Managing the Risks - BYOD: Bring Your Own Device

BYOD: Bring Your Own Defense

The flexibility that BYOD brings to businesses, where an employee can access the corporate network anywhere and at any time, has delivered many benefits: increased productivity, less time wasted on travel and savings on overhead. Such a rapid cultural shift in traditional working practices, witnessed by organizations across the country, has left many vulnerable and, in some cases, dangerously unaware.

The fact is that any employee using a personal mobile device to access corporate data represents a potential compromise to corporate security. Dimension Data recently reported that 82 percent of global organizations have embraced BYOD, but less than half have established an accompanying security policy. With the Ponemon Institute’s “2014 Cost of a Data Breach” study revealing that the average total cost of a company data breach is $3.5 million—a rise of 15 percent compared to the 2013 study—it is essential that businesses take control of BYOD today, before it has control over them.

Main BYOD Security Issues

Companies must become educated about the security issues surrounding BYOD as well as take inventory of their employees’ BYOD practices. This way, effective policies and procedures can be created to define proper security around all aspects of BYOD. Therefore, companies should analyze the following issues in terms of their work culture:

Who exactly is accessing the network? More than 90 percent of workers in the United States are using their personal smartphones for work purposes. In turn, companies are finding it increasingly difficult to keep tabs on all these devices that are seeking access to their networks, and when and how employees are accessing corporate data. With almost 60 percent of U.S. employees admitting that they are not concerned about the security of their workplace systems, how can businesses trust that their data is safe?

If you build a new door, strangers will come knocking: The provision of any wireless gateway into the corporate network invites connections from outside, beyond the control and protection of the secure, fixed network perimeter. Therefore, this point of entry is exposed to all manner of network villains from viruses and Trojans in popular circulation to the targeted attention of cybercriminals, not to mention the failings of an absent-minded employee who may leave his or her device in the coffee shop or on the train. Multiply these threats by the number of devices that have access to a corporate network and the risks start to become clear.

The popularity of consumer-driven devices: By definition, BYOD favors popular, consumer-led devices, most of which are not built with enterprise-class network security in mind. The default, out-of-the-box intruder prevention settings on these devices do not meet today’s business requirements, regardless of whether the intruder is trying to hack in remotely or has the targeted device in their possession. Additionally, most consumers opt for mobile device settings that favor convenience over security. Even though many mobile handset manufacturers are wising up to the needs of the enterprise, most still have a long way to go before they can claim to be watertight.

A network is only as strong as its weakest link: Recent statistics reveal that 44.2 percent of Americans log in to their corporate systems remotely via a username and password (UNP). Considered alongside the admission that one in five U.S. employees reuse the same password across personal and corporate systems, the alarm bells should already be ringing. Under such circumstances, it may take only one employee’s personal password to be hacked for unauthorized network access to be gained, compromising the entire network and all of the sensitive data held within.

With almost-weekly headlines of large-scale data breaches across the United States and the rest of the world, the same passwords used to access your network could be sitting in a hacker’s stockpile, just waiting to be used. Threats to password-protected networks are only heightened by the sheer number of access points afforded by a BYOD culture.

Usability of apps: The demand for fast and convenient access to network data has led to a rise in the use of mobile apps as an alternative to web browsers. Popular email and business cloud platforms can be easily accessed by a mobile app, which does not require any authentication. It is quite shocking to know that once “active sync” is enabled on a business owner’s tablet, for example, he or she can have instant access to corporate data via their unmanaged device. The same goes for employees, too. Once the email settings have been configured and access details shared, anyone can access their email from any device, as can anyone else who knows the settings or gets their hands on one of those devices.

Also, popular with today’s workers are personal cloud applications, like Dropbox, that offer a simple and user-friendly solution for employees to keep whatever they’re working on within easy reach. These apps are password protected and easily accessed from a mobile device, enabling files to be quickly shared between users. For data loss, however, these apps could be catastrophic. When a file is shared, control over the content is automatically lost and it can be freely shared with others. What’s more, you do not receive any notification that this has happened.

Next Steps in BYOD Security

Sixty-seven percent of people use personal devices at work, regardless of the office’s official BYOD policy. Business owners and IT decision makers must accept that if employee demands for convenience go unmet, many will find their own independent ways of accessing corporate data, often without due consideration for network security. Businesses should take full ownership and control of the protection of their corporate data, but it must be done in a way that their employees can handle.

It goes without saying, then, that workers should be governed by a BYOD policy. An effective internal policy should include:

  • A comprehensive review of internal user access policies;
  • a clear charter clarifying what data can and cannot be accessed from a mobile device;
  • guidance on how to change and manage device security settings; and
  • the introduction of a strong authentication method that goes beyond UNPs.

Workable BYOD needs to have boundaries. In today’s web-centric world, a user’s expectations of authentication are largely dictated by their Facebook experience, where access to an account is instantaneous, provided you have logged in once on a particular device. Employees expect to have the same immediate access in the corporate world as well, and to be able to access whatever they want, whenever they need it.

Data is the most valuable thing a company owns, but the importance of the data held in a corporate system varies. A sensible approach to BYOD and remote access authentication therefore should begin with a clear division between business-critical and less-important data. Organizations can define the access control parameters that work the best for their business structure by keeping the gateways to certain information accessible only to those with the right permissions.

Such an approach goes some way toward resolving the nonchalant attitudes of employees to workplace security. Instead of simply tapping a mobile app or entering a familiar UNP, something they offer up multiple times a day without thought, an individual will be required to stop and consider the action they are about to undertake and, as a result, the risk factor associated with it. The authentication step signals to the user that they are shifting from a low-risk to a high-risk environment. All of this can be achieved by turning an employee’s personal device into a virtual token connected to a dedicated, multifactor authentication platform, so that the credentials of every individual trying to connect can be verified and the appropriate level of access granted. Because it puts the user right at the heart of the authentication process, they remain both engaged and informed. This will go a long way toward appeasing the reservations of a cloud-fearing board of directors.

Requiring users to engage with stronger authentication models, based on a risk-assessed protocol, via their own devices will drive familiarity and, more importantly, considered actions from employees.
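As an added illustration, not code from this article or from any vendor it mentions, the following Python models the approach described above: data is split into low- and high-sensitivity tiers, a plain username and password is enough for the low tier, and crossing into the high tier forces a step-up challenge in which the employee's own device acts as a virtual token. The resource paths, the session record and the 15-minute re-challenge interval are constructed assumptions; the one-time code is a standard RFC 6238 TOTP, which is what common authenticator apps use to turn a phone into a token.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """How strongly the current session has been authenticated."""
    NONE = 0
    PASSWORD = 1       # username + password (UNP) only
    DEVICE_TOKEN = 2   # UNP plus a one-time code from the enrolled personal device


# Constructed classification of corporate resources into sensitivity tiers.
RESOURCE_TIER = {
    "/intranet/cafeteria-menu": "low",
    "/mail/inbox": "low",
    "/finance/payroll": "high",
    "/crm/customer-records": "high",
}
REQUIRED_ASSURANCE = {"low": Assurance.PASSWORD, "high": Assurance.DEVICE_TOKEN}
STEP_UP_TTL = 15 * 60   # assumed: seconds a step-up stays valid before the user is challenged again


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1), as the device app would compute it."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current 30-second step or its immediate neighbours (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * 30), code)
        for drift in range(-window, window + 1)
    )


@dataclass
class Session:
    user: str
    assurance: Assurance = Assurance.PASSWORD   # the employee logged in with a UNP
    stepped_up_at: Optional[float] = None       # when the device token was last verified


@dataclass
class Decision:
    action: str    # "allow", "step_up" or "deny"
    reason: str


def authorize(session: Session, resource: str, now: float) -> Decision:
    """Decide whether the request passes, needs a step-up challenge, or is refused."""
    tier = RESOURCE_TIER.get(resource)
    if tier is None:
        return Decision("deny", f"{resource} is unclassified; default deny")
    if session.assurance < Assurance.PASSWORD:
        return Decision("deny", "session is not authenticated")
    needed = REQUIRED_ASSURANCE[tier]
    if needed >= Assurance.DEVICE_TOKEN:
        fresh = session.stepped_up_at is not None and now - session.stepped_up_at <= STEP_UP_TTL
        if session.assurance < needed or not fresh:
            # The user is moving from a low-risk to a high-risk environment: make them stop and think.
            return Decision("step_up", f"{resource} is {tier}-sensitivity; enter the code from your enrolled device")
    return Decision("allow", f"{resource} is {tier}-sensitivity; session assurance {session.assurance.name} suffices")


def complete_step_up(session: Session, device_secret: bytes, code: str, now: float) -> bool:
    """Verify the device-generated code and, on success, raise the session's assurance level."""
    if not verify_totp(device_secret, code, int(now)):
        return False
    session.assurance = Assurance.DEVICE_TOKEN
    session.stepped_up_at = now
    return True


if __name__ == "__main__":
    secret = b"constructed-demo-device-secret"   # assumed: shared at device enrolment
    now = time.time()
    alice = Session("alice")
    print(authorize(alice, "/mail/inbox", now))
    print(authorize(alice, "/finance/payroll", now))              # step_up
    complete_step_up(alice, secret, totp(secret, int(now)), now)  # code from her phone
    print(authorize(alice, "/finance/payroll", now))              # allow
```

The decision for high-tier data is made on every request and is tied to the freshness of the last device verification, so an employee who drifts back to payroll half an hour after a coffee break is challenged again rather than riding an old session, which is the point of the article's virtual-token model.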

This article originally appeared in the November 2014 issue of Security Today.
