Managing the Risks - BYOD: Bring Your Own Device

Managing the Risks

BYOD: Bring Your Own Defense

The impact of flexibility when working through BYOD on businesses, where an employee is able to access the corporate network anywhere, anytime, has brought many benefits—increased productivity, less wasted time on travel and saving on overhead. Such a rapid cultural shift in traditional working practices, as witnessed by organizations across the country, has left many vulnerable and, in some cases, dangerously unaware.

The fact is that any employee using a personal mobile device to access corporate data represents a potential compromise to corporate security. Dimension Data recently reported that 82 percent of global organizations have embraced BYOD, but less than half have established an accompanying security policy. With the Ponemon Institute’s “2014 Cost of a Data Breach” study revealing that the average total cost of a company data breach is $3.5 million—a rise of 15 percent compared to the 2013 study—it is essential that businesses take control of BYOD today, before it has control over them.

Main BYOD Security Issues

Companies must become educated about the security issues surrounding BYOD as well as take inventory of their employees’ BYOD practices. This way, effective policies and procedures can be created to define proper security around all aspects of BYOD. Therefore, companies should analyze the following issues in terms of their work culture:

Who exactly is accessing the network? More than 90 percent of workers in the United States are using their personal smartphones for work purposes. In turn, companies are finding it increasingly difficult to keep tabs on all these devices that are seeking access to their networks, and when and how employees are accessing corporate data. With almost 60 percent of U.S. employees admitting that they are not concerned about the security of their workplace systems, how can businesses trust that their data is safe?

If you build a new door, strangers will come knocking: The provision of any wireless gateway into the corporate network invites connections from outside, beyond the control and protection of the secure, fixed network perimeter. Therefore, this point of entry is exposed to all manner of network villains from viruses and Trojans in popular circulation to the targeted attention of cybercriminals, not to mention the failings of an absent-minded employee who may leave his or her device in the coffee shop or on the train. Multiply these threats by the number of devices that have access to a corporate network and the risks start to become clear.

The popularity of consumer-driven devices: By definition, BYOD favors popular, consumer-led devices, most of which are not built with enterprise-class network security in mind. The default, out-of-thebox intruder prevention settings on these devices do not meet today’s business requirements, regardless of whether the intruder is trying to hack-in remotely or has the targeted device in their possession. Additionally, most consumers opt for mobile device settings which favor convenience over security. Even though many mobile handset manufacturers are wising up to the needs of the enterprise, most still have a long way to go before they can claim to be watertight.

A network is only as strong as its weakest link: Recent statistics reveal that 44.2 percent of Americans log-in to their corporate systems remotely via a username and password (UNP). Considered alongside the admission that one in five U.S. employees reuse the same password across personal and corporate systems, the alarm bells should already be ringing. Under such circumstances, it may only take one employee’s personal password to be hacked for unauthorized network access to be gained, compromising the entire network and all of the sensitive data held within.

With almost-weekly headlines of largescale data breaches across the United States and the rest of the world, the same passwords used to access your network could be sitting in a hacker’s stockpile, just waiting to be used. Threats to passwordprotected networks are only heightened by the sheer number of access points afforded by a BYOD culture.

Usability of apps: The demand for fast and convenient access to network data has led to a rise in the use of mobile apps as an alternative to web browsers. Popular email and business cloud platforms can be easily accessed by a mobile app, which does not require any authentication. It is quite shocking to know that once “active sync” is enabled on a business owner’s tablet, for example, he or she can have instant access to corporate data via their unmanaged device. The same goes for employees, too. Once the email settings have been configured and access details shared, anyone can access their email from any device, as can anyone else who knows the settings or gets their hands on one of those devices.

Also, popular with today’s workers are personal cloud applications, like Dropbox, that offer a simple and user-friendly solution for employees to keep whatever they’re working on within easy reach. These apps are password protected and easily accessed from a mobile device, enabling files to be quickly shared between users. For data loss, however, these apps could be catastrophic. When a file is shared, control over the content is automatically lost and it can be freely shared with others. What’s more, you do not receive any notification that this has happened.

Next Steps in BYOD Security

Sixty-seven percent of people use personal devices at work, regardless of the office’s official BYOD policy. Business owners and IT decision makers must accept that if employee demands for convenience go unmet, many will find their own independent ways of accessing corporate data, often without due consideration to network security. Businesses should take full ownership and control of the protection of their corporate data, but it must to be done in a way that their employees can handle.

It goes without saying, then, that workers should be governed by a BYOD policy. An effective internal policy should include:

  • A comprehensive review of internal user access policies;
  • a clear charter clarifying what data can and cannot be accessed from a mobile device;
  • guidance on how to change and manage device security settings; and
  • the introduction of a strong authentication method that goes beyond UNPs.

Workable BYOD needs to have boundaries. In today’s web-centric world, a user’s authentication is largely dictated by their Facebook experience, where access to an account is instantaneous, providing you have loggedin once on a particular device. Employees expect to have the same immediate access in the corporate world, as well, and be able access whatever they want, when they need it.

Data is the most valuable thing a company owns, but the importance of the data held in a corporate system varies. A sensible approach to BYOD and remote access authentication therefore should begin with a clear division between business-critical and less-important data. Organizations can define the access control parameters that work the best for their business structure by keeping the gateways to certain information accessible only to those with the right permissions.

Such an approach goes some way in resolving the nonchalant attitudes of employees to workplace security. Instead of simply tapping a mobile app or inputting a familiar UNP, something they offer up multiple times a day without thought, an individual will be required to stop and consider the action they are about to undertake and, as a result, the risk factor associated with it. The use of authentication signals to the user that they are shifting from a lowrisk to a high-risk environment. All of this can be achieved by turning an employee’s personal device into a virtual token connected to a dedicated, multifactor authentication platform so that the credentials of every individual trying to connect can be verified and the appropriate level of access granted. Because it puts the user right at the heart of the authentication process, they remain both engaged and informed. This will go a long way to appease the reservations of a cloud-fearing board of directors.

Requiring users to engage with stronger authentication models, based on a risk-accessed protocol, via their own devices will drive familiarity and, more importantly, considered actions from employees.

This article originally appeared in the November 2014 issue of Security Today.

Featured

  • Freedom of Choice

    In today's security landscape, we are witnessing a fundamental transformation in how organizations manage digital evidence. Law enforcement agencies, campus security teams, and large facility operators face increasingly complex challenges with expanding video data, tightening budget constraints and inflexible systems that limit innovation. Read Now

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • Midtown Manhattan Shooting Kills 4, Including NYPD Officer

    Four people were killed, including a NYPD officer, in a midtown Manhattan shooting on Monday. That’s according to CNN. Read Now

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.