The folks over at the IBM midmarket team have put together a good slideshow with six tips for better BYOD. First, let's look at the list, and then we can dive in and add some more:
1. Mobile Device Management (MDM) - For organizations of any size, this really should be a no-brainer at this point. There are many choices here, from free on up. The important thing to remember, though, is that an MDM exists to enforce your corporate policies. If you don't have any policies in place, there isn't anything to enforce. Therefore, I would say that even before putting an MDM in place, you need to formulate your corporate policies. Many MDM solutions ship with some default policies, but those are a starting point, not a substitute for your own. Which apps are and are not allowed, whether data at rest must be encrypted, what the minimum OS version is, whether a passcode is required, and where a device can go on the corporate LAN are all part of the mix. Another thing to note is that this is often where the biggest resistance from employees is met. No one likes to cede control over their own device to the corporate big brother, so be clear about what the MDM can see and do on a personal device and what it cannot.
2. Rethink your perimeter strategy - Perimeter? Did you say perimeter? What perimeter? The folks at IBM talk about making sure your security strategy encompasses the different kinds of devices, users and data being accessed and used. I think today's perimeter is so porous that all you can hope for is a hardened interior where you keep the crown jewels. Beyond that, I am a believer in micro-perimeters: small, separately controlled zones around specific applications and data, with access decided by who the user is and what shape the device is in, rather than by which network cable it is plugged into. With so many of our users working outside the traditional workplace these days, that is the only model that holds up. The cloud redefines the parameters of the perimeter as well, since much of the data you care about no longer sits on a network you own.
3. Classify, Classify, Classify - I am in total agreement with the Big Blue team here. It is imperative that you classify not only the kinds of data you have on the network, but also the groups of users accessing that data. You need to classify the kinds of devices they are using on the network as well. The one thing I would add is that after classifying, you prioritize: the combination of sensitive data, a broad user population and unmanaged devices is where the effort should go first, because that is where a lost phone or a bad app hurts the most.
4. Make security relatable and understandable - I call this one "why do I need to know algebra and geometry?" I hear this kind of thing from my kids all the time. They don't understand why they need to learn things they think they will never use in their lives. Unfortunately, security is the same way. Too many non-technical folks (and, let's face it, too many technical folks as well) just can't connect the dots between why we have security policies and what the potential harm is. I believe less is more when it comes to security policies. Better to pick your battles, with clear objectives and policies that are sensible and that people can actually follow, than to publish a long document nobody reads. People need to understand that what they do with the device in their hand has a direct result at the other end: the app they install, the network they join and the link they tap all translate into exposure for the company's data.
5. Undertake a functional exercise - War games, if you will. Play out the scenarios for what you actually have: what would happen if a sales manager's tablet with customer data went missing, or if an employee's phone turned up with a rogue app on it? Walk through who gets notified, who has the authority to act and what each step takes. Have plans in place for the likely scenarios. You can't plan for everything, but the more you can plan for, the better off you are, and the exercise will show you where the plan and the tooling don't match.
6. Be prepared for devices that will inevitably get lost - This is part of the planning for likely scenarios. Mobile devices getting lost is a part of our lives. There should be a clear-cut process for what to do when, not if, a device is lost: shut down access from that device, wipe it of any corporate data, and so on. One practical caveat: a remote wipe only works once the device checks in, and a device that has been switched off or had its SIM pulled may never do so. So the first step should always be one you control entirely on your side, such as revoking the device's sessions, tokens and VPN or Wi-Fi access, with the wipe command queued behind it rather than relied on by itself.
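To make the first and sixth tips concrete, here is an added example of what "an MDM enforces policy" and "shut down access when a device is lost" look like as logic. It is not code from the original post, from IBM or from any MDM product; the device fields, policy values and network segments are constructed, and the action list in report_lost is the ordered response described above, not a vendor API. The point it makes is that every rule the evaluator applies is a line in the written policy, so an empty policy leaves nothing to enforce.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass
class DevicePosture:
    """Posture as an MDM agent might report it (constructed fields)."""
    device_id: str
    user: str
    os_version: Tuple[int, int]
    storage_encrypted: bool
    passcode_set: bool
    jailbroken: bool
    installed_apps: List[str]
    reported_lost: bool = False


@dataclass(frozen=True)
class Policy:
    """The written corporate policy. The evaluator enforces only what is here."""
    min_os_version: Tuple[int, int]
    require_encryption: bool
    require_passcode: bool
    block_jailbroken: bool
    blocked_apps: FrozenSet[str]
    corporate_segments: FrozenSet[str]   # LAN segments a compliant device may reach
    quarantine_segment: str              # where every other device lands


def evaluate(device: DevicePosture, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). A lost device is never compliant."""
    reasons: List[str] = []
    if device.reported_lost:
        reasons.append("device reported lost")
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("jailbroken or rooted")
    if device.os_version < policy.min_os_version:
        reasons.append("OS %d.%d below minimum %d.%d"
                       % (device.os_version + policy.min_os_version))
    if policy.require_encryption and not device.storage_encrypted:
        reasons.append("storage not encrypted")
    if policy.require_passcode and not device.passcode_set:
        reasons.append("no passcode set")
    blocked = sorted(set(device.installed_apps) & policy.blocked_apps)
    if blocked:
        reasons.append("blocked apps installed: " + ", ".join(blocked))
    return (not reasons, reasons)


def network_access(device: DevicePosture, policy: Policy) -> FrozenSet[str]:
    """Micro-perimeter decision: compliant devices reach the corporate segments,
    everything else is confined to the quarantine segment."""
    compliant, _ = evaluate(device, policy)
    return policy.corporate_segments if compliant else frozenset({policy.quarantine_segment})


def report_lost(device: DevicePosture) -> List[str]:
    """Ordered lost-device response. Server-side revocation comes first because
    it does not depend on the device ever checking in; the wipe is queued last."""
    device.reported_lost = True
    return [
        "revoke sessions and tokens for %s on %s" % (device.user, device.device_id),
        "block %s at VPN and Wi-Fi (NAC/RADIUS)" % device.device_id,
        "rotate any credentials cached on %s" % device.device_id,
        "queue selective wipe of managed data on %s" % device.device_id,
        "open an incident record for %s" % device.device_id,
    ]


# Constructed sample policy and devices.
POLICY = Policy(
    min_os_version=(17, 0),
    require_encryption=True,
    require_passcode=True,
    block_jailbroken=True,
    blocked_apps=frozenset({"com.example.filesharer"}),
    corporate_segments=frozenset({"10.10.0.0/16", "10.20.0.0/16"}),
    quarantine_segment="192.168.250.0/24",
)

# A policy with nothing in it: the MDM has nothing to enforce except a lost report.
EMPTY_POLICY = Policy((0, 0), False, False, False, frozenset(),
                      POLICY.corporate_segments, POLICY.quarantine_segment)

GOOD_DEVICE = DevicePosture("dev-001", "alice", (17, 4), True, True, False,
                            ["com.example.mail"])
BAD_DEVICE = DevicePosture("dev-002", "bob", (16, 7), False, True, True,
                           ["com.example.filesharer", "com.example.mail"])


if __name__ == "__main__":
    for dev in (GOOD_DEVICE, BAD_DEVICE):
        ok, why = evaluate(dev, POLICY)
        print(dev.device_id, "compliant" if ok else "non-compliant", why,
              sorted(network_access(dev, POLICY)))
    print(evaluate(BAD_DEVICE, EMPTY_POLICY))   # empty policy lets it through
    for step in report_lost(GOOD_DEVICE):
        print("-", step)
    print(evaluate(GOOD_DEVICE, POLICY))
```

Run it as-is and you can see the same non-compliant device pass under EMPTY_POLICY, which is the "no policy, nothing to enforce" point in code; and once report_lost has run, the formerly compliant device is confined to quarantine regardless of its posture.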
BYOD is here to stay. You can try to ignore it, or you can be proactive. IBM has some good advice here that can help you get your head around BYOD. Whether you take it or use your own strategy, the important thing is to do something.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group's security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.