BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Many companies hope that BYOD programs will reduce costs by shifting mobile device purchases and monthly service fees from employers to employees, but find that savings are often offset by new expenses.
Wi-Fi-enabled consumer electronics have triggered an explosion in the number of devices connecting to the corporate network and requiring some kind of mobile device security strategy. A recent Cisco IBSG Horizons survey (PDF) found that the average number of devices per knowledge worker will jump from 2.2 in 2012 to 3.3 by 2014, increasing IT spending on mobility initiatives to 20% by 2014.
Laptops, smartphones and tablets have a direct effect on the total cost of ownership of the corporate network. WLAN infrastructure must be added to satisfy growing bandwidth demands. Security systems must spot and block non-business traffic, such as streaming video and back channels for Trojan horses.
Bring your own device (BYOD) policies should include Quality-of-Service mechanisms to ensure performance. IT must create diagnostic tools and mobile management processes to deal with diverse and often cranky consumer devices.
Furthermore, every new employee-owned device represents an opportunity to leak corporate data. BYOD challenges include lost or stolen devices with data that cannot be remotely wiped, malware infections, and sensitive data that's too easily forwarded outside the workplace.
To avoid these pitfalls, businesses must implement BYOD safeguards and monitor mobile device usage to detect -- and preferably prevent -- such leaks.
How IT governance can help secure a corporate network
These BYOD challenges are not insurmountable, but they require careful consideration, backed by an IT governance plan of action. The intersection between corporate networks and the wireless world should not be a "Wild West" where anything goes and IT can't stop it. Instead, administrators can stem potential BYOD bleeding with device discovery, impact assessment and minimum criteria for acceptable use.
Many contemporary WLAN and network access control products have device discovery and fingerprinting features that IT can use to identify mobile devices. Those that fall into known categories can be automatically redirected to mobile device management enrollment portals. Previously unseen devices can be blocked, awaiting further BYOD consideration.
To decide which devices to block vs. enroll, assess those already used in your workplace. Consult with business units to determine application and data requirements, and identify the associated risks and security capabilities.
More on securing your corporate network
How BYOD strains corporate wireless network bandwidth
Wireless network security best practices
Securing the network perimeter
This assessment should result in documented BYOD criteria that any device must pass to be authorized. Typically, minimum criteria include support for remote wipe, passcode-based device access control and hardware encryption.
A mobile device security strategy should reduce risks from lost or stolen devices. Some business units that handle more sensitive data may impose more stringent requirements, such as support for two-factor-based access control, FIPS 140-certified encryption or forensic data scrubbing.
In addition to establishing criteria, create and maintain lists of mobile devices that IT agrees to fully support and those that have been deemed so disruptive or dangerous that they cannot be tolerated. Most employee devices will fall in between these two extremes, letting you grant access while minimizing associated support and troubleshooting costs.