Managing the Risks
BYOD: Bring Your Own Defense
- By Fraser Thomas
- Nov 03, 2014
The flexibility that BYOD brings to businesses, where an employee is able to access the corporate network anywhere, anytime, has brought many benefits—increased productivity, less time wasted on travel and savings on overhead.
Such a rapid cultural shift in traditional working practices, as witnessed by organizations across the country, has left many vulnerable and, in some cases, dangerously unaware.
The fact is that any employee using a personal mobile device to access corporate data represents a potential compromise to corporate security. Dimension Data recently reported that 82 percent of global organizations have embraced BYOD, but less than half have established an accompanying security policy. With the Ponemon Institute’s “2014 Cost of a Data Breach” study revealing that the average total cost of a company data breach is $3.5 million—a rise of 15 percent compared to the 2013 study—it is essential that businesses take control of BYOD today, before it has control over them.
Main BYOD Security Issues
Companies must become educated about the security issues surrounding BYOD as well as take inventory of their employees’ BYOD practices. This way, effective policies and procedures can be created to define proper security around all aspects of BYOD. Therefore, companies should analyze the following issues in terms of their work culture:
Who exactly is accessing the network? More than 90 percent of workers in the United States are using their personal smartphones for work purposes. In turn, companies are finding it increasingly difficult to keep tabs on all these devices that are seeking access to their networks, and when and how employees are accessing corporate data. With almost 60 percent of U.S. employees admitting that they are not concerned about the security of their workplace systems, how can businesses trust that their data is safe?
If you build a new door, strangers will come knocking: The provision of any wireless gateway into the corporate network invites connections from outside, beyond the control and protection of the secure, fixed network perimeter. Therefore, this point of entry is exposed to all manner of network villains, from viruses and Trojans in popular circulation to the targeted attention of cybercriminals, not to mention the failings of an absent-minded employee who may leave his or her device in the coffee shop or on the train. Multiply these threats by the number of devices that have access to a corporate network and the risks start to become clear.
The popularity of consumer-driven devices: By definition, BYOD favors popular, consumer-led devices, most of which are not built with enterprise-class network security in mind. The default, out-of-the-box intruder prevention settings on these devices do not meet today’s business requirements, regardless of whether the intruder is trying to hack in remotely or has the targeted device in their possession. Additionally, most consumers opt for mobile device settings which favor convenience over security. Even though many mobile handset manufacturers are wising up to the needs of the enterprise, most still have a long way to go before they can claim to be watertight.
A network is only as strong as its weakest link: Recent statistics reveal that 44.2 percent of Americans log in to their corporate systems remotely via a username and password (UNP). Considered alongside the admission that one in five U.S. employees reuse the same password across personal and corporate systems, the alarm bells should already be ringing. Under such circumstances, it may only take one employee’s personal password to be hacked for unauthorized network access to be gained, compromising the entire network and all of the sensitive data held within.
With almost-weekly headlines of large-scale data breaches across the United States and the rest of the world, the same passwords used to access your network could be sitting in a hacker’s stockpile, just waiting to be used. Threats to password-protected networks are only heightened by the sheer number of access points afforded by a BYOD culture.
Usability of apps: The demand for fast and convenient access to network data has led to a rise in the use of mobile apps as an alternative to web browsers. Popular email and business cloud platforms can be easily accessed by a mobile app, which does not require any authentication.
It is quite shocking to know that once “active sync” is enabled on a business owner’s tablet, for example, he or she can have instant access to corporate data via their unmanaged device. The same goes for employees, too. Once the email settings have been configured and access details shared, anyone can access their email from any device, as can anyone else who knows the settings or gets their hands on one of those devices.
Also popular with today’s workers are personal cloud applications, like Dropbox, that offer a simple and user-friendly solution for employees to keep whatever they’re working on within easy reach. These apps are password protected and easily accessed from a mobile device, enabling files to be quickly shared between users. For data loss, however, these apps could be catastrophic. When a file is shared, control over the content is automatically lost and it can be freely shared with others. What’s more, you do not receive any notification that this has happened.
Next Steps in BYOD Security
Sixty-seven percent of people use personal devices at work, regardless of the office’s official BYOD policy. Business owners and IT decision makers must accept that if employee demands for convenience go unmet, many will find their own independent ways of accessing corporate data, often without due consideration to network security. Businesses should take full ownership and control of the protection of their corporate data, but it must be done in a way that their employees can handle.
It goes without saying, then, that workers should be governed by a BYOD policy. An effective internal policy should include:
- A comprehensive review of internal user access policies;
- a clear charter clarifying what data can and cannot be accessed from a mobile device;
- guidance on how to change and manage device security settings; and
- the introduction of a strong authentication method that goes beyond UNPs.
Workable BYOD needs to have boundaries. In today’s web-centric world, a user’s expectation of authentication is largely dictated by their Facebook experience, where access to an account is instantaneous, providing you have logged in once on a particular device. Employees expect to have the same immediate access in the corporate world as well, and to be able to access whatever they want, when they need it.
Data is the most valuable thing a company owns, but the importance of the data held in a corporate system varies. A sensible approach to BYOD and remote access authentication therefore should begin with a clear division between business-critical and less-important data. Organizations can define the access control parameters that work best for their business structure by keeping the gateways to certain information accessible only to those with the right permissions.
Such an approach goes some way in resolving the nonchalant attitudes of employees to workplace security. Instead of simply tapping a mobile app or inputting a familiar UNP, something they offer up multiple times a day without thought, an individual will be required to stop and consider the action they are about to undertake and, as a result, the risk factor associated with it. The use of authentication signals to the user that they are shifting from a low-risk to a high-risk environment.
All of this can be achieved by turning an employee’s personal device into a virtual token connected to a dedicated, multifactor authentication platform so that the credentials of every individual trying to connect can be verified and the appropriate level of access granted. Because it puts the user right at the heart of the authentication process, they remain both engaged and informed. This will go a long way to appease the reservations of a cloud-fearing board of directors.
Requiring users to engage with stronger authentication models, based on a risk-assessed protocol, via their own devices will drive familiarity and, more importantly, considered actions from employees.
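As an added illustration (not code from the article or from any vendor's product), the following Python sketches the tiered, risk-assessed step-up policy the preceding paragraphs describe: data is divided into tiers, a personal device enrolled as a virtual token is required for anything beyond public data, and business-critical data prompts for MFA on that token rather than accepting a UNP alone. The tier names, the Request fields and the user-facing messages are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    """Data classification, least to most sensitive (assumed tiers)."""
    PUBLIC = 0
    INTERNAL = 1
    CRITICAL = 2


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # session is valid, but MFA on the enrolled device comes first
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    device_enrolled: bool      # device registered as this user's virtual token
    mfa_verified: bool         # MFA already completed in this session
    resource_tier: Tier
    unp_verified: bool = True  # username and password accepted


def evaluate(req: Request) -> tuple[Decision, str]:
    """Return the access decision and the message shown to the user.

    The message is what signals the shift from a low-risk to a high-risk
    environment: the user is told why a further step is being asked of them.
    """
    if not req.unp_verified:
        return Decision.DENY, "credentials rejected"
    if req.resource_tier is Tier.PUBLIC:
        return Decision.ALLOW, "public data: password is sufficient"
    if not req.device_enrolled:
        # An unmanaged device has no token to step up with, so there is no
        # route to anything beyond public data from it.
        return Decision.DENY, f"device {req.device_id} is not enrolled as a token"
    if req.resource_tier is Tier.INTERNAL:
        return Decision.ALLOW, "internal data: enrolled device and password are sufficient"
    # Business-critical data: a password alone is never enough, even on an
    # enrolled device. Ask for MFA on the token if it has not been done yet.
    if req.mfa_verified:
        return Decision.ALLOW, "critical data: MFA confirmed on enrolled device"
    return Decision.STEP_UP, "critical data: confirm MFA on your enrolled device"
```

A real deployment would also time-limit the MFA-verified state and record each STEP_UP and DENY for audit, which the sketch omits.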
This article originally appeared in the November 2014 issue of Security Today.