The internet is cheap, wireless, and it’s everywhere. For most people, it’s hard to imagine even going a day without their mobile device. With the rise and growing popularity of smartphones and tablets, the 'bring your own device' (BYOD) phenomenon has evolved from hype to something that is actively affecting small and large businesses across the board.
Despite its benefits, BYOD can be a major concern for security if adequate policies are not in place. The first step in preparing for BYOD is to know who is accessing your network and your data. This seems obvious but needs to be said.
Regularly review what accounts are active for your email service, your VPN, intranet applications with their own user databases, and so on. Are there any accounts active for anyone that shouldn’t have access (former employees or contractors, for example)? Are there any accounts with unusual activity such as a high number of unsuccessful logins? Do you have any open access to business data that does not require any authentication?
This is not necessarily specific to mobile devices – you should already be aware of all the openings on your network. This includes anywhere that someone may obtain access to corporate data, and you should be monitoring the access made by any type of endpoint. For a deeper look into keeping your network secure, check out the CCNA certification course (Cisco Certified Network Administrator) at the Intense School.
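The account review described above can be scripted against an account roster and an authentication log. The following is an added example, not part of the original article; the roster, log format and five-failure threshold are constructed assumptions, not any product's real schema.

```python
import re
from collections import Counter

# Constructed account roster: username -> (account enabled, person still employed)
ACCOUNTS = {
    "alice": (True, True),
    "bob": (True, False),     # contractor whose engagement has ended
    "carol": (False, False),  # already disabled, nothing to flag
    "dave": (True, True),
}

# Constructed VPN authentication log lines (syslog-like, invented for this example)
AUTH_LOG = """\
2024-03-01T08:01:12 vpn auth user=alice result=success src=203.0.113.5
2024-03-01T08:02:40 vpn auth user=dave result=failure src=198.51.100.7
2024-03-01T08:02:44 vpn auth user=dave result=failure src=198.51.100.7
2024-03-01T08:02:49 vpn auth user=dave result=failure src=198.51.100.7
2024-03-01T08:02:53 vpn auth user=dave result=failure src=198.51.100.7
2024-03-01T08:03:01 vpn auth user=dave result=failure src=198.51.100.7
2024-03-01T08:05:10 vpn auth user=bob result=success src=192.0.2.9
2024-03-01T09:12:33 vpn auth user=alice result=failure src=203.0.113.5
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) result=(?P<result>success|failure)")

def failed_logins(log_text):
    """Count failed authentication attempts per username."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "failure":
            counts[m.group("user")] += 1
    return counts

def review_accounts(accounts, log_text, failure_threshold=5):
    """Apply two of the review's checks: accounts still enabled for people who
    have left, and accounts with an unusually high number of failed logins.
    Returns (username, reason) findings sorted by username."""
    findings = []
    fails = failed_logins(log_text)
    for user, (enabled, employed) in sorted(accounts.items()):
        if enabled and not employed:
            findings.append((user, "active account for departed user"))
        if fails[user] >= failure_threshold:
            findings.append((user, f"{fails[user]} failed logins"))
    return findings

if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS, AUTH_LOG):
        print(f"{user}: {reason}")
```

Feeding the script your real roster export and VPN or mail-server logs turns the checklist into a repeatable report rather than a one-off manual read.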
The next step is to know what data can be accessed remotely. Some information your company keeps that employees use for their job is not at risk of loss because it has no special value that would be compromised in the hands of outsiders. Other information is extremely valuable and must be guarded carefully.
It is helpful to prioritise the relative risk of the data that can be accessed through each portal to the outside world. Obviously, you’ll want to put more effort into controlling access to those places that have the most sensitive data and may want to put less effort, or even no effort, toward controlling access to places with low-risk data.
You should be aware of how employee devices are configured. Mobile devices are of particular concern when it comes to corporate data because of their high susceptibility to physical loss. Any data that the employee needs access to in order to do their job is a liability if a device falls into someone else’s hands. In addition to the risk inherent in their form factor, there is the additional risk of data loss through electronic means. Vulnerabilities exist in all of the popular mobile device platforms.
The most immediate and effective line of defense is to minimally ensure that each device that is used to access your network is properly configured to reduce the risk of data loss from that device.
The most basic way to ensure that employees are safely configuring their devices would be to give them verbal or written instructions on how to do this and expect adherence to the policies. The best approach, however, is to use a tool that can automatically report a device’s configuration and help or force employees to keep them securely set.
The best of these tools should give you good insight into how employee devices are configured and where they deviate from the policies you’ve set for proper configuration. They should also aid in bringing employee devices in line with your desired configuration – either by guiding the employees to properly set their configuration, or by setting it for them.
The tools most commonly recommended today are MDM (Mobile Device Management) tools. However, MDM tools are a somewhat heavyweight solution and might be more than what is needed for a lot of smaller organisations.
There is an alternate approach that may be more suited to BYOD because it does not take control of the employee’s device. This new class of tools provides Mobile Device Auditing, which reports on current device configurations, but does not take complete control of the device. These tools may be a more lightweight approach to getting a handle on BYOD devices and may be more popular with your employees.
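The reporting side of the auditing approach discussed above, as an added example that is not part of the original article: each device's self-reported settings are compared with a policy and only the deviations are returned, leaving the device itself untouched. The policy values, setting names and device reports are constructed assumptions, not any MDM or auditing vendor's real schema.

```python
def parse_version(text):
    """'14.10' -> (14, 10) so versions compare numerically ('14.10' > '14.2')."""
    return tuple(int(part) for part in text.split("."))

# Constructed policy: setting name, required value, and how a reported value is judged.
# Predicates receive (required, reported); a missing setting arrives as None.
RULES = [
    ("screen_lock", True, lambda want, got: got is True),
    ("passcode_length", 6, lambda want, got: isinstance(got, int) and got >= want),
    ("storage_encrypted", True, lambda want, got: got is True),
    ("os_version", "14.2",
     lambda want, got: got is not None and parse_version(got) >= parse_version(want)),
    ("rooted_or_jailbroken", False, lambda want, got: got is False),
]

def audit_device(report):
    """Return (setting, required, reported) for every rule the device fails.
    A setting the agent did not report counts as a failure: unknown is not compliant."""
    deviations = []
    for setting, want, ok in RULES:
        got = report.get(setting)
        if not ok(want, got):
            deviations.append((setting, want, got))
    return deviations

def audit_fleet(reports):
    """Map each device name to its deviations; an empty list means compliant."""
    return {name: audit_device(report) for name, report in reports.items()}

# Constructed device reports, as an auditing agent might submit them.
REPORTS = {
    "alice-phone": {"screen_lock": True, "passcode_length": 8, "storage_encrypted": True,
                    "os_version": "15.0.1", "rooted_or_jailbroken": False},
    "bob-tablet": {"screen_lock": True, "passcode_length": 4, "storage_encrypted": True,
                   "os_version": "14.10", "rooted_or_jailbroken": False},
    "carol-phone": {"screen_lock": False, "storage_encrypted": False,
                    "os_version": "13.7", "rooted_or_jailbroken": True},
}

if __name__ == "__main__":
    for name, deviations in audit_fleet(REPORTS).items():
        print(name, "compliant" if not deviations else deviations)
```

The deviation list is what you would hand back to the employee as guidance (the auditing model) or feed to an enforcement tool (the MDM model); the comparison logic is the same either way.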
Clear communication with employees is key. It’s important that employees using BYOD are told clearly what type of monitoring and/or control of their devices is being employed. For example:
• What data is being monitored?
• What settings may be automatically modified?
• How will information about their devices be used by the company?
• What is the data retention period?
If you are auditing or controlling employee devices in any way, you will likely need to have a written agreement that clearly spells out what information you are able to view or modify on their device.
It is also important that employees are aware of what their responsibilities are. For example:
• Keeping the device’s security configured;
• Immediately reporting any suspicious activity;
• Immediately reporting if the device is lost or a data breach is suspected;
• Ensuring that any agent used for company auditing is kept in working order; and so on.
Remember that BYOD devices, even though they are used for accessing your business’ data, still belong to the employee and you should not compromise the privacy of the user’s device. It is important to strike a balance that meets the needs of both parties.
You need a way of being reassured that the device is configured and used in a secure way that reduces the risk of loss of your company’s information. They need to be able to use the device for their personal use in any way that doesn’t directly compromise the security of business data.
Employees will be much happier if they know that their employer does not have access to information and content that it has no valid need to access (be it GPS locations, text messages, personal email, and so on).
Note that most MDM systems will take control of the device. In order for them to know the current configuration state, they push changes to the device to set the configuration as dictated by the security policy. This may result in pushback from employees who are willing to let employers monitor the basic configuration settings but do not want modifications to be forced on their device. If you are at all concerned about this, look into using a Mobile Device Auditing tool rather than a traditional MDM system.
You should have a plan for how to handle any data breach. The best approach to reducing the risk of data loss is to realise that you are looking to reduce risk, not eliminate it entirely. It would be cost-prohibitive, not to mention impossible, to completely eliminate the risk of any data breach whatsoever. The tips above are structured around identifying where risk is the greatest and putting the most effort towards those areas with the most risk.
Since your risk is reduced and not entirely eliminated, you do need to be prepared for what to do if there is a data breach. Think about who should be notified, what immediate configuration changes should be made to affected systems, what forensic activities you might be able to undertake, etc. Create a written plan so you can follow your plan effectively during what might be a stressful time.
But the stress should not be too overwhelming, because by preparing properly you should be able to reduce the risk of the most costly situations as much as possible.
It is important that your level of BYOD security be reassessed periodically; you should audit regularly. Your IT systems are sure to change over time and it is important to keep your processes and tools up-to-date with the current state of your business information systems.
You should also plan for eventually having to prove compliance with your policies. You may already be doing this for your traditional server and desktop endpoints. You may be required to report to an outside authority on compliance with a regulation or standard such as PCI or, in the US, Sarbanes-Oxley. You may also need to report internally to your own company’s auditors, who want to ensure a certain level of diligence around IT security.
This activity will inevitably extend to cover mobile devices in the same way it currently covers traditional systems. It is only a matter of time before regulations are extended to insist on controls over access to your network from mobile devices.
Putting in place the types of procedures mentioned here will require planning, effort, and resource expenditure, but you will enjoy a happier workforce and greater peace of mind for your efforts. Your company’s executives will be happy that you have systematically reduced the risk of damaging data loss, and your employees will be thrilled that you are working with them to be as productive as possible rather than having them feel that you are an impediment to their success.
Jon Fox is a security researcher for the InfoSec Institute and has over 20 years of experience designing and developing enterprise software solutions. He is particularly familiar with IT-GRC, compliance, risk management, intrusion detection and prevention, as well as the internals of Windows, UNIX, and Android.