Data security can also avoid the problems that arise when extremely restricting policies are enacted in the name of BYOD security. One report from Gartner shows that one out of every five BYOD policies will fail by 2016. The reason? Policies and guidelines that are deemed to be too restrictive by the employees. Workers enjoy the extra freedom that comes with BYOD, so any attempt to rein in that freedom is usually accompanied by dissatisfaction. Focusing on data security eliminates that effect, making it much easier to protect a company’s valuable data without sacrificing the employees’ freedom to use their devices in the way they want to.
There is no simple solution for making BYOD policies more secure, but it has become clear to many security experts that an emphasis on protecting devices may not be the best way to do it. Data is the thing businesses want to protect, having a managed network will help them achieve that goal while avoiding unpleasant consequences. BYOD still has plenty to offer companies in terms of benefits, so once the issue of security is fully resolved, businesses will be able to enjoy those advantages without the grim thought of security risks constantly hovering over their heads.