A guide to BYOD security
There are a great many benefits to implementing BYOD for universities, colleges, or higher education organizations. The use of BYO Devices has been shown to consistently improve student engagement, productivity, and can result in higher rates of retention. One of the few drawbacks to supporting BYOD is the security challenge it poses to IT departments.
One of the main reasons that BYOD has the potential to compromise security is that, by its very nature, it is designed to provide access to organizational resources from non-managed and un-trusted devices. If a full-rollout BYOD installation is doing its job, students and staff should be able to access permitted university networks or systems they would otherwise have access to on their personal devices, both on-site and off-site. There is no manual verification required from IT for each resource being accessed and, in combination, these two facets result in security weak points.
In order to mitigate threats to security, it is vital for IT to understand where, why, and how any risks may arise. So, in more detail, why is BYOD a security threat?
- Device loss or theft
- Data leakage
- Less control over devices than university-owned devices
Implementing BYOD requires IT to provide more methods of accessing university resources and to remove possible time, premise, geography, or device-based limitations for access. Naturally, this creates more opportunities for malicious hackers to attempt to gain access and otherwise tamper with digital university systems.
Allowing your students and faculty to use their own personal devices means welcoming a whole new wave of unvetted machines onto your network and systems. These devices have never been checked by IT and are not available to IT for any form of quarantine, diagnostics or fixes. It should be assumed that at least a portion of these machines will be infected with malware which may try to automatically infect or replicate itself on university computing resources. It is, however, worth noting that this is not a new threat, rather the familiar threat posed by USB flash storage devices in a slightly new, albeit more dangerous form.
Device loss or theft
The loss or theft of a device may grant access to university resources to whoever is newly in possession of that device. Whether they have malicious intentions or not, this is still a risk to security. This is compounded by contemporary ‘stay signed in’, SSO, or device-based verification options.
With a greater amount of data being transmitted to off-site devices, the risk of a data leak increases. This may be sensitive organizational data or the personal information of your users. While this risk does not necessarily increase with the use of cloud-hosted and SaaS-model technologies, the safety of this data does become more of an unknown quantity. With a BYOD policy implemented, protecting data security and student privacy becomes a more complex task.
Less control over devices than university-owned devices
In a similar vein to some of the points made under the ‘Malware’ heading, IT has less access to and less control over most of the devices used for study than any university-owned counterparts. This means that risks are harder to pre-empt, detect, diagnose, and address.
Knowing the potential security threats resulting from a BYOD implementation, what measures can we put in place to mitigate these threats before they become an issue? Much of the mitigation of IT security risks comes down to formal policy and following IT security best practices religiously. In greater detail, the following section will discuss how to prevent BYOD security threats.
- Implement a formal security policy
- Educate students on security policy – provide awareness of security risks
- Password policy and two-factor authentication
- Keep anti-virus software up to date
- Secure connection methods
- Continued assessment of security risks and updates to security policies
Implement a formal security policy
The first step to safeguarding IT security against risks introduced by BYOD is to create and implement a formal security policy that details specifically what users are and aren’t allowed to do when using university resources. This may cover things such as permitted domains, antivirus software requirements, actions to take if a machine is known to be infected, etc. This can also act as a disclaimer to protect all parties involved. This may come as part of a wider BYOD policy but it should also be fairly prominent as IT departments will want users to read this and base their usage behavior on it while accessing university resources.
Educate students on security policy
As mentioned, it is in the interest of all parties involved for students, faculty, and users, in general, to be educated on how to properly use university resources in order to minimize and avoid security threats. This may come as part of university onboarding sessions or be covered in all students’ initial lectures or seminars. There are many ways to approach this and it would be highly beneficial to provide education to students early on in their university careers and regularly throughout them.
Password policy and two factor-authentication
In order to reduce the risk to security of lost or stolen devices, a password policy and two-factor authentication (2FA) can act as very effective damage control when the inevitable does eventually happen. A password policy helps to prevent access to those with malicious intentions on lost/stolen devices and 2FA can help to reinforce this on devices where Single Sign-On (SSO) or ‘remember my details’ options are enabled.
Keep anti-virus software up to date
This applies to both university-owned anti-virus software for use on IT-managed networks and hardware and to the consumer-level software that is likely present on the majority of student and faculty BYO devices. IT should aim to keep defensive software up to date at all times and should remind users to do the same. The school might even be able to provide access to higher-grade anti-virus software to users in order to bolster security and protect digital resources from all sides.
This will also help to keep the support demand on IT as low as possible by circumventing many occasions which may have otherwise resulted in users needing help with malware-infected BYO devices.
Secure connection methods
There are a few methods of securely connecting to networks and servers, most of which involve encrypting data or rerouting signals through virtual private networks, or VPNs. While this is a hotly discussed topic with some contention in commercial software delivery, things differ slightly in higher education. With most universities’ digital resources and IT, in general, existing on a vastly larger scale than the majority of corporate organizations, there are many, many more opportunities for network connections to be exploited in order to gain access.
Similar to anti-virus software, it is worth at least considering VPNs as well as reminding users/students to use them for offsite access. You may even want to make a VPN compulsory in certain situations and providing them where needed.
It almost sounds counter-intuitive to impose restrictions in order to protect a program designed to increase resource access. However, in the correct places, it will help to strengthen security without affecting user-experience. Cross-faculty/course restrictions limits what each individual user can access and, in a way, helps to silo off departmental resources and isolate each department’s resources from other breaches in other departments.
If done correctly, this should not actually reduce access to university resources. For example, preventing students studying sports from accessing engineering software will improve security without being detrimental to the student experience.
Continued assessment of security risks and updates to security policies
Finally, in order to stay continuously on top of IT security with the elevated risks of BYOD access in play, IT will need to remain versatile and proactive. Malware, viruses, and hacking techniques are just like technology itself; perpetually evolving and growing more sophisticated. New safety and defensive technologies are created all the time and the latest advancements should be aimed for at all times.
To conclude, while BYOD can pose a security threat, threats can be mitigated using the best practices listed above to allow organizations and students to benefit from BYOD while reducing any threats to security as much as possible. To learn more about how best to implement software delivery to BYOD with IT security in mind, get in touch with us at firstname.lastname@example.org.
Some useful & related reading...
Welcome to your guide to understanding the commercial benefits and solutions of BYOD without getting too caught up in the technical details...
The ultimate guide to BYOD and off-campus access covers all aspects delivering software to student-owned devices, from the benefits of enabling, to the...
BYOD is a much sought after goal of higher education IT. But what is it and how can it benefit university business and student outcomes?
A BYOD policy is the first step toward ensuring the success of any BYOD program, but what should these policies cover?
Which devices are most appropriate for BYOD and which are limited? Read our breakdown of devices for higher education BYOD policies.
Everything you need to know about delivering academic apps to student-owned devices