Why BYOD Doesn’t Mean BYOS (Bring Your Own Security)

BYOD use is exploding in organizations across the globe. But while it may seem like a cost-effective solution to business budgets, there are a lot of hidden risks within the practice – like the lack of security that can expose your organization to more hazards than you bargained for.

There are 6.8 billion mobile subscriptions worldwide, and many belong to employees who combine business and personal use on the same device – creating a BYOD nightmare for IT security officers across the globe.

Today’s healthcare systems are similarly being infiltrated with BYOD by clinicians who insist on using such tools – a fact supported by recent Cisco data indicating that 86% of healthcare respondents cited smartphone use for work purposes.

Over the last decade, with the expansion of wireless capabilities and advancement in mobile devices, the workforce that traditionally sealed itself behind the security of organizational walls are now working remotely - using the same device to access patient records and enter clinical notes as they do to download videos, chat on social media, and find out what’s for dinner.

A dream or a nightmare?

It may sound like a mobile worker’s dream, but it can be an organization’s nightmare when such employees don’t have appropriate security measures in place – and sometimes the organization is partly to blame. According to a 2013 Forrester Consulting report entitled, “Five Key Business Insights for Mobile Security in A BYOD World”, 90% of companies surveyed permit BYOD use, but only half required employees to obtain adequate security coverage prior to use. Additionally, Cisco’s BYOD Insights 2013, found that:

• 9 in 10 individuals use their smartphones for work.
• 40% don’t password-protect their smartphones
• 51% connect to unsecured wireless networks with their smartphones

Those are the kind of numbers that keep IT officers awake at night, since one accidental download of an unsafe application, or click on a malicious link can open an entire healthcare system to the vulnerabilities of malware and phishing threats. With the GCC containing some of the highest numbers of smartphone users in the world, and topping smartphone penetration rates for high-use countries, you can be sure that BYOD is a significant security issue for healthcare systems in the region.

A common companion to BYOD use is the installation of third-party software, which creates a significant security risk, as indicated by a recent HP study that revealed some hair-raising findings about the security status of the apps that were assessed:

• 97 percent contained some type of privacy issue
• 86 percent lacked basic security mechanisms
• 75 percent lacked proper data encryption

When you consider all of the sensitive data within your organization, and the fact that a single device loaded with just one of these hazardous apps may be granting accessibilities you never dreamed of, you’ll be pulling out your BYOD policies for updates, or creating new ones if they don’t already exist.

Action is essential

To say in theory that BYOD security is an issue and agree upon the need to address it, unfortunately doesn’t mean that action will be taken or policy enforcement will occur. According to an Acronis “2013 Data Protection Trends Research” study, 60 percent of companies in the eight countries surveyed don’t have BYOD policies in place – with nearly 80 percent reporting they haven’t educated their employees regarding BYOD. According to Anders Logfren, director of mobility solutions at Acronis,

“The fact that 80 percent of the companies we surveyed do not train their staff on BYOD best practices shows us that we’re really still at the early stages of this movement. BYOD has been talked about for years, but now that it’s become so pervasive in the workplace, no company can afford to ignore it – let alone such a large majority…In order to successfully transition into the BYOD era, without risk of data leakage or corruption, these companies need to take more proactive steps to integrate safe, enterprise-grade BYOD management tools that not only put IT back in control of sensitive data, but that are easy enough to use, so that employees won’t feel bogged down by a movement that was meant to empower them.”

Healthcare's challenges

BYOD in healthcare organizations creates additional security challenges. While HIMSS’ recently released Mobile Technology Survey revealed that almost all of the organizations polled supplied company-owned mobile computing devices to clinicians, what they do with them may not be what’s expected.

Many clinicians practice in more than one healthcare system, are unwilling to be confined to a separate device-per-system configuration, and are increasingly demanding the ability to streamline their busy lives by using one device to achieve all purposes - including those related to their personal needs.

When organizations simply refuse to address the BYOD issue, they risk a system end-around by stakeholders who simply do not understand the security issues at stake - and the enormous ramifications that can result from attaching unsecured devices and careless user practice to organizational networks filled with sensitive information. As August Calhoun, VP and GM at Dell Healthcare and Life Sciences notes,

“The last thing you need is a doctor losing a tablet or smartphone that can be used by anyone to access your network.”

The answer in dealing with the BYOD reality certainly isn’t a head-in-the-sand approach, but to clearly understand how users are actually practicing, and then finding a compromise that optimizes both functionality and enterprise security. By dealing with the BYOD issue head-on, healthcare organizations across the GCC will ensure that they provide employees and providers with the resources they desire – while keeping everyone’s data safer in the process.