Since the onset of Covid, organizations – irrespective of their size – have become exponentially more vulnerable to cyber threats. Our ever-increasing reliance on technology, networks, software, and even social media can inadvertently invite cyber attacks, resulting in a catastrophic loss of business and personal data. So, what’s the biggest threat to your cyber security? You and the people you work with.
You may think we’re talking about disgruntled employees – which can certainly be the case – but, more commonly, it’s you and your trustworthy coworkers: owners and employees who haven’t been trained to identify the ever-changing cyber threats, or to take precautions related to cyber security.
But, it’s not just people who are the threat anymore, it’s also their devices. In the past, business owners had much more control over the technology, networks and software they provided. Now, most, if not all, remote workers aren’t just operating on a single, dedicated business computer that stays in the office and runs exclusively on your secure network.
They own multiple devices – most of which are mobile – and they are connecting to new networks, downloading new software, and browsing new internet sites, now more than ever. Then… they connect back into your business network, unwittingly delivering cyber threats that WILL wreak havoc on your data, your reputation and, ultimately, your business.
Let’s dive a little deeper.
In excerpts from an article by Hysolate, they wrote:
What is BYOD Security?
“Bring your own device (BYOD) means that employees use personal devices to connect to an organization’s network, accessing work-related systems and possibly, sensitive data. Personal devices may include smartphones, personal computers, tablets or USB drives.
According to several studies, well over 50% of organizations and over 70% of employees use personal devices at work, and these numbers are rapidly growing. This means BYOD security is top of mind for IT and security leadership.
Personal devices are more likely to be used to break into corporate networks, whether or not they are approved by IT, because they are less secured and more likely to contain security vulnerabilities compared to corporate devices. Therefore, it is critical to understand and address BYOD security for organizations of all sizes.
BYOD Security Risks – The three most severe risks affecting BYOD devices
Data Leakage and Loss
When employees use personal devices at work, any access to the corporate network can pose a risk—whether the employee is performing routine activities like logging into a work email account, or more sensitive activities such as viewing financial or HR records.
Attackers can gain access to a lost or stolen device, or compromise a device via phishing or malware while it is still owned by the employee. At that point, attackers have three main options to do damage:
- Steal data stored locally on the device
- Use credentials stored on the device to access the corporate network
- Destroy data on the device
The second option is especially dangerous, because a compromised account can initially appear to be a legitimate user accessing corporate systems.
The third option can be mitigated by cloud backup systems, but these must be set up carefully or they can also become an attack vector.
Device Infection
Smartphones are commonly infected by malware, and in most cases, smartphone users are not aware their phone is infected. What’s even more worrying is that, because mobile users install a large number of applications and may use them only occasionally, they may be careless about terms of service or permissions they grant to new applications.
On desktop or laptop computers, operating system vulnerabilities pose the biggest risk. Most users are not diligent about updating their operating system with the latest security patches. A first priority in any BYOD program is to identify the current OS running on employee devices, and ensure they apply the latest updates.
Lastly, antivirus software is used unevenly by users on their personal devices. Some devices may not be protected at all, and others may be protected by free or unknown antivirus programs of questionable effectiveness.
Mixing Personal and Business Use
With BYOD, it is inevitable that employees will perform both work and personal tasks on the same device. Your organization won’t have control over websites visited by employees, some of which may be malicious or compromised, or over questionable applications they install. Devices may be used by the employee’s children or other members of their household, and may be used to connect to unsecured wireless networks—the list of potential threats is endless.
Security Measures for BYOD Security
Given the major risks posed by BYOD devices, here are a few basic measures organizations can take to improve security on these devices.
Application Control
Some devices and operating systems provide control over the applications installed on a device. For example:
- iOS devices can block access to the Apple App Store
- Android Enterprise makes it possible to customize Google Play to show only approved applications
However, applying such restrictions on applications on a user’s personal device is not practical. Employees are likely to resist these types of measures, and expect that they should be able to freely use their personal device when off work.
