BYOD: a simple guide for small businesses

Advice Davey Winder Nov 5, 2012

It's now usual to let workers bring their own device to work - despite CIOs' concerns. This guide looks at ways of mitigating the risk

There are plenty of advantages that BYOD can bring to your business, with cost savings and flexible working being perhaps the most notable, but the big downside is all too often introducing insecurity into the workplace. 

When Osterman Research surveyed more than 100 SMB IT security providers earlier this year on behalf of Trend Micro, it confirmed that the Bring Your Own Device (BYOD) trend of employees using their own smartphones, tablets and laptops at work is on the up amongst SMBs. Android device usage gained the largest year on year increase, up 7.1 percent, but iPhone and iPad usage is also increasing.

Trend Micro noted at the time that the typical SMB employee uses a whole raft of BYOD endpoint devices, and these need to be properly secured if the business is to be protected from exposure to malware and other threats. Which begs the question, just how does the average SMB go about translating security concern into real world policy in the face of this BYOD flood?

Say what?
Although you might think that's it's not feasible to restrict your employees to only using a particular flavour of the Android OS on a specific hardware platform, and such an extreme is unlikely to be workable, that's not actually the case.

What you can do is recommend devices which you are able to support from the data security perspective, such as iPhones and iPads running iOS version 'x' or later and hardware running Android version whatever. If you say what you can support, by implication it means you can also state that anything else is not supported and therefore must not be used to access or store corporate data.

It's all but impossible to police such a policy and prevent such apps from being installed and used

The same 'say what' approach is much harder to extend to software and services if employees want to use their own devices. Some SMBs will attempt to go down the policy road of banning Twitter and Facebook apps, third party email clients or VPNs for example, on the basis that these apps may have security vulnerabilities which could impact upon corporate data.

The fact of the matter is that it's all but impossible to police such a policy and prevent such apps from being installed and used. It's also a fact, unfortunately, that the bad guys do see consumer grade apps as being a route to stealing business data.

Any BYOD security policy is, therefore, better directed at bridging the security time gap. This can be best thought of as being the time between malware being released and protection against it being deployed. Policy should wrap with technology here, and the SMB should look to implementing as near as posssible, a real time approach to security pattern/signature updates. The cloud can help, with an increasing number of threat intelligence and pattern updating products being available now that both save on endpoint resources and remediate newly launched threats quickly.