Progress Distribution’s security practice provides independent advice and project support for mobile and bring-your-own-device (BYOD) strategies.
Our methodology incorporates frameworks such as ISO/IEC 27001:5, Information Security Forum Standard of Good Practice for Information Security, COBIT, HMG Security Policy and assessment frameworks to embed good security practices in the organisational technology, processes, culture and appropriate governance structures.
Our view is that productivity and accessibility are the main benefits of introducing mobile and consumer devices, so burying them under too many layers of security is likely to be counter-productive. The best solution is one that provides adequate control and a reduction in risk without impacting usability.
Five key service areas where we can help
1. Drive requirements from business objectives
A clear definition of the business objectives you are looking to achieve will allow you to put the cost and effort of security into context, and will help you decide whether you are willing to accept some risk to realise the benefits.
2. Understand use cases and the value of data within each case
What applications need to be available and therefore what data will they have access to? And what’s the value of that data? Think about the following aspects:
- Regulatory: for example, your internal address book or client contacts are commonly stored on consumer devices and covered by the Data Protection Act.
- Reputational: as any government minister will tell you, there are some emails and documents you don’t want going public.
- IPR: legal or commercially sensitive documents could be valuable to a competitor.
- Access: information allowing an attacker to gain further access to your data (passwords, conference call numbers and access codes), and information on your systems and security.
3. Create a service model aligned with your risk profile
From the risk profile determined in the use case analysis discussed above, define your service model. You may require a layered model with different levels of security to account for the different risk profiles and data types. For example, multi-factor authentication may only be required for certain types of data.
Your solutions need to address every place where data needs protecting. In transit to the device? In use by the applications themselves? Stored on the device? Even cloud-based apps may cache data locally on the device; what’s in the cache, does it need protecting, and how?
4. User education
Security awareness training is as critical as defining policies and implementing tools. Building a user community who are aware of the risks, who understand how they are likely to be compromised, and who have been educated in best practice is a vital building block to a successful strategy.
5. Bake BYOD into your system design life cycle
Finally, it’s more effective to build in security as systems are being designed, so update your system design life cycle to incorporate consumer devices and their security.