Containerization
Containerization is a way to divide each part of a device into its own protected environment, each with a different password, security policies, applications and data. This can allow employees to use the device without restrictions, while preventing security risks to the corporate network.
When a user logs in to a containerized work environment, they cannot access their personal applications and other features that the container does not manage. Containerization is a powerful solution that, on the one hand, prevents employees from using unapproved applications while connected to corporate systems, and on the other hand, does not restrict employees from free use of their personal device.
Android Enterprise makes it possible to set up separate, containerized environments for work and personal applications. This gives organizations full control over the work environment, without encroaching on the employee’s free use of their personal applications.
Cyber criminals that breach the general workspace are completely contained within it and cannot laterally move to the other protected environment. They cannot reach the host or privileged OS, and they can’t even see that it exists.
Encrypting Data at Rest and in Transit
BYOD causes sensitive data to be retrieved and viewed on systems outside an organization’s control. Therefore, it is crucial to encrypt data at rest and in transit. Encryption allows you to protect the content of sensitive files even in the worst case of device theft or compromise.
In practice, encrypting all data transmitted to employee devices can be challenging. Security and operations teams must take into account all scenarios in which a user downloads or saves a file on the local computer, such as downloading email attachments or retrieving files from corporate cloud storage. In all these cases, software on the BYOD device must ensure the data is encrypted.
Another concern is that encryption can slow down day-to-day operations, hurt productivity and frustrate users. In addition, any malfunction in the encryption process can block users out of critical files they need to do their jobs.
BYOD Security Best Practices
Educate Employees
Define a BYOD security policy, and even more importantly, take the time to educate users about it. Users should clearly understand what they can and cannot do on their personal devices, why the security measures are important, and what are the consequences of violating the policy.
Employees should undergo mandatory security training. A primary goal of employee education is to explain that security threats are a danger to the organization and to the employees themselves, and that by following the policy, they are improving safety for themselves, their colleagues, and helping to prevent catastrophic data breaches that can threaten the organization.
Separate Personal and Business Data
When employees use a device for business activities, a primary concern is privacy. A device can contain sensitive personal files or information, which the employee does not want to share with their workplace. At the same time, sensitive business data stored on the device must be protected and accessible only to the employee. Whether containerization solutions are used or not, the BYOD policy should clearly state how to separate personal and business information and prevent unwanted exposure.
Have a Solution in Place for Lost Devices
If a device is lost or stolen, employees must immediately report it to their manager or IT department. IT needs to be prepared for the necessary actions such as remote device lock, data wipe, password reset, and auto-wipe for critical applications. The protocol for device loss or theft should be clearly defined in the BYOD policy and employees should be fully aware of it.
Ensure Secure Network Connectivity
If an employee is connected to the Internet or public Wi-Fi, attackers can eavesdrop on business activities. Encourage employees to connect their equipment to a secure network, not just in the office, but also on the go. In any event, they should only connect to the corporate network via a secured, encrypted virtual private network (VPN).”
Great overview, right? Now, let’s dig a little deeper.
(LOVE this next writer!)
In excerpts from an article by Digital Guardian, they wrote, “Employers have two options: either embrace BYOD by enacting BYOD policies and security measures to make the practice a safer one, or prohibit BYOD entirely and find a way to enforce it. For most companies, it makes sense to embrace the BYOD trend and capitalize on the benefits it offers, such as increased employee productivity and greater employee satisfaction through better work-life balance, while implementing security measures that mitigate the risks involved.
STAKEHOLDER AND EMPLOYEE BUY-IN
To adapt to the growing use of BYOD among enterprises and SMBs, many companies may be inclined to jump immediately to policy creation, but that approach is often met with friction. The first step, before working on policy, is to gain both stakeholder and employee buy-in.
