A model to enhance information security in the use of BYOD in Kenyan enterprises
In recent years there has been a drastic increase in the adoption of mobile devices for computing. This increase has been attributed mainly to falling mobile device prices, which put these devices within easy reach of the common man. Mobile technology is now redefining the boundaries between work life and personal life. Consequently, enterprise owners, employers and managers are increasingly allowing employees to use their private devices to carry out work-related tasks and access internal company resources. This increasingly popular change sweeping across workplaces is referred to as Bring Your Own Device (BYOD). The adoption of BYOD has raised concerns that organizations have to address. The main challenge of adopting the BYOD concept is ensuring information security. Lack of information security costs enterprises millions every year. Several security models and technical infrastructures are already in place but have had limited success in exhaustively dealing with security risks and threats. This research involves a study of the different information security risks and threats and how they are currently being dealt with. It also looks at the different BYOD adoption and security models and proposes a hybrid model that attempts to fill gaps left by previous models. A survey was carried out to identify the existing security models in place in 61 Kenyan enterprises, to better understand what gaps need to be filled. Findings of the survey show that enterprises face a number of challenges, with security of the mobile devices and of the information and applications they access and carry at the top of the list. The results also show that, when it comes to implementing technical counter-measures, most organizations had implemented the traditional firewall to a large extent, though the primary focus of a firewall is not securing mobile devices but securing server farms and system perimeters.
Non-technical counter-measures such as user awareness or training and a mobile device security policy had been implemented to a small extent. Most of the measures in place are not specific to mobile phone use in the workplace and are therefore not effective in dealing with security issues related to the adoption of BYOD.