Bring-your-own-device (BYOD) programs gained significant popularity in 2016. The 2016 BYOD & Mobile Security study by LinkedIn's Information Security Group and Crowd Research Partners found that cost isn't always the biggest motivator behind BYOD adoption, with security leaders citing the following motivations:
- Increased employee mobility (63 percent)
- Employee satisfaction (56 percent)
- Productivity (55 percent)
Despite the benefits, over one-third of security pros admit that their company's BYOD program imposes a major burden on their security resources, according to the same study.
Mitigating BYOD Security Risks
At many organizations, BYOD is a decision that's made for many reasons that have nothing to do with security. If you're at the helm of a program that allows, or is considering allowing, employees to use personal devices for work, you're probably concerned about the security risks. In this blog, you'll learn the difference between hype and reality with regard to current BYOD security fears, and how to protect your organization.
1. Data Leakage
Regardless of whether your employees need to access their corporate email or protected payroll information via mobile, data leakage is a possibility when personal devices come into play. Data can be lost or exposed when devices are misplaced or stolen, or if a personally owned device has malware on it. While cloud technology has mitigated most data loss due to device damage, security barriers and backups are crucial to a healthy BYOD program.
Ways to prevent data leakage include:
- Mobile device management: In case of loss or theft, an MDM program can enable IT to remotely "wipe" a device to ensure sensitive information is not exposed.
- Smarter data provisioning: Minimum necessary access is the smartest way to limit exposure. Role-based provisioning is optimal for security.
- The use of app segregation and/or a VPN: Segregation and VPNs prevent sensitive data from being leaked via sketchy public wireless hotspots, and can create barriers between personal and work content on a personal device.
- File integrity monitoring: Agent-based file integrity monitoring software that operates at the kernel level can notify IT the moment malware gains access to a device, allowing you to take action before it impacts your network.
2. Sketchy Apps
Not all personal apps are what they appear to be, or have any business being on your end users' mobile devices. Back in July, you may remember the Pokémon Go craze and the large quantity of fake and malicious apps that accompanied it. TechCrunch reports that some of the confirmed malicious apps carried titles such as "Pokémon Go Ultimate," "Guide & Cheats for Pokémon GO," and "Install Pokémongo," in order to appeal to fans of the game.
In some cases, malicious apps have the potential to take control over the user's mobile device. This can result in surveillance, unexpected data or call charges, or loss of personal or work information. Your users need training on app best practices. This knowledge-based training should include the importance of only downloading content from official app stores. In many cases, malicious mirror or copycat apps are downloaded through webpages rather than an app store.
3. A Lack of Management
With any mobile device, employee or company-owned, there are risks associated with a loss of control. When an endpoint walks out of your company's building, it can be difficult to control whether it's used on questionable free wireless connections or whether it will be misplaced or stolen.
Protecting mobile and laptop endpoints from exposure requires IT pros to focus on a mix of device security, layered protection, and smarter provisioning.
- Mobile device management: MDM allows IT to remotely control the content and security of an employee's device. When coupled with file integrity monitoring, IT pros can establish an optimal level of control.
- Enterprise App Stores: Providing employees with easy access to the right apps approved for business use can mitigate the risks of "shadow IT," or employees using apps outside approval or your VPN.
- Single Sign-On: A password-protected lock screen is likely not enough protection for endpoints. By segregating and protecting your mobile apps via a single sign-on (SSO) requirement, IT pros can enable smart user authentication without disrupting productivity.
4. Device Infection
The vast majority of users with an infected smartphone don't know their device is carrying malware. Even more concerning, feelings of "app fatigue," or excess exposure to mobile content, can make users careless about mobile security. They may not read the terms of service on new apps or think twice before granting excessive permissions when downloading new content.
Outdated mobile operating systems can be a major risk factor, with some of the most vicious forms of malware primarily affecting outdated OSs. With any BYOD program, IT pros should ensure that mobile OSs are kept up to date. Even new OSs have vulnerabilities, so it's also crucial to use file integrity monitoring to immediately detect and act on device infection.
5. Poor Policies
It may be possible to attempt a BYOD program without effective security policies in place, but it's certainly risky. If your organization is required to comply with PCI DSS, HIPAA, or any other regulatory requirements, effective policy is necessary to avoid fines.
With a combination of written policy and policy-based administration, IT pros should address each of the following:
- Passwords, lock screens, and single sign-on
- Network connectivity
- Required use of a VPN
- Real-time updates and patching
- Location tracking
- Mobile device management
6. Mixing Personal and Business Use
With BYOD, mixing business and personal use is inevitable. You can't control whether your employees decide to shop online at compromised websites or whether they will misplace a device. While you can educate heavily on security best practices, you can't guarantee that your employees won't loan their device to a friend or use public wireless connections to save data.
Security teams should plan to control for personal use, including times when employees don't follow best practices. The smartest methods of protection against employee behavior likely include:
- App segregation: Creating a strong barrier between personal and work use on the device can prevent accidental access to work data.
- Use of a VPN: A VPN can protect communications from interception, even if employees are trying to use a coffee shop's wireless network.
- File integrity monitoring: IT pros are alerted to unwanted changes to critical system files or security settings, allowing them to act immediately.
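File integrity monitoring comes up in sections 1, 4 and 6 as the control that surfaces tampering on a device. The following is an added example (not CimTrak's code and not from the original post) that shows the core of the technique in miniature: hash and fingerprint every file under a directory to form a baseline, then compare a later snapshot to classify what was added, removed, rewritten or re-permissioned. The directory layout, file names and the "tampering" it simulates are constructed for the demo; a real agent would also watch in real time and protect its own baseline.

```python
"""Minimal file integrity monitoring: baseline a tree, then report drift.

Illustrative example only; the sample tree and the simulated tampering in
demo() are constructed, not taken from any real system.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes tampering usually changes: content hash, mode, size."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root: Path) -> dict:
    """Map every regular file (path relative to root) to its fingerprint."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between an old and a new baseline."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            if old["sha256"] != new["sha256"]:
                report["modified"].append(rel)
            if old["mode"] != new["mode"]:
                report["mode_changed"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate tampering, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "agent").write_bytes(b"#!/bin/sh\necho agent\n")
        (root / "etc" / "policy.conf").write_text("vpn_required=yes\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated post-compromise changes (constructed for the demo):
        (root / "etc" / "policy.conf").write_text("vpn_required=no\n")  # config rewritten
        (root / "etc" / "hosts").unlink()                                 # file deleted
        (root / "bin" / "dropper").write_bytes(b"\x7fELF-placeholder")    # new binary dropped
        os.chmod(root / "bin" / "agent", 0o777)                           # made world-writable

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The mode check matters as much as the hash: a file whose contents are intact but that has been made world-writable is already a finding, which is why `compare` reports the two independently rather than collapsing them into one "changed" bucket.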
7. Inability to Control Devices
What if an employee leaves the organization or loses their mobile device? In many BYOD programs, the majority of the security stress comes from a lack of control around devices. Employees are not always careful, and disgruntled staff can do a lot of damage with too much access.
Mobile device management and smarter access governance are important. If an employee is terminated or begins exhibiting questionable behaviors, policy should support your ability to immediately revoke access to sensitive data before it's leaked.
Is BYOD Security Possible?
Bring-your-own-device security isn't simple.
Yes, it's much easier to exert control over company-owned mobile devices, especially if your employees are all using a uniform model and operating system. However, BYOD security is possible with the right tools to assess security and detect compromise.
In addition to best technical practices like use of a VPN, an SSO, and an MDM, security teams need tools for assessing device integrity, especially as new employee-owned devices are brought onto your company's network. Mobile has some inherent risks, but allowing an employee to use a jailbroken device for work can mean that built-in security measures are effectively null.
Your organization needs the ability to monitor employee-owned devices at the device level from the moment they're provided with access to your company data and every minute of the time they're used for work or personal activities off-site.
CimTrak Enables Total Compliance and Security
CimTrak is a solution for total compliance and security, even within the complex situations that BYOD policies can create. Your employees need mobile access 24/7. With agent-based file integrity monitoring, CimTrak gives security administrators real-time alerts about negative changes at the device level. With one easy-to-use tool, you can enable integrity monitoring, the full ability to remediate negative changes, and auditing capabilities.
To learn more, download our FIM guide today.
February 16, 2017