BYOD is here to stay, so balance the risk and reward  

By Paul Trulove, VP, SailPoint.


Embrace BYOD or get left behind. That’s the reality that most companies now face as the ability to bring-your-own-device (BYOD) becomes an expectation from employees. With each launch of a new device, such as the systematic introduction of new iPhone models, today’s workers become more and more interested in using a device of their own choosing. At the same time, companies are starting to embrace BYOD more than ever before. Some are even going so far as to mandate a BYOD policy, simply paying employees a flat reimbursement to save on telecommunications costs.

From a business perspective, there are many benefits to giving employees access to systems and data from their mobile devices, including the increase in productivity from employees. However, these organisations cannot afford to trade the benefits of mobility for unintentional – and costly – consequences such as fraud, misuse of data, privacy breaches, and of course negative audit findings. Along with this increased business productivity, ‘anytime, anywhere’ access exposes a whole new area of IT challenges. Not only are IT organisations now tasked with managing access to cloud-based apps that don't reside in an organisation’s firewall, but they also have to consider the proliferation of consumer devices, which lack any standardisation across devices and platforms.

Adding to the complexity is the pressure on IT to manage the thousands of devices that need access to data and corporate applications such as email, coupled with the ability to de-provision both the devices and the accompanying access when necessary. In fact, the risk of poorly secured mobile devices containing sensitive corporate information is one of the most critical concerns that keep IT departments up at night. IT departments are right to be worried. Our Market Pulse Survey found that 41 per cent of companies that allow BYOD do not have IT controls in place over those devices. To put it in a different perspective, four out of every 10 employees are accessing potentially mission-critical data with no oversight from the organisation.

While IT departments are battling to stay ahead of the game to ensure they are supporting business users, they are simultaneously being asked to manage the IT risks associated with these evolving technologies. It’s no easy task. In order to more effectively manage the risks associated with BYOD, IT needs better visibility into and control over the access privileges granted to workers. The use of mobile devices to access both on-premises and cloud applications makes these controls more difficult than ever.


In a world where employees are now regularly accessing applications that reside outside the firewall and from devices also outside the firewall, an entirely new way of thinking is needed. It’s no longer enough to simply revoke network access privileges. Organisations must ensure that all access is removed, including individual accounts on on-premises and SaaS applications.


The first step in that is to take a governance-based approach to identity and access management (IAM). Strong identity governance focuses on user access, regardless of where the application resides (data centre or in the cloud) and from where and what device a user is connecting. By leveraging a governance-based approach to IAM, enterprises can ensure that only authorised users have access to sensitive applications and data, and they can be ready and able to remove all access privileges promptly upon worker termination or job change.


It is also important to selectively apply governance controls based on application risk and security significance. Not all applications require this level of governance, so enterprises need to strike a balance between giving workers the agility and convenience they want and giving IT the visibility and control that is essential to managing risk. As an example, mission-critical applications, such as finance, human resources, or applications with confidential data, require a higher degree of control and governance. This is again where IAM can help IT implement the right preventive and detective controls, such as approval workflow, access certifications and policy checking, to ensure that audit controls and security guidelines are being followed, regardless of whether the applications are being accessed from a laptop or a mobile device.


Many companies have also turned to mobile device management (MDM) solutions to help manage the onslaught of mobile devices. These solutions enable the remote management of mobile devices, performing tasks such as encrypting data on devices, controlling application downloads, ensuring devices are free of malware, and selectively wiping content on devices when needed. Integrating MDM and IAM allows organisations to extend IAM policies and controls to personal mobile devices, ensuring they are managed according to corporate and regulatory standards. By linking MDM capabilities with corporate IAM policies and processes for authentication, user onboarding and offboarding, policy enforcement, and compliance and audit reporting, the integrated solution gives security teams the centralised visibility and control they need to better protect corporate assets – no matter where or how the access occurs.

The bottom line: BYOD is an unstoppable force, with more employees bringing their personal mobile devices into the workforce and demanding fast, easy access to new technologies and applications. Businesses cannot afford to trade the benefits of mobility for unintentional, costly consequences such as fraud, misuse of data, privacy breaches, and of course negative audit findings. The good news is that with the right governance-based IAM solution in place, companies can control user access across the enterprise, regardless of where or how an application or system is accessed, to safeguard the organisation.
