Managing the Risks - BYOD: Bring Your Own Device

Managing the Risks

BYOD: Bring Your Own Defense

  • By Fraser Thomas
  • Nov 03, 2014

The impact of flexibility when working through BYOD on businesses, where an employee is able to access the corporate network anywhere, anytime, has brought many benefits—increased productivity, less wasted time on travel and saving on overhead. Such a rapid cultural shift in traditional working practices, as witnessed by organizations across the country, has left many vulnerable and, in some cases, dangerously unaware.

The fact is that any employee using a personal mobile device to access corporate data represents a potential compromise to corporate security. Dimension Data recently reported that 82 percent of global organizations have embraced BYOD, but less than half have established an accompanying security policy. With the Ponemon Institute’s “2014 Cost of a Data Breach” study revealing that the average total cost of a company data breach is $3.5 million—a rise of 15 percent compared to the 2013 study—it is essential that businesses take control of BYOD today, before it has control over them.

Main BYOD Security Issues

Companies must become educated about the security issues surrounding BYOD as well as take inventory of their employees’ BYOD practices. This way, effective policies and procedures can be created to define proper security around all aspects of BYOD. Therefore, companies should analyze the following issues in terms of their work culture:

Who exactly is accessing the network? More than 90 percent of workers in the United States are using their personal smartphones for work purposes. In turn, companies are finding it increasingly difficult to keep tabs on all these devices that are seeking access to their networks, and when and how employees are accessing corporate data. With almost 60 percent of U.S. employees admitting that they are not concerned about the security of their workplace systems, how can businesses trust that their data is safe?

If you build a new door, strangers will come knocking: The provision of any wireless gateway into the corporate network invites connections from outside, beyond the control and protection of the secure, fixed network perimeter. Therefore, this point of entry is exposed to all manner of network villains from viruses and Trojans in popular circulation to the targeted attention of cybercriminals, not to mention the failings of an absent-minded employee who may leave his or her device in the coffee shop or on the train. Multiply these threats by the number of devices that have access to a corporate network and the risks start to become clear.

The popularity of consumer-driven devices: By definition, BYOD favors popular, consumer-led devices, most of which are not built with enterprise-class network security in mind. The default, out-of-thebox intruder prevention settings on these devices do not meet today’s business requirements, regardless of whether the intruder is trying to hack-in remotely or has the targeted device in their possession. Additionally, most consumers opt for mobile device settings which favor convenience over security. Even though many mobile handset manufacturers are wising up to the needs of the enterprise, most still have a long way to go before they can claim to be watertight.

A network is only as strong as its weakest link: Recent statistics reveal that 44.2 percent of Americans log-in to their corporate systems remotely via a username and password (UNP). Considered alongside the admission that one in five U.S. employees reuse the same password across personal and corporate systems, the alarm bells should already be ringing. Under such circumstances, it may only take one employee’s personal password to be hacked for unauthorized network access to be gained, compromising the entire network and all of the sensitive data held within.

With almost-weekly headlines of largescale data breaches across the United States and the rest of the world, the same passwords used to access your network could be sitting in a hacker’s stockpile, just waiting to be used. Threats to passwordprotected networks are only heightened by the sheer number of access points afforded by a BYOD culture.

Usability of apps: The demand for fast and convenient access to network data has led to a rise in the use of mobile apps as an alternative to web browsers. Popular email and business cloud platforms can be easily accessed by a mobile app, which does not require any authentication. It is quite shocking to know that once “active sync” is enabled on a business owner’s tablet, for example, he or she can have instant access to corporate data via their unmanaged device. The same goes for employees, too. Once the email settings have been configured and access details shared, anyone can access their email from any device, as can anyone else who knows the settings or gets their hands on one of those devices.

Also, popular with today’s workers are personal cloud applications, like Dropbox, that offer a simple and user-friendly solution for employees to keep whatever they’re working on within easy reach. These apps are password protected and easily accessed from a mobile device, enabling files to be quickly shared between users. For data loss, however, these apps could be catastrophic. When a file is shared, control over the content is automatically lost and it can be freely shared with others. What’s more, you do not receive any notification that this has happened.

