Managing the Risks - BYOD: Bring Your Own Device

Managing the Risks

BYOD: Bring Your Own Defense

The impact of flexibility when working through BYOD on businesses, where an employee is able to access the corporate network anywhere, anytime, has brought many benefits—increased productivity, less wasted time on travel and saving on overhead. Such a rapid cultural shift in traditional working practices, as witnessed by organizations across the country, has left many vulnerable and, in some cases, dangerously unaware.

The fact is that any employee using a personal mobile device to access corporate data represents a potential compromise to corporate security. Dimension Data recently reported that 82 percent of global organizations have embraced BYOD, but less than half have established an accompanying security policy. With the Ponemon Institute’s “2014 Cost of a Data Breach” study revealing that the average total cost of a company data breach is $3.5 million—a rise of 15 percent compared to the 2013 study—it is essential that businesses take control of BYOD today, before it has control over them.

Main BYOD Security Issues

Companies must become educated about the security issues surrounding BYOD as well as take inventory of their employees’ BYOD practices. This way, effective policies and procedures can be created to define proper security around all aspects of BYOD. Therefore, companies should analyze the following issues in terms of their work culture:

Who exactly is accessing the network? More than 90 percent of workers in the United States are using their personal smartphones for work purposes. In turn, companies are finding it increasingly difficult to keep tabs on all these devices that are seeking access to their networks, and when and how employees are accessing corporate data. With almost 60 percent of U.S. employees admitting that they are not concerned about the security of their workplace systems, how can businesses trust that their data is safe?

If you build a new door, strangers will come knocking: The provision of any wireless gateway into the corporate network invites connections from outside, beyond the control and protection of the secure, fixed network perimeter. Therefore, this point of entry is exposed to all manner of network villains from viruses and Trojans in popular circulation to the targeted attention of cybercriminals, not to mention the failings of an absent-minded employee who may leave his or her device in the coffee shop or on the train. Multiply these threats by the number of devices that have access to a corporate network and the risks start to become clear.

The popularity of consumer-driven devices: By definition, BYOD favors popular, consumer-led devices, most of which are not built with enterprise-class network security in mind. The default, out-of-thebox intruder prevention settings on these devices do not meet today’s business requirements, regardless of whether the intruder is trying to hack-in remotely or has the targeted device in their possession. Additionally, most consumers opt for mobile device settings which favor convenience over security. Even though many mobile handset manufacturers are wising up to the needs of the enterprise, most still have a long way to go before they can claim to be watertight.

A network is only as strong as its weakest link: Recent statistics reveal that 44.2 percent of Americans log-in to their corporate systems remotely via a username and password (UNP). Considered alongside the admission that one in five U.S. employees reuse the same password across personal and corporate systems, the alarm bells should already be ringing. Under such circumstances, it may only take one employee’s personal password to be hacked for unauthorized network access to be gained, compromising the entire network and all of the sensitive data held within.

With almost-weekly headlines of largescale data breaches across the United States and the rest of the world, the same passwords used to access your network could be sitting in a hacker’s stockpile, just waiting to be used. Threats to passwordprotected networks are only heightened by the sheer number of access points afforded by a BYOD culture.

Usability of apps: The demand for fast and convenient access to network data has led to a rise in the use of mobile apps as an alternative to web browsers. Popular email and business cloud platforms can be easily accessed by a mobile app, which does not require any authentication. It is quite shocking to know that once “active sync” is enabled on a business owner’s tablet, for example, he or she can have instant access to corporate data via their unmanaged device. The same goes for employees, too. Once the email settings have been configured and access details shared, anyone can access their email from any device, as can anyone else who knows the settings or gets their hands on one of those devices.

Also, popular with today’s workers are personal cloud applications, like Dropbox, that offer a simple and user-friendly solution for employees to keep whatever they’re working on within easy reach. These apps are password protected and easily accessed from a mobile device, enabling files to be quickly shared between users. For data loss, however, these apps could be catastrophic. When a file is shared, control over the content is automatically lost and it can be freely shared with others. What’s more, you do not receive any notification that this has happened.

Next Steps in BYOD Security

Sixty-seven percent of people use personal devices at work, regardless of the office’s official BYOD policy. Business owners and IT decision makers must accept that if employee demands for convenience go unmet, many will find their own independent ways of accessing corporate data, often without due consideration to network security. Businesses should take full ownership and control of the protection of their corporate data, but it must to be done in a way that their employees can handle.

It goes without saying, then, that workers should be governed by a BYOD policy. An effective internal policy should include:

  • A comprehensive review of internal user access policies;
  • a clear charter clarifying what data can and cannot be accessed from a mobile device;
  • guidance on how to change and manage device security settings; and
  • the introduction of a strong authentication method that goes beyond UNPs.

Workable BYOD needs to have boundaries. In today’s web-centric world, a user’s authentication is largely dictated by their Facebook experience, where access to an account is instantaneous, providing you have loggedin once on a particular device. Employees expect to have the same immediate access in the corporate world, as well, and be able access whatever they want, when they need it.

Data is the most valuable thing a company owns, but the importance of the data held in a corporate system varies. A sensible approach to BYOD and remote access authentication therefore should begin with a clear division between business-critical and less-important data. Organizations can define the access control parameters that work the best for their business structure by keeping the gateways to certain information accessible only to those with the right permissions.

Such an approach goes some way in resolving the nonchalant attitudes of employees to workplace security. Instead of simply tapping a mobile app or inputting a familiar UNP, something they offer up multiple times a day without thought, an individual will be required to stop and consider the action they are about to undertake and, as a result, the risk factor associated with it. The use of authentication signals to the user that they are shifting from a lowrisk to a high-risk environment. All of this can be achieved by turning an employee’s personal device into a virtual token connected to a dedicated, multifactor authentication platform so that the credentials of every individual trying to connect can be verified and the appropriate level of access granted. Because it puts the user right at the heart of the authentication process, they remain both engaged and informed. This will go a long way to appease the reservations of a cloud-fearing board of directors.

Requiring users to engage with stronger authentication models, based on a risk-accessed protocol, via their own devices will drive familiarity and, more importantly, considered actions from employees.

This article originally appeared in the November 2014 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Cybersecurity Awareness Month: Top Five Action Items to Elevate Your Data Security Posture Management and Secure Your Data

    October is Cybersecurity Awareness Month, and every year most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed and these best practices can no longer be the bare minimum. Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3