How to improve security in a BYOD enterprise environment
For most of us, our mobile and personal devices have become extensions of our lives and even bodies. Most of us carry our smartphones with us all the time, and when we can’t find them, we feel lost.
We are essentially always on, always connected to the Internet. This notion of anytime, anywhere access has extended not only to our personal lives but also our professional.
In the name of employee productivity, bring-your-own-device (BYOD) policies have become widespread and blurred the lines between our personal and corporate lives. Employees bringing their personal devices into work-related activities and communications both inside and outside of regular working hours have become the norm practice.
So why are so many people hopping on the BYOD bandwagon in the first place?
- Increased productivity. The ability to log in and respond to emails or work on documents, at any time of the day or night, from anywhere, has a dramatic positive impact on productivity. According Forrester’s study on Mobile enterprise services improve flexibility, productivity, and ROI, "anytime, anywhere" access to the workplace enabled employees to gain 45-60 minutes a week.
- Increased satisfaction. According to a study conducted by CapGemini, Bring Your Own Device It’s all about Employee Satisfaction and Productivity, not Costs, employees feel more comfortable working on their own devices. Abiding to this preference increases employment flexibility and employee satisfaction.
- Financial savings. Many BYOD policies require employees to cover their own costs, enabling organizations to save on procurement and data plans. Furthermore, people tend to upgrade their devices more often than organizations. This enables organizations to benefit from newer, more powerful devices with the latest features. However, these savings have been found to be offset by the cost of managing BYOD programs.
- Operational Agility. Organizations are better able to respond to the needs of their global clients when employees are available to respond to different time zones.
While BYOD brings satisfaction to customers’ employees and increases work productivity for enterprises, it also opens up their network to security risks. Employees are connecting their own devices -- smartphones, tablets and laptops -- to the corporate network and leaving it open up to security risks.
Herein lays the enormous risk to workplaces. BYOD has become the perfect portal to the corporate network. It opens the door to a plethora of risks, including: ransomware of corporate data, collection of sensitive authentication data (later used for targeted attacks), and a bridge to highly secured, air-gapped networks.
As more companies embrace the accessibility benefits of BYOD policies, it’s vital to remember the dangerous security implications BYOD also brings. The trick to keeping BYOD productivity, while ensuring corporate security, is to first understand the current limitations of BYOD devices and policies before applying a solution. Some of the most common BYOD dangers include:
- Cyber threats from unsecured networks. Logging in to the organization’s network outside the secured perimeter of the organization exposes the employee’s device and the entire organization’s network to cyber threats.
- Cyber threats from applications. Employees might unknowingly download malicious applications that can infiltrate the organization’s network via the device.
- Data loss. Devices might get stolen or data could be wiped out. Therefore, a network backup policy and infrastructure must be set to avoid critical data losses.
- Data retrieval upon termination of employment. A company must have a policy in place to retrieve information from an employee’s device once their employment has ended.
Once this first step is taken, enterprises know their pain points and can apply security measures in a manner that best benefits the business. Until now, organizations had to weigh the pros and cons carefully to decide whether the benefits of BYOD policies are worth the risks.
Rather than simply banning employees from BYOD workflow or leaving the enterprise network wide open for cyber criminals, below are several tips to help enterprises improve their BYOD security without trading enterprise productivity
- Define the level of access to corporate data that employees have on their personal devices, depending on their role and device: unlimited access, access to non-sensitive data only, access with IT control over the device and stored data, etc.
- Educate employees about the risks when working outside the company’s protected environment (e.g. using unsecure Wi-Fi in a café), as well as best practices on device usage (e.g. password protection, back-ups, OS updates, etc.).
- Ensure that corporate data is backed up in the organization’s network and that employees are not using jailbroken smartphones, which are more exposed to malicious applications. Identify your 'crown jewels": the type of data that can be attractive to hackers, and "place them in a safe" by setting up safety procedures regarding access, storage, and back-ups of that particular information.
- Encrypt your data as it is worthwhile investing in encryption technologies to protect valuable data and render it useless, or at least lower its value through layering its accessibility.
- Conduct vulnerability assessment and penetration testing on the network and the applications from the technical side. You should conduct a vulnerability assessment to discover the flaws in your system. Once you have identified the flaws that can be exploited, conduct penetration testing to carry out attack simulated scenarios, gain an in-depth understanding of its degree of severity and how it can be remediated to avoid a real-life exploitation.
As hackers and cyber-attacks get more sophisticated and creative, it’s a matter of time before major hacks on mobile devices hit the headlines.
As more companies embrace the benefits of BYOD workflows, cybersecurity solutions must break the paradigm and offer innovative solutions that can deliver protection without affecting enterprise productivity.
Guy Caspi, CEO of Deep Instinct.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.