Next Steps in BYOD Security

Sixty-seven percent of people use personal devices at work, regardless of the office’s official BYOD policy. Business owners and IT decision makers must accept that if employee demands for convenience go unmet, many will find their own independent ways of accessing corporate data, often without due consideration to network security. Businesses should take full ownership and control of the protection of their corporate data, but it must to be done in a way that their employees can handle.

It goes without saying, then, that workers should be governed by a BYOD policy. An effective internal policy should include:

  • A comprehensive review of internal user access policies;
  • a clear charter clarifying what data can and cannot be accessed from a mobile device;
  • guidance on how to change and manage device security settings; and
  • the introduction of a strong authentication method that goes beyond UNPs.

Workable BYOD needs to have boundaries. In today’s web-centric world, a user’s authentication is largely dictated by their Facebook experience, where access to an account is instantaneous, providing you have loggedin once on a particular device. Employees expect to have the same immediate access in the corporate world, as well, and be able access whatever they want, when they need it.

Data is the most valuable thing a company owns, but the importance of the data held in a corporate system varies. A sensible approach to BYOD and remote access authentication therefore should begin with a clear division between business-critical and less-important data. Organizations can define the access control parameters that work the best for their business structure by keeping the gateways to certain information accessible only to those with the right permissions.

Such an approach goes some way in resolving the nonchalant attitudes of employees to workplace security. Instead of simply tapping a mobile app or inputting a familiar UNP, something they offer up multiple times a day without thought, an individual will be required to stop and consider the action they are about to undertake and, as a result, the risk factor associated with it. The use of authentication signals to the user that they are shifting from a lowrisk to a high-risk environment. All of this can be achieved by turning an employee’s personal device into a virtual token connected to a dedicated, multifactor authentication platform so that the credentials of every individual trying to connect can be verified and the appropriate level of access granted. Because it puts the user right at the heart of the authentication process, they remain both engaged and informed. This will go a long way to appease the reservations of a cloud-fearing board of directors.

Requiring users to engage with stronger authentication models, based on a risk-accessed protocol, via their own devices will drive familiarity and, more importantly, considered actions from employees.

This article originally appeared in the November 2014 issue of Security Today.

Featured

  • 2025 Security LeadHER Conference Program Announced

    ASIS International and the Security Industry Association (SIA) – the leading membership associations for the security industry – have announced details for the 2025 Security LeadHER conference, a special event dedicated to advancing, connecting and empowering women in the security profession. The third annual Security LeadHER conference will be held Monday, June 9 – Tuesday, June 10, 2025, at the Detroit Marriott Renaissance Center in Detroit, Michigan. This carefully crafted program represents a comprehensive professional development opportunity for women in security this year. To view the full lineup at this year’s event, please visit securityleadher.org. Read Now

    • Industry Events

  • Report: 82 Percent of Phishing Emails Used AI

    KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today launched its Phishing Threat Trend Report, detailing key trends, new data, and threat intelligence insights surrounding phishing threats targeting organizations at the start of 2025. Read Now

  • NRF Supports Federal Bill to Thwart Retail Crime

    The National Retail Federation recently announced its support for the Combating Organized Retail Crime Act of 2025. The act was introduced by Chairman Chuck Grassley, R-Iowa, Senator Catherine Cortez Masto, D-Nev., and Representative Dave Joyce, R-Ohio. Read Now

  • ISC West 2025 Brings Almost 29,000 Industry Professionals to Las Vegas

    ISC West 2025, organized by RX and in collaboration with the Security Industry Association, concluded at the Venetian Expo in Las Vegas last week. The nation’s leading comprehensive and converged security event attracted nearly 29,000 industry professionals and left a lasting impression on the global security community. Over five action-packed days, ISC West welcomed more than 19,000 attendees and featured 750 exhibiting brands. Read Now

    • Industry Events
    • ISC West

  • Tradeshow Work Can Be Fun

    While at ISC West last week, I ran into numerous friends and associates all of which was a pleasant experience. The first question always seemed to be, “How many does this make for you?” Read Now

    • Industry Events
    • ISC West
Most   Popular

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.