Firstly, there is the question about whether companies can guarantee their employees will keep their own devices fully secure, for example with a complex password that is regularly changed. Also, can organisations really be sure that their workers are taking advantage of all the security functions available to them, such as biometrics? It seems unlikely given that employees are regularly named as the weakest link in corporate cybersecurity enforcement, therefore allowing them to bring devices into the workplace that might be insecure could pose a huge issue.
A study undertaken by Callsign found that people prefer traditional passwords at work, and that employees are more reluctant to accept more innovative methods of identification (like biometrics) over a presumed ease of access. What this evidence highlights is the necessity for organisations to be strict on password and security policies associated with BYOD. Given that BYODs aren’t owned by the company, any procedures that are introduced must clearly state what applications are being managed and secured, and which aren’t, so that employees know what they are agreeing to.
Then there is the problem of security software on these devices – or lack of it. While it is commonplace to have cybersecurity software installed on a personal desktop computer or laptop, this level of security is not necessarily transferred to individuals’ mobile phones or tablets in the same way. Worryingly, the Office for National Statistics recently found that 50% of respondents didn’t have, or know, if they had security software installed on their personal device, so companies need to be aware that their staff could be opening their business up to being hacked via a personal device.
Another issue is that it is inevitable that people who bring their own devices into work will eventually change jobs and companies – so how can enterprises ensure that data confidentiality and integrity are maintained and not compromised by employees leaving or changing their jobs?
Finally, nobody is immune from having their personal devices lost or stolen and it could be said that these devices are more prone to loss as we take them everywhere, so there is that added danger too. If a criminal were to get their hands on a device that held confidential corporate information, there is no way of knowing whether a criminal will be able to access it for their own benefit. Consequently, organisations are exposing themselves up to significant risk, meaning identity provisioning (the process of coordinating the creation of user accounts, e-mail authorisations in the form of rules and roles) has to be managed wisely. The same should be applied when a member of staff downloads the latest software for their device or buys a new one. Of course, keeping tabs on all of these updates and changes is extremely difficult to track and will not get any easier, so there needs to be a more manageable solution in place for security teams.
Provisioning (the process of coordinating the creation of user accounts, e-mail authorisations in the form of rules and roles) could be the key to solving the problem by granting access via passwords and security on a device by device basis. However, this is a long and costly activity that is difficult to scale for a large organisation and is also susceptible to human error.
This is where Identity as Service (IDaaS) can massively help, the reason being you are provisioning the identity of a person, rather than the device. IDaaS also helps maintain the holistic view of the individual and device security profile. Any changes such as an employee leaving, changing their role or changing their device can be easily traced, tracked and updated. Implementing IDaaS also prevents against the theft of a device, as the criminal will not be able to access confidential company information without having to go through a thorough identification process. Another benefit is that IDaaS empowers employees to be able to choose their authentication method, so they can select a method they have the capability to use, can easily access, and have the preference for, so they have the maximum amount of control, choice and consent.
We have come on leaps and bounds in terms of biometric authentication technology in the past few years which has helped accelerate IDaaS. By incorporating both hard (facial recognition, fingerprints, iris scanning) and soft (behavioural characteristics e.g. how people type, move their mouse or hold their smart phone) biometrics, which are personal and unique to each individual, and combining them with advance machine learning, it is possible to identify an individual more accurately than ever before. Only by implementing IDaaS can organisations truly learn their employees’ profiles in order to guarantee the security of their information and networks.
By using this technology, organisations can have a more complete picture in terms of each individual and device security profile. It makes it far easier to track, monitor and update any changes such as a member of staff leaving the company, moving offices or simply moving departments. What this means is there is less pressure on security teams to constantly be resetting passwords etc. dramatically reducing the demand for IT resources, which tend to be scarce at the best of times.
Another benefit is that and identity-based approach also helps halt the BOTs in their tracks. The software is able to determine bot traffic, so that security teams can put the necessary measures in place to help protect against those devices that might not be the most secure.
In order to defend a business against the wider dangers of BYOD, an identity-based approach is the most appropriate and efficient system. We shouldn’t have to restrict individuals who want to use their own devices in the workplace if it means it can improve their efficiency and quality of life. As a result, we will soon see IDaaS become more ubiquitous as enterprises strive to keep their data confidentially and compliant.