Bring Your Own Device is becoming a prevalent Information Security and IT Focus

Bring your own device (BYOD) has become increasingly prevalent in businesses, with over 71% of companies planning, tolerating or supporting its infiltration into normal corporate work practices, according to an infographic published by Matrix 42. According to that infographic, the most common devices used by employees for BYOD work are laptops, PDAs, mobile devices and tablet computers. The Matrix 42 infographics were developed after the company completed a survey of 600 enterprise IT professionals and were published via

Mobile device management (MDM), in the sense of securing company information on these devices, was identified as imminently important, with over 78% of respondents rating it an ‘extremely or very important’ part of their IT offerings in the next two years. The drivers behind this focus are potentially IT-based, given that over 31% of IT departments are driving the adoption of BYOD within the corporate sector. The most common uses of the listed devices are corporate data access and e-mail, usually in conjunction with application software.

Simon Loughran, one of Certification Europe’s leading ISO 27001 (Information Security Management Systems) auditors, recently published a paper called ‘Security and Mobile Devices’ on this topic. The paper identified that one of the largest risks associated with BYOD devices such as mobile phones is inherent in their portability, which is precisely their intended functionality. Technological advances allow people to work outside the corporate network over wireless and remote connectivity, which in turn makes company information easily accessible and shareable. This creates a new risk area for companies, as the information has moved outside the established security perimeter that has been so meticulously developed. The solution is to select and implement security controls around mobile and BYOD devices that are as stringent as those employed around company-owned devices.

ISO 27001 (ISMS) and ISO 20000 IT Management provide the greatest security opportunities for a company and should be considered by all organisations rolling out a BYOD policy. The following top ten tips for securing your mobile devices were developed by Simon from personal experience and from peer professional online research.

Top Ten tips for mobile security

1. Device Selection

Not all devices are created equal when it comes to security. For example, iPods are built for general consumers, who are not as concerned with security, and are therefore less inherently secure than a BlackBerry device designed for enterprise users.

The degree to which security controls can be implemented on mobile devices is highly dependent upon the vendor. Consider mobile devices that have the best possible control and security on them. Just because a senior manager likes the look of a particular device is not a good enough reason for its selection.

2. Enable Encryption

Many organizations do not enforce, or even set, policies mandating the use of encryption on mobile devices. Encryption is one of the most common methods used to protect the information on a mobile device and should really be used without a second thought. It gives both you and the data owner a clear sense of security. Some vendors actively publish and push their encryption methods and credentials, BlackBerry being a prime example, with lots of security hints and tips readily available.

Encryption for laptops is standard best practice so why not all mobile devices?

3. Require Authentication

Mobile devices require proper authentication, as they are extremely susceptible to loss or theft. Most users have adopted some form of authentication on their laptops, even if it is only a password, and this should now be applied to all mobile devices. A BIOS or start-up password for a laptop works at another level while still relying on encryption: if you can’t authenticate you cannot gain access, so the encrypted data is further protected.

4. Utilize Remote Wipe Capabilities

Because of the proliferation of mobile devices and their inherent vulnerabilities, applications have been developed that give people the ability to remotely access and disable devices in the event of loss or theft. Imagine how helpful the ability to wipe information remotely from a machine could be in such a stressful scenario, especially considering the potential damage from information leakage.

5. Incident Management

Organizations should consider developing a policy and procedure for employees who have lost devices they previously used to access company information. This is where ISO 27001 Incident Management becomes extremely effective. An established incident management process makes it easy for them to call the relevant people and alert staff that a device has been lost or stolen. However, organisations should remember that it is only effective if you launch an awareness campaign for such an event.
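Tips 2 to 5 amount to a per-device decision that an MDM or network access control point has to make: is the device encrypted and locked, can it be wiped, and has it been reported lost? The following is an added illustration of that decision logic, not code from this article or from Simon Loughran’s paper; the record fields, the minimum passcode length and the sample fleet are assumptions made for the example, and a real MDM export will use different field names.

```python
"""BYOD device compliance evaluation.

Added illustration, not code from the Certification Europe article or from
Simon Loughran's paper.  It turns tips 2 to 5 (encryption, authentication,
remote wipe, incident handling) into a decision per enrolled device.  The
record fields, the minimum passcode length and the sample fleet are all
assumptions made for this example; a real MDM exports different field names.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MIN_PASSCODE_LEN = 6          # assumed policy minimum for PIN/password locks


@dataclass
class Device:
    device_id: str
    owner: str
    storage_encrypted: bool
    screen_lock: str          # "none", "pin", "password" or "biometric"
    passcode_len: int         # 0 when no PIN/password is configured
    remote_wipe_enrolled: bool
    reported_lost: bool = False


@dataclass
class Decision:
    device_id: str
    action: str               # "allow", "quarantine" or "wipe"
    reasons: List[str] = field(default_factory=list)


def evaluate(device: Device) -> Decision:
    """Return the access decision for one device.

    A lost or stolen device is handled first (tip 5): wipe it if the MDM can
    reach it (tip 4), otherwise block it.  Only then are the preventive
    controls checked; any failure blocks network access until remediated.
    """
    if device.reported_lost:
        if device.remote_wipe_enrolled:
            return Decision(device.device_id, "wipe", ["reported lost or stolen"])
        return Decision(device.device_id, "quarantine",
                        ["reported lost or stolen, no remote wipe available"])

    reasons: List[str] = []
    if not device.storage_encrypted:                       # tip 2
        reasons.append("storage not encrypted")
    if device.screen_lock == "none":                       # tip 3
        reasons.append("no authentication configured")
    elif device.screen_lock in ("pin", "password") and device.passcode_len < MIN_PASSCODE_LEN:
        reasons.append(f"passcode shorter than {MIN_PASSCODE_LEN}")
    if not device.remote_wipe_enrolled:                    # tip 4
        reasons.append("not enrolled for remote wipe")

    return Decision(device.device_id, "allow" if not reasons else "quarantine", reasons)


def evaluate_fleet(devices: List[Device]) -> Dict[str, Decision]:
    """Evaluate every device and index the decisions by device id."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample fleet (not real inventory data).
SAMPLE_FLEET = [
    Device("D-001", "alice", True, "password", 8, True),
    Device("D-002", "bob", False, "pin", 4, True),
    Device("D-003", "carol", True, "password", 8, True, reported_lost=True),
    Device("D-004", "dave", True, "none", 0, False),
    Device("D-005", "erin", True, "password", 10, False, reported_lost=True),
]

if __name__ == "__main__":
    for dec in evaluate_fleet(SAMPLE_FLEET).values():
        print(f"{dec.device_id}: {dec.action:10s} {'; '.join(dec.reasons)}")
```

The ordering is the point: the lost-device branch runs before any other check, so a reported device is wiped or blocked even if it was fully compliant yesterday, and a device that cannot be wiped is still kept off the network rather than trusted on the strength of its encryption.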

6. Control Third-Party Apps

Smartphones and iPhones present increased risk to a company, as they are essentially miniature computing platforms that can accept third-party applications of any nature. If you can limit the installation of unsigned third-party applications, you can help to prevent the bad guys from taking control of your devices. This is the basic premise of Trojans and how they attack your systems. Consider that there are many examples of Trojans being built into free apps and so-called ‘cool’ games! An interesting development in the app sector is that Google Apps recently tackled this risk by becoming ISO 27001 certified, denoting the importance it places on securing client information.

7. Network Access Controls

Enterprises should set up network access control mechanisms such as dedicated firewall policies, VLANs and static routes specifically to segregate traffic coming in from mobile devices. Mobile device users don’t necessarily need access to all of the data and areas on the network, so limit exposure by only offering access on a need-to-know basis.

8. Use Intrusion Prevention / Detection Software (IPS/IDS)

As smartphones and mobile devices become more and more powerful, they’re likely to become another weapon in the hacker toolbox. As a result, it makes sense to have your intrusion prevention software examine traffic coming from mobile devices. After all, if a standard user can install apps on an easy-to-hide portable device, what’s to stop a hacker using such a device with a vast array of tools?
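Tips 7 and 8 describe two controls on the same traffic: a segregated BYOD segment that may only reach what it needs, and an IDS/IPS watching that segment. The example below is an added illustration, not code from the article or from any product named on the page; the BYOD VLAN, the corporate hosts, the allowlist and the flow log lines are all constructed. It evaluates each flow against a default-deny allowlist for the mobile segment and then flags any BYOD source that touches many distinct destination ports, the sort of probing an IDS on that segment should raise.

```python
"""Default-deny network policy for a BYOD segment plus a simple IDS-style
port-sweep check.

Added illustration, not code from the article.  The BYOD VLAN (10.50.0.0/16),
the corporate hosts, the allowlist and the flow log lines are all constructed
for this example.  Policy: a mobile device may reach only the mail gateway and
the published web application tier; everything else from the BYOD VLAN is
denied (tip 7).  The detector then looks for a single BYOD source touching
many distinct destination ports, the kind of probing an IDS watching the
mobile segment should raise (tip 8).
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

BYOD_VLAN = ipaddress.ip_network("10.50.0.0/16")       # assumed BYOD segment

# Allowlist of (destination network, protocol, port).  Not listed => denied.
ALLOWED = [
    (ipaddress.ip_network("10.10.5.10/32"), "tcp", 443),  # mail gateway, HTTPS/ActiveSync
    (ipaddress.ip_network("10.10.5.10/32"), "tcp", 993),  # mail gateway, IMAPS
    (ipaddress.ip_network("10.10.8.0/24"), "tcp", 443),   # published web apps
]

Flow = Tuple[str, str, str, str, int]   # (timestamp, src, dst, proto, dport)


def policy_decision(src: str, dst: str, proto: str, port: int) -> str:
    """Return "allow", "deny" or "not-byod" for one flow."""
    if ipaddress.ip_address(src) not in BYOD_VLAN:
        return "not-byod"          # other segments have their own policy
    dst_ip = ipaddress.ip_address(dst)
    for net, p, prt in ALLOWED:
        if dst_ip in net and proto == p and port == prt:
            return "allow"
    return "deny"                  # default deny: need-to-know only


def parse_flows(text: str) -> List[Flow]:
    """Parse 'timestamp src dst proto dport' lines (constructed format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        flows.append((ts, src, dst, proto, int(port)))
    return flows


def summarize_policy(flows: List[Flow]) -> Dict[str, int]:
    """Count how many flows each policy verdict applies to."""
    return dict(Counter(policy_decision(src, dst, proto, port)
                        for _, src, dst, proto, port in flows))


def detect_port_sweeps(flows: List[Flow], threshold: int = 5) -> List[str]:
    """Return BYOD sources that touched at least `threshold` distinct ports."""
    ports: Dict[str, set] = defaultdict(set)
    for _, src, _, _, port in flows:
        if ipaddress.ip_address(src) in BYOD_VLAN:
            ports[src].add(port)
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)


# Constructed flow log: one normal user, one probing device, one corporate host.
FLOW_LOG = """\
2024-03-01T08:00:01 10.50.3.21 10.10.5.10 tcp 443
2024-03-01T08:00:04 10.50.3.21 10.10.5.10 tcp 993
2024-03-01T08:01:10 10.50.3.21 10.10.8.14 tcp 443
2024-03-01T08:02:33 10.50.3.21 10.10.2.7 tcp 445
2024-03-01T08:05:00 10.50.7.9 10.10.2.7 tcp 22
2024-03-01T08:05:01 10.50.7.9 10.10.2.7 tcp 23
2024-03-01T08:05:01 10.50.7.9 10.10.2.7 tcp 80
2024-03-01T08:05:02 10.50.7.9 10.10.2.7 tcp 135
2024-03-01T08:05:02 10.50.7.9 10.10.2.7 tcp 139
2024-03-01T08:05:03 10.50.7.9 10.10.2.7 tcp 445
2024-03-01T08:06:00 10.10.1.5 10.10.2.7 tcp 445
"""

if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("policy verdicts:", summarize_policy(flows))
    print("port-sweep sources:", detect_port_sweeps(flows))
```

The allowlist is the firewall policy of tip 7 written as data: the normal user’s mail and web traffic passes, while the one attempt to reach a file share on port 445 is dropped without any special rule. The sweep detector is deliberately crude (distinct ports per source over the whole log); a production IDS would window the count in time and weight it by whether the flows were denied, but the shape of the check is the same.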

9. Anti Virus – AV

There are many host-based anti-virus applications available for smartphones and mobile devices, but consideration must be given to how they interact within the enterprise and how they are going to be managed. A device connecting into the corporate LAN may be required to authenticate its security control feature, or access may be denied. BlackBerry Enterprise Server (BES) uses AV to control its devices and is well ahead of other smartphones in the security stakes.

10. Bluetooth

Bluetooth capabilities on today’s smartphones and mobile devices may make it easy to talk on a hands-free headset, share information and interconnect devices, but they’re also a target for hackers, who can take advantage of the default always-on, always-discoverable settings. To limit exposure, best practice is to disable Bluetooth when it is not actively transmitting information. You can also suggest switching Bluetooth devices to hidden mode. Organizations can limit exposure by making this company policy.

Robert Lyons