[BreachExchange] Bringing better security to BYOD
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Feb 23 11:08:52 EST 2016
http://www.itproportal.com/2016/02/21/bringing-better-security-to-byod/
For most of us, our mobile and personal devices have become extensions of
our lives and even bodies. Most of us carry our smartphones with us all the
time, and when we can’t find them, we feel lost.
We are essentially always on, always connected to the Internet. This notion
of anytime, anywhere access has extended not only to our personal lives but
also to our professional lives.
In the name of employee productivity, Bring Your Own Device (BYOD) policies
have become widespread and blurred the lines between our personal and
corporate lives. Employees bringing their personal devices into
work-related activities and communications both inside and outside of
regular working hours has become the norm.
So why are so many people hopping on the BYOD bandwagon in the first place?
1. Increased productivity. The ability to log in and respond to emails or
work on documents, at any time of the day or night, from anywhere, has a
dramatic positive impact on productivity. According to Forrester’s study on
“Mobile enterprise services improve flexibility, productivity, and ROI,”
“anytime, anywhere” access to the workplace enabled employees to gain 45-60
minutes a week.
2. Increased satisfaction. According to CapGemini Consulting’s study
“Bring Your Own Device It’s all about Employee
Satisfaction and Productivity, not Costs,” employees feel more comfortable
working on their own devices. Abiding by this preference increases
employment flexibility and employee satisfaction.
3. Financial savings. Many BYOD policies require employees to cover their
own costs, enabling organisations to save on procurement and data plans.
Furthermore, people tend to upgrade their devices more often than
organisations. This enables organisations to benefit from newer, more
powerful devices with the latest features. However, these savings have been
found to be offset by the cost of managing BYOD programs.
4. Operational Agility. Organisations are better able to respond to the
needs of their global clients when employees are available to respond to
different time zones.
While BYOD brings satisfaction to customers’ employees and increases work
productivity for enterprises, it also opens up their network to security
risks. Employees are connecting their own devices – smartphones, tablets
and laptops – to the corporate network and leaving it open to security
risks. Herein lies the enormous risk to workplaces. BYOD has become the
perfect portal to the corporate network. It opens the door to a plethora of
risks, including: ransomware of corporate data, collection of sensitive
authentication data (later used for targeted attacks), and a bridge to
highly secured, air-gapped networks.
As more companies embrace the accessibility benefits of BYOD policies, it’s
vital to remember the dangerous security implications BYOD also brings. The
trick to keeping BYOD productivity, while ensuring corporate security, is
to first understand the current limitations of BYOD devices and policies
before applying a solution. Some of the most common BYOD dangers include:
1. Cyber threats from unsecured networks. Logging in to the organisation’s
network outside the secured perimeter of the organisation exposes the
employee’s device and the entire organisation’s network to cyber threats.
2. Cyber threats from applications. Employees might unknowingly download
malicious applications that can infiltrate the organisation’s network via
the device.
3. Data loss. Devices might get stolen or data could be wiped out.
Therefore, a network backup policy and infrastructure must be set to avoid
critical data losses.
4. Data retrieval upon termination of employment. A company must have a
policy in place to retrieve information from an employee’s device once
their employment has ended.
Once this first step is taken, enterprises know their pain points and can
apply security measures in a manner that best benefits the business. Until
now, organisations had to weigh the pros and cons carefully to decide
whether the benefits of BYOD policies are worth the risks.
Rather than simply banning employees from BYOD workflow or leaving the
enterprise network wide open for cyber criminals, below are several tips to
help enterprises improve their BYOD security without trading enterprise
productivity:
1. Define the level of access to corporate data that employees have on
their personal devices, depending on their role and device: unlimited
access, access to non-sensitive data only, access with IT control over the
device and stored data, etc.
2. Educate employees about the risks when working outside the company’s
protected environment (e.g. using unsecure Wi-Fi in a café), as well as
best practices on device usage (e.g. password protection, back-ups, OS
updates, etc.).
3. Ensure that corporate data is backed up in the organisation’s network
and that employees are not using jailbroken smartphones, which are more
exposed to malicious applications. Identify your “crown jewels:” the type
of data that can be attractive to hackers, and “place them in a safe” by
setting up safety procedures regarding access, storage, and back-ups of
that particular information.
4. Encrypt your data. It is worthwhile investing in encryption
technologies to protect valuable data and render it useless, or at least
lower its value through layering its accessibility.
5. Conduct vulnerability assessment & penetration testing on the network
and the applications from the technical side. You should conduct a
vulnerability assessment to discover the flaws in your system. Once you
have identified the flaws that can be exploited, conduct penetration
testing to carry out simulated attack scenarios and gain an in-depth
understanding of their degree of severity and how they can be remediated to
avoid a real-life exploitation.
As hackers and cyber-attacks get more sophisticated and creative, it’s a
matter of time before major hacks on mobile devices hit the headlines.
As more companies embrace the benefits of BYOD workflows, cybersecurity
solutions must break the paradigm and offer innovative solutions that can
deliver protection without affecting enterprise productivity.