Stakeholders will be essential to the policy planning process, providing a variety of perspectives from various departments and interests within the organization. Executives, human resources, finance, IT operations, and the security team should be represented within a BYOD project management team and can each contribute to policy development.
In addition to these stakeholders, employee input is essential for creating effective BYOD policies. Blindly creating policies based solely on the company’s interests can backfire. Policies that are too restrictive or fail to offer support for the right devices will lead to a lack of participation by employees, ultimately wasting the resources the company invested in creating the policies.
An employee survey is an effective way to gain data on the devices employees currently use (and are likely to purchase in the future, as these devices must be supported by your company’s BYOD policy), what employees see as advantages and disadvantages to using their own devices for work purposes, and what applications they perceive as necessary to be able to carry out business tasks on their personal devices. For instance, some employees may have concerns about their own privacy should they use their personal devices for business. Armed with this data, you can begin to craft a BYOD policy that addresses these concerns and encompasses the full range of devices your employees are likely to use.
DEFINING A BYOD SECURITY POLICY
Defining a BYOD security policy is a critical step in maintaining company security when employees are bringing their personal devices to the workplace. TechTarget SearchMobile Computing outlines a few essential elements of a BYOD policy, including:
- Acceptable use: what applications and assets are employees permitted to access from their personal devices?
- Minimum required security controls for devices
- Company-provided components, such as SSL certificates for device authentication
- Company rights for altering the device, such as remote wiping for lost or stolen devices
In an article for CIO, Jonathan Hassell describes a few additional components of effective BYOD policies, such as specifying the permissible device types and establishing a stringent security policy for all devices. For example, consumers may opt not to utilize native security features such as the ability to lock device screens or require passwords because these features create additional steps that inconvenience users. Employees are motivated to make use of these simple features when clear company policies exist, and even simple measures can enhance company security.
Additionally, your BYOD policy should clearly outline a service policy for BYOD devices, including what support is available from IT for employees connecting to the company network, support for applications installed on personal devices, and support for resolving conflicts between personal applications and company applications.
Your BYOD policy should clearly outline the ownership of apps and data, as well as the applications that are permitted or prohibited and reimbursement (e.g., will the company reimburse employees a standard use fee, pay for certain applications, or a portion of monthly bills?). It should also outline security requirements for BYOD devices (e.g., will the company provide a mobile device security application that must be installed on employee devices before they are granted access to company data or will employees be permitted to choose their own security solutions provided they meet criteria outlined by your IT department?).
Employee exits are also an important consideration when outlining your BYOD policy. When an employee leaves the company, what happens to the company data that may be stored on the employee’s device? Defining clear policies that explain the procedures that must be followed when an employee separates from the company, such as the wiping of the employee’s device by IT, should be explained in detail in written policies.
Finally, risks, liabilities, and disclaimers should be disclosed in a written BYOD policy. This includes company liability for an employee’s personal data, should a device have to be wiped for a security precaution, as well as employee liability for the leakage of sensitive company data brought about by employee negligence or misuse.
EXAMPLE ELEMENTS OF A BYOD POLICY
There is a great deal of technology to better secure employee-owned devices. That said, a strong policy and widespread adoption of the policy is vital to ensuring proper (and secure) BYOD use in an organization. While each company is different, there are a number of elements (relatively) universal to most policies.
Password Provisions
For sensitive information, either belonging to the company or its customers, password protections are non-negotiable. Most organizations require strong passwords on mobile devices and computers. Some enact regular password changes every 30 or 90 days, for example. You also may want to consider 2-factor authentication for any applications and programs accessed from employee-owned devices.
Privacy Provisions
Company data belongs to the company, but it happens to be on a privately owned device. Privacy is a big deal, and your BYOD policy needs to address how you protect data while ensuring employees’ privacy. Some companies choose to tell workers to expect no privacy when using personal devices for work purposes.
