Risks Associated with BYOD

Under a "bring your own device" (BYOD) policy, an organization allows employees to use their own devices on the company network. While this can save the organization money and give employees more freedom, it carries security risks. This article explains the principles of BYOD, some benefits of BYOD for an organization, and the many ways that BYOD can increase the risk to a company's data and information systems.

Literature review and findings

Operational concerns and risks


The tasks performed by employees in IT departments at organisations have changed substantially over the past decade. In the past these employees were mainly responsible for configuring, installing, maintaining and operating the hardware and software used by employees at the organisation's offices. Many organisations deployed corporate-owned palmtop computers and BlackBerry or mobile devices to key individuals within the organisation during the early to mid-2000s. The configurations of these devices were generally straightforward. The devices were used primarily to send emails and retrieve key documents and presentations. The deployment of these devices meant that employees in the IT department needed to gain an understanding of how the devices function. In the past 2–3 years, as it has become more popular for individuals to want to use their own mobile devices to access sensitive information relating to the organisation, the role of IT employees has expanded yet again.

The security of mobile devices has become a top concern for many IT executives. The concern is heightened because the number of mobile devices arriving in the next few years will outstrip IT's ability to keep the enterprise secure. Kaspersky (2012) and Staut (2012) indicated that the average employee uses more than one mobile device to access the corporate network. Bring Your Own Device therefore presents IT and security departments with the challenge of having to implement and manage mobile security across an almost limitless range of devices and operating systems.

Rose (2012) stated that IT departments now have the responsibility of managing and securing a wide range of mobile devices that could be used to access their organisations' corporate data. Rose further stated in the same article that research conducted by Forrester indicates that employees choose their own smartphones 70% of the time, with 48% of the devices picked without regard for IT support. Anderson (2014) stated that devices are evolving so rapidly that it is impractical to pre-approve each and every device brand and form factor. He also indicated that it was somewhat impractical to expect IT organisations to have the same level of support for each and every device that employees may bring to the workplace.

Employees' mobile devices that have not been configured and locked down by the company IT department create the opportunity for infiltration of malware, gaps in the firewall and exfiltration of sensitive data. The risk is further increased because some corporations intentionally leave ports open so that their employees can work in virtual environments. This is an opportunity for anyone on the Internet who wishes to access a corporation's information system in an unauthorised manner. Bring Your Own Device has changed the manner in which IT departments function. They are now required to have detailed knowledge of the various mobile devices which employees could use to access the organisation's network.