SCCyberworld

Thursday, May 24, 2012

Malaysian SMEs Urged To Enforce Strong BYOD Policies

About 85% of IT decision makers in Asia are concerned about their firms’ ability to secure corporate data in the new user-led IT environment

MALAYSIA, May 24, 2012 - Fortinet, a world leader in high-performance network security, has cautioned against the rise of security risks among small-to-medium sized businesses in Malaysia due to the emergence of the BYOD (Bring Your Own Device) phenomenon at the workplace. BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. SMEs are, therefore, advised to develop security policies to protect their IT infrastructure from the BYOD-linked security challenges.

According to an independent survey Fortinet commissioned late last year with a total of 350 mid-to-large enterprise IT decision makers in Asia, about 85% of respondents are concerned about their firms' ability to secure corporate data in this new user-led IT environment. Most companies are not confident that they can secure personal mobile devices, or do not have the means to do so: about 67% of respondents say they only allow the use of corporate mobile devices onto which security policies can be directly enforced. Another 26% of enterprises place responsibility for securing personal mobile endpoints directly with the users/owners of those devices − a dangerous practice.

For local companies, the proliferation of personal devices in the work environment paves the way for untold efficiencies and increased productivity, not to mention lowered carrier costs. However, these devices are devoid of the most basic security features − such as antivirus and password protection − incorporated in practically all workplace PCs. The agility enabled by personal devices means that business critical apps can be accessed from any network in any location. This leaves a staggering amount of sensitive data on the devices, whose exposure could be highly detrimental to the business.

The dilemma faced by companies in Malaysia is that while everyone wants to be more productive, few have policies in place to adequately secure the influx of mobile devices entering the workplace. Without these policies, organisations simply have no choice but to prohibit use of such devices, and consequently forgo greater productivity and higher cost savings.

Yet it's getting tougher for firms to say no to employees using their own devices. It's clear that Malaysian employees are not going to stop using their own handhelds for business; instead, they will just try to figure out ways to make it work.

Fortinet recommends three IT measures to manage BYOD-linked security challenges:

Implement A Relevant Mobile Policy: Most Malaysian organizations should take the time to really assess their goals and determine relevant threats (e.g. malicious Websites, productivity loss, excessive bandwidth usage) to the network. Some questions the IT department needs to consider:

o What applications are required, and which are not permitted?

o Which employees will be allowed to use these devices?

o Who has network access based on who, what, where and when?

Companies should also control access based on the need to know, and conduct continuous vulnerability assessments. And of course, they need to figure out how to enforce the policies they have laid down.

Remote Management Software: It's important to be able to apply the range of basic security functions, such as antivirus or remote data wiping software, to any device housing corporate data. Remote management software gives IT the ability to automatically update users’ devices with the latest patches to prevent any existing vulnerabilities from being exploited in mobile attacks. Firms should also implement centralized remote locate, track, lock, wipe, backup and restore facilities so that they can protect, retrieve and restore corporate data on lost or stolen mobile devices.

Blocking Non-Compliant Devices: This is where organizations can practice the art of compromise. Often workers are eager to use their personal devices for work but are reluctant to install additional software − some of which might have the potential to wipe valuable contacts and photos from their phone, tablet or laptop. As a compromise, firms could allow their workers to use their own devices IF they agree to install certain apps in accordance with the organization’s security policy. If not, then the workers can stick with an IT-issued device. An alternative solution some firms may want to consider could be dual persona phones that have two logical partitions – one for professional and the other for personal usage, with IT having complete control over the professional partition.

BYOD HERE TO STAY

“Ultimately, organizations in Malaysia must realise that to effectively protect their corporate networks and data from potential threats coming from mobile devices, they must handle the security issue at the network level rather than at endpoint level,” said Dato’ Sri George Chang, Fortinet’s regional director for Southeast Asia and Hong Kong.

This network security strategy requires strong control over users and applications, on top of device management. IT organizations must have the power to detect and control the use of applications on their networks and endpoints based on application classification, behavioural analysis and end-user association; and to detect and control Web-based applications at a granular level, including inspecting encrypted application traffic, regardless of ports and protocols used.

“It is clear that organizations will have to put in a fair amount of effort to adapt and switch to a new way of supporting their employees but there is no alternative − BYOD is here to stay in Malaysia and IT managers just have to get ahead of the curve,” Chang added.
