Tech Watch: Balancing BYOD and physical security

July 8, 2013
How to ensure your company stays safe in the ever-changing world of mobile communications

In today’s competitive and connected workforce, many companies provide employees the freedom to use their personal mobile devices to access company resources.  The millennial generation has accelerated this trend, known as Bring Your Own Device (BYOD), based on their experience in an education system that adopted this approach years ago. 

Companies have learned some valuable lessons from higher education - not just in recruiting and retention but also understanding how BYOD affects their bottom line.  Gone are the days of the corporate-issued Blackberry since companies no longer have to purchase computing resources if prospective employees want to use their own smartphone or laptop.

Increasing the bottom line with a happy and more productive workforce: What could go wrong? 

Today, people read their e-mail, take notes during meetings, modify spreadsheets, access company contacts and communicate with partners, vendors and customers all on a device that the company technically doesn’t own.  The information accessed and, in many cases, stored is the legal property of the business, but at the same time the device typically stores personal information and applications as well.  Clearly there is a glaring information security risk should the wrong person gain access to this data, but what does this have to do with physical security?  

Mobile Apps, meet Physical Security

It didn’t take long for the security industry to embrace mobile computing application development and extend operational capabilities of their systems with mobile devices.  As early as 2010, manufacturers were in development of access control systems that use digital keys embedded in mobile devices to open doors.  This technology makes sense for one major reason: How many times has an employee left their badge at home versus their mobile phone?  Additionally, it is considered basic functionality for intrusion detection and alarm systems to have a smartphone interface that enables the user to arm, disarm, view logs and receive notifications of intrusions via a mobile device. And following on the consumer trend of watching videos on smartphones and tablets, VMS companies launched remote monitoring apps that enable users to view, control, record and share video from installed cameras. While the BYOD trend using these physical security applications can make security personnel more efficient, effective and, ultimately, safer, the technology can expose employers to increased risk.

The Technology Behind the Innovation

Near Field Communication (NFC) is a protocol that enables devices to share data when in proximity to another device.  You might have seen commercials for smartphones that show people "bumping" their devices together to transmit data such as pictures or contact information.  This same technology can be used by card readers to receive a digital key that is provisioned to an employee’s mobile phone.  That key is stored in a proprietary application from the access control manufacturer that was installed on the mobile device.  The user simply opens the application, "bumps" the card reader and unlocks the door. 

NFC is an open standard that was ratified by the IEEE in 2008, but not all mobile manufacturers support it.  The most popular smartphone in the world, the iPhone, does not support NFC; however, you can purchase a case that is NFC-enabled if you are an Apple diehard.  These applications rely on a two factor identification method through the digital key embedded in the device and the password that should be used to unlock the device before launching the program (more on this later).

Interfacing with other physical security systems is typically done using a proprietary Application Programming Interface (API), which is transported using Hypertext Transfer Protocol (HTTP).  The proprietary nature of the individual systems requires the user to download different applications to control the alarm panel, intrusion detection, access control and video management systems.  This silo approach to application interfaces will continue until interoperability standards become more widespread.  For instance, on the video side, an ONVIF-compliant mobile viewer could enable a security practitioner to view cameras across multiple manufacturers.   

The Inherent Risk of Mobile Computing: Where’s my Phone?

Most can relate to the panic felt when you think you lost your mobile phone.  You call the number and start walking around the house hoping to hear that familiar ringtone. This is such a common dilemma that there are applications that enable owners to locate, lock or erase the phone remotely from another computer if it’s lost. 

BYOD companies have even more to lose should a device that has confidential information be compromised as a result of an employee losing their phone or worse, have it stolen in a targeted attempt to gain access to company information.   Most mobile applications rely on the password lock feature of mobile devices.  The end result is that the strength of password is all that lies between unauthorized users from gaining access to all the applications on a device. 

Passwords come in many different flavors, from 4 digit PIN codes to 10-12 digit code or higher; alphanumeric combinations that require upper and lowercase combinations with special characters, generally referred to as "strong passwords."  When you think of the information that can be accessed, let alone the ability to physically compromise a facility with a smartphone, you would hope that employees use strong passwords to protect their BYODs. 

In reality, this is often not the case despite typical company policies on the matter.  Imagine having to type in "T1ab3%o0wp" in order to tell your spouse that you are picking up sushi on the way home from work.  Thus, in many case, employees use a simple 4-digit password or disable password protection all together.  A recent survey from McAfee claims that a third of smartphone users don’t password protect their devices at all.  Not only are sensitive company emails and documents now accessible, but if the employee’s company uses NFC for access control, the thief now has a key to the building.

BYOD Best Practices

Before giving your employees free reign to use whatever device they feel completes them, make sure to confer with IT management. They hopefully have developed a BYOD policy with proper security procedures.  At a very basic level, the employee should sign a disclosure statement that informs them of the BYOD policy - which at a minimum should include the use of strong passwords.  The BYOD policy should also make it clear that company information is the property of the organization and should be returned or deleted if the employee leaves the company. 

Taking it a step further, there are technology solutions that ensure company information is kept secure in the event of a lost phone or if a disgruntled employee leaves for a competitor.  Mobile Device Management (MDM) software solutions offer varying levels of control that help secure content and force compliance for users.  Some of the functionality includes over the air distribution and configuration of applications, compliance management of passwords and, in extreme cases, remote lock and erase of data or applications. 

That being said, companies need to tread carefully when considering deleting information on employee-owned devices.  There are several lawsuits surrounding this practice where an employee’s personal photos, contacts and information were locked or deleted due to non-compliance of corporate policy.  When possible, your BYOD policy should give the employee notice by stating clearly which applications and information would be deleted should the need arise.  Many MDM platforms offer this ability to selectively delete only those applications and information that are company property.

BYOD: The Right Applications for the Right People

Despite its potential security challenges, BYOD brings freedom of choice to a generation of skilled workers who expect business applications to coincide with the likes of Pinterest and Instagram.  With the right tools, this trend will not only improve efficiency, but it directly impacts the bottom line – not to mention providing first responders, law enforcement and security personnel with critical situational awareness in an emergency situation.

While the millennials are driving BYOD adoption, old dogs can learn plenty of new tricks while teaching others to obey proper BYOD policies.

About the author: James Marcella has been a technologist in the security and IT industries for more than 18 years. He is currently the director of technical services for Axis Communications.