Could your BYOD system be a threat to your business?
Nowadays, practically everyone is connected to the Internet at home, in the office and on the move. This has introduced fantastic opportunities for businesses and employees to operate smarter. Bring Your Own Device (BYOD), the concept of allowing employees to work in the office or remotely using their own devices rather than company-owned ones, has been around for a while now and really makes the most of this 'personal device era'. It’s convenient for employees to use their own devices, reduces the burden on IT admin and saves Capex costs for the business. But could BYOD end up being the company’s biggest threat?
Employees now have the opportunity to use their own personal devices for work purposes. The thought behind this is that employees are already familiar with their own devices and already have them on hand at all times. BYOD is generally a good thing, but it is not without its challenges and concerns. Like any new development, the risks need to be evaluated. But, in theory, team members will be more productive and happier at work with a BYOD scheme in place.
Some pressing concerns
The areas of highest concern within the enterprise are: data leakage and loss, unauthorized access to company data and systems, downloading unsafe apps or content, and malware.
BYOD has been around for a while; however, there is no universal set of guidelines for employers and employees to work to. But there are some best practices that security experts recommend.
My personal view is that the most pressing concerns with BYOD are those of network and security stability. Keeping your company’s private and sensitive data secure is one of your IT department’s biggest responsibilities and BYOD adds a new dimension to this ongoing struggle. As the workforce becomes more reliant on mobile devices, the floodgates of data leakage and threats open up, resulting in an even greater reliance on the IT department to secure mobile devices.
According to the Crowd Research Partners BYOD & Mobile Security 2016 Spotlight Report, 72 percent of respondents are concerned with data leakage and loss, 56 percent with unauthorized access to company data and systems, 52 percent with downloading unsafe apps or content by users and 52 percent with malware.
Mobile phones and tablets are the weakest link when it comes to security and are prone to attacks. They also require regular patch updates, with the responsibility for these falling on employees. That puts the onus on organizations to implement policies and procedures that help employees keep their devices secure.
Because employees carry their devices all of the time, these devices also have access to their employer’s network and secure data -- all the time. This means that a lost or stolen device is a potential threat. It also means that any malicious program hiding on a personal device now also has access to your company’s network and data. All it takes is one infected device to compromise the integrity of your network and data security. Through BYOD, CIOs can have less control over the mobile devices used in their organization, which ultimately means they are more vulnerable to attacks.
The Crowd Research Partners research also mentioned the threat of employees downloading mobile apps -- this I agree with. Employees can use these apps to connect to external Wi-Fi spots without having the correct security protocols in place. This creates serious security holes that can be exploited by hackers.
Coupled with this, your employees might not have anti-virus protection or an up-to-date firewall on their mobile devices, which means they are more vulnerable to attacks. To prevent viruses from spreading, it is important that there is a gatekeeper like a VPN, which grants access by verifying that the data being transferred from the mobile device to your IT network is encrypted and permitted.
What can you do?
You must create a strategy for BYOD with a business case and a goal statement. As technology continues to advance and change the way we live and work, building a smart, flexible mobile strategy will allow companies to explore innovative ways to empower their workforce and drive greater productivity.
In addition, you must secure devices and apps by implementing an MDM solution, or other container-focused management utilities that will greatly help your organization in managing and securing the devices. The policies on the devices or within managed containers should be defined by the risk assessment.
You can also complement end-user and administrative security with more extensive network safety: the creation of multiple virtual routing and forwarding (VRF) and virtual switching instance (VSI) environments on the same physical infrastructure allows separate virtual LANs (VLANs) for traffic segregation, i.e. trusted vs untrusted traffic. This way, a BYOD smartphone can be contained on a VRF for user-owned devices, and any malware that may intrude upon it can be kept from infecting the most trusted environment that’s reserved for corporate-issued systems.
Here are steps you can take to ensure that information security won’t be needlessly impaired by the use of employees’ devices:
- Make sure users register their devices with your IT security professionals
- Require employees to use PINs, passwords or patterns for data access
- Implement the handset’s device-level encryption
- Set company guidelines, user policies and provide training
- Create enterprise-wide BYOD policies
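The VRF segregation and the device checklist above can be combined into one admission decision. The sketch below is an added example, not code from the article or from any product: it places corporate-issued devices in the trusted VRF, admits user-owned devices to a BYOD VRF only if they pass the registration, passcode and encryption checks, and audits an inter-VRF policy for flows that would defeat the segregation. The VRF names, the `Device` fields and the sample inventory and flows are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Segment names are assumptions for this example; the article names no specific VRFs.
TRUSTED_VRF = "vrf-trusted"  # reserved for corporate-issued systems
BYOD_VRF = "vrf-byod"        # registered, compliant user-owned devices

@dataclass(frozen=True)
class Device:
    owner: str
    corporate_issued: bool
    registered: bool     # registered with IT security
    passcode_set: bool   # PIN, password or pattern required
    encrypted: bool      # device-level encryption enabled

def posture_gaps(d: Device) -> list[str]:
    """Return the checklist items this device fails."""
    checks = [("registered", d.registered), ("passcode", d.passcode_set),
              ("encryption", d.encrypted)]
    return [name for name, ok in checks if not ok]

def assign_segment(d: Device) -> str | None:
    """Pick the VRF for a device, or None to refuse network access."""
    if d.corporate_issued:
        return TRUSTED_VRF
    return None if posture_gaps(d) else BYOD_VRF

def leaks_into_trusted(flows: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Flag permitted (src_vrf, dst_vrf, service) flows that reach the trusted VRF."""
    return [f for f in flows if f[1] == TRUSTED_VRF and f[0] != TRUSTED_VRF]

# Constructed sample inventory and inter-VRF policy (not real data).
DEVICES = [
    Device("alice", corporate_issued=True, registered=True, passcode_set=True, encrypted=True),
    Device("bob", corporate_issued=False, registered=True, passcode_set=True, encrypted=True),
    Device("carol", corporate_issued=False, registered=True, passcode_set=False, encrypted=True),
    Device("dave", corporate_issued=False, registered=False, passcode_set=True, encrypted=False),
]
FLOWS = [
    (BYOD_VRF, "vrf-internet", "tcp/443"),
    (BYOD_VRF, TRUSTED_VRF, "tcp/445"),  # a route leak that defeats the segregation
    (TRUSTED_VRF, "vrf-internet", "tcp/443"),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.owner, assign_segment(d), posture_gaps(d))
    print("leaks into trusted:", leaks_into_trusted(FLOWS))
```

Running the audit whenever the inter-VRF policy changes catches a leak before malware on a user-owned device can use it to reach the trusted environment.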
Getting clever about BYOD
Making BYOD a success requires organizations to intelligently detect nefarious activity, like APTs, that enter the corporate environment courtesy of user-owned smartphones and tablets. Network behavioral analysis and machine learning solutions that monitor network activity and adapt to changing threat conditions are a wise investment in supporting BYOD initiatives.
With data loss, unauthorized access and malware being just some of the concerns around BYOD, you must make sure all devices are registered, device-level encryption is installed and user policies are established. Educating employees on how to protect their devices and ensuring they are configured in line with security policies ensures that even the basic security precautions are adopted.
One thing is for sure: There’s no time to waste getting more done. Citing BYOD as a driver of innovation, as well as device and service cost savings, Gartner has predicted that by next year, half of all businesses will require workers to use a personal device for work.
David Venable, Vice President of Cyber Security at Masergy Communications, has over 15 years experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a former intelligence collector with the National Security Agency, with extensive experience in Computer Network Exploitation, Information Operations, and Digital Network Intelligence. He also served as adjunct faculty at the National Cryptologic School.