Data Transfer Provisions
It only takes one person to use a new app with sensitive data for a breach to occur. If someone is using a certain app that’s unapproved to transfer data, and this application is breached, there could be serious legal ramifications. Data should be encrypted, password protected and only transferred on company mandated applications.
Proper Maintenance/Updates
Patches and updates not only provide new features, but also shore up the code from known attacks. Keeping devices and applications up-to-date is a major part of overall digital security and must be included in any company or private device use policy.
Common Sense Provisions
Technology is indifferent, but people have bad habits. Work selfies and short “vlogs” may occur, even when prohibited. And without provisions in your policy, device misuse is sure to occur more often. Other common-sense rules include things like:
- No device use while driving
- Limit personal calls while at work
- Do not take video (except possibly in areas like break rooms, with coworker permission)
Approved Applications
There are a number of apps used in the workplace. One study found employees use more than five business applications every day. Without a firm list of approved programs, your team may establish their own apps to use. Make sure to include dedicated secure messaging, email, CRM, and other apps and explicitly forbid the use of unapproved programs.
Upon Termination
Leaving company data on a personal device when that person retires, finds work elsewhere, or possibly gets terminated is a bad idea. Even worse is not having a specific set of procedures when this occurs. Upon any termination, an organization is obliged to ensure all data is removed from the device and permissions removed from company applications.
Data Wipe Procedures
The complexity of wiping data from an employee’s phone, tablet, or computer is enough to make some businesses provide all devices to employees. Parsing through multiple email accounts and deleting certain things from apps used for both private and company affairs isn’t easy. It’s for these reasons the steps are clearly laid out in the policy.
Accountability Provisions
A policy with a list of guidelines, yet without clear disciplinary action for failing to abide by those provisions, means your policy has no teeth. Your policy should describe in detail how accountability is tracked, measured, and enforced. Every member of the team should understand not only how devices are to be used but also the consequences of failing to keep company data safe.
EVALUATE YOUR TECHNOLOGY CAPABILITIES
In addition to creating and communicating your BYOD policy, you must ensure that you have the right technology resources at your disposal. An evaluation of your current capabilities will help to identify and fill these gaps to ensure a successful BYOD rollout.
Lack of oversight is one of the most common concerns surrounding BYOD implementation. Companies implementing BYOD policies need to have adequate staff in their IT support departments to help employees get set up and provide ongoing support and monitoring. Not all solutions are compatible with all devices or operating systems. Companies may opt to purchase a software solution with cross-device compatibility, or they may place greater importance on features and offer a different solution for different devices and OS.
Companies should implement measures and procedures for verifying installation of security solutions on all devices accessing company data. They should also create protocols for identifying and enforcing policies related to the evaluation of the risks of various apps and determining which specific applications are deemed safe as well as which applications should be prohibited. Finally, if reimbursement is included in the BYOD policy, budgetary issues should be considered and appropriate resources allocated for this purpose.
CONSIDERING BYOD SECURITY SOLUTIONS
Once your systems and protocols are in place, providing ongoing employee education on the importance of acceptable use as well as basic data security hygiene is critical for BYOD success. Beyond this, the right security solutions can minimize your BYOD risk and enable your policy to run smoothly. There are several elements that should be addressed by an effective BYOD security solution. The ideal solution is one that encompasses several or all of these elements and facilitates a comprehensive mobile security strategy. Below are short descriptions of various security measures which may be used as part of a comprehensive BYOD security program.
ENCRYPTION FOR DATA AT REST AND IN TRANSIT
Because BYOD usage takes data outside of the control of many other enterprise security measures, it is important that organizations encrypt sensitive data at rest and in transit. Encryption ensures that the contents of sensitive files are protected even in a worst-case scenario such as a stolen device or traffic being intercepted over an unsecure network.
Requiring the use of strong passwords offers some protection, but encryption is better. As this article on the InfoSec Institute notes, “To ensure protection, organizations need to implement encryption for the entire duration of the data lifecycle (in-transit and at-