Managing the Risks

BYOD: Bring Your Own Defense

• By Fraser Thomas
• Nov 03, 2014

The impact of flexibility when working through BYOD on businesses, where an employee is able to access the corporate network anywhere, anytime, has brought many benefits—increased productivity, less wasted time on travel and saving on overhead. Such a rapid cultural shift in traditional working practices, as witnessed by organizations across the country, has left many vulnerable and, in some cases, dangerously unaware.

The fact is that any employee using a personal mobile device to access corporate data represents a potential compromise to corporate security. Dimension Data recently reported that 82 percent of global organizations have embraced BYOD, but less than half have established an accompanying security policy. With the Ponemon Institute’s “2014 Cost of a Data Breach” study revealing that the average total cost of a company data breach is $3.5 million—a rise of 15 percent compared to the 2013 study—it is essential that businesses take control of BYOD today, before it has control over them.

Main BYOD Security Issues

Companies must become educated about the security issues surrounding BYOD as well as take inventory of their employees’ BYOD practices. This way, effective policies and procedures can be created to define proper security around all aspects of BYOD. Therefore, companies should analyze the following issues in terms of their work culture:

Who exactly is accessing the network? More than 90 percent of workers in the United States are using their personal smartphones for work purposes. In turn, companies are finding it increasingly difficult to keep tabs on all these devices that are seeking access to their networks, and when and how employees are accessing corporate data. With almost 60 percent of U.S. employees admitting that they are not concerned about the security of their workplace systems, how can businesses trust that their data is safe?

If you build a new door, strangers will come knocking: The provision of any wireless gateway into the corporate network invites connections from outside, beyond the control and protection of the secure, fixed network perimeter. Therefore, this point of entry is exposed to all manner of network villains from viruses and Trojans in popular circulation to the targeted attention of cybercriminals, not to mention the failings of an absent-minded employee who may leave his or her device in the coffee shop or on the train. Multiply these threats by the number of devices that have access to a corporate network and the risks start to become clear.

The popularity of consumer-driven devices: By definition, BYOD favors popular, consumer-led devices, most of which are not built with enterprise-class network security in mind. The default, out-of-thebox intruder prevention settings on these devices do not meet today’s business requirements, regardless of whether the intruder is trying to hack-in remotely or has the targeted device in their possession. Additionally, most consumers opt for mobile device settings which favor convenience over security. Even though many mobile handset manufacturers are wising up to the needs of the enterprise, most still have a long way to go before they can claim to be watertight.

A network is only as strong as its weakest link: Recent statistics reveal that 44.2 percent of Americans log-in to their corporate systems remotely via a username and password (UNP). Considered alongside the admission that one in five U.S. employees reuse the same password across personal and corporate systems, the alarm bells should already be ringing. Under such circumstances, it may only take one employee’s personal password to be hacked for unauthorized network access to be gained, compromising the entire network and all of the sensitive data held within.

With almost-weekly headlines of largescale data breaches across the United States and the rest of the world, the same passwords used to access your network could be sitting in a hacker’s stockpile, just waiting to be used. Threats to passwordprotected networks are only heightened by the sheer number of access points afforded by a BYOD culture.

Usability of apps: The demand for fast and convenient access to network data has led to a rise in the use of mobile apps as an alternative to web browsers. Popular email and business cloud platforms can be easily accessed by a mobile app, which does not require any authentication. It is quite shocking to know that once “active sync” is enabled on a business owner’s tablet, for example, he or she can have instant access to corporate data via their unmanaged device. The same goes for employees, too. Once the email settings have been configured and access details shared, anyone can access their email from any device, as can anyone else who knows the settings or gets their hands on one of those devices.

Also, popular with today’s workers are personal cloud applications, like Dropbox, that offer a simple and user-friendly solution for employees to keep whatever they’re working on within easy reach. These apps are password protected and easily accessed from a mobile device, enabling files to be quickly shared between users. For data loss, however, these apps could be catastrophic. When a file is shared, control over the content is automatically lost and it can be freely shared with others. What’s more, you do not receive any notification that this has happened.

Next Steps in BYOD Security

Sixty-seven percent of people use personal devices at work, regardless of the office’s official BYOD policy. Business owners and IT decision makers must accept that if employee demands for convenience go unmet, many will find their own independent ways of accessing corporate data, often without due consideration to network security. Businesses should take full ownership and control of the protection of their corporate data, but it must to be done in a way that their employees can handle.

It goes without saying, then, that workers should be governed by a BYOD policy. An effective internal policy should include:

• A comprehensive review of internal user access policies;
• a clear charter clarifying what data can and cannot be accessed from a mobile device;
• guidance on how to change and manage device security settings; and
• the introduction of a strong authentication method that goes beyond UNPs.

Workable BYOD needs to have boundaries. In today’s web-centric world, a user’s authentication is largely dictated by their Facebook experience, where access to an account is instantaneous, providing you have loggedin once on a particular device. Employees expect to have the same immediate access in the corporate world, as well, and be able access whatever they want, when they need it.

Data is the most valuable thing a company owns, but the importance of the data held in a corporate system varies. A sensible approach to BYOD and remote access authentication therefore should begin with a clear division between business-critical and less-important data. Organizations can define the access control parameters that work the best for their business structure by keeping the gateways to certain information accessible only to those with the right permissions.

Such an approach goes some way in resolving the nonchalant attitudes of employees to workplace security. Instead of simply tapping a mobile app or inputting a familiar UNP, something they offer up multiple times a day without thought, an individual will be required to stop and consider the action they are about to undertake and, as a result, the risk factor associated with it. The use of authentication signals to the user that they are shifting from a lowrisk to a high-risk environment. All of this can be achieved by turning an employee’s personal device into a virtual token connected to a dedicated, multifactor authentication platform so that the credentials of every individual trying to connect can be verified and the appropriate level of access granted. Because it puts the user right at the heart of the authentication process, they remain both engaged and informed. This will go a long way to appease the reservations of a cloud-fearing board of directors.

Requiring users to engage with stronger authentication models, based on a risk-accessed protocol, via their own devices will drive familiarity and, more importantly, considered actions from employees.

This article originally appeared in the November 2014 issue of Security Today.