Securing portable IT devices

Being able to access IT systems remotely, either from home or elsewhere, creates additional security issues for businesses. So do privately owned devices, such as smartphones or tablets that are brought into premises by staff (commonly known as ‘BYOD’ or bring your own device).

Remote access

According to the 2014 information security breaches survey, over ninety per cent of SMEs (ie small and medium-sized enterprises) in the UK allow their staff to connect remotely to their IT systems. Many others allow staff to work from home, even if they cannot connect, yet one in five still don’t protect remote devices used by employees.

Remote devices face greater risk of theft, malware infection and having data intercepted or copied. Interception techniques don’t require sophisticated electronics, while people who would never leave a computer logged in and unattended at work can be much less security-minded at home. The same can be true when connecting other people’s memory sticks.

Remote devices are easily portable, which makes them attractive to criminals. Most opportunist thieves are not interested in business information but they’re unlikely to erase it before selling your device on. Your business may suffer serious reputational damage as a result, which is why you need to encrypt data stored on remote devices.

Remote devices face greater risk of exposure to malware too, because it’s easier to connect to other people’s networks or media. Make sure your remote devices are protected and remain so.

To make infection more difficult, some manufacturers deliberately restrict connectivity and the applications that can be installed on their portable devices. You may want to make using only approved devices a company policy.

Bring your own device

According to the 2014 information security breaches survey, two thirds of UK SMEs now allow staff to connect their own phones or tablets to their systems. Whatever you decide to allow this or not, you need a policy that staff understand and stick to.

Larger organizations may have the resources to set up a separate network to which personal devices can be connected, but this may be beyond many small firms’ budgets. In this case, you will need to educate users on the risks and perhaps control or recommend how they configure their devices before connecting to your network. You may want to install malware protection on their devices (even if it is at your own cost).

How standards can help to secure portable IT devices

There’s nothing intrinsically different about remote or portable devices, which means all of the standards referenced elsewhere on this site can be used, it’s just that the risks are higher. Currently, there are no International Standards that deal exclusively with portable device security.

There is a free guide SP 800-124r1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, available from the US National Institute of Standards and Technolog (NIST), which covers remote corporate devices and BYOD.

Also well worth a read is the Bring your own device guide published by the Information Commissioner’s Office.

See all standards that may help you to secure your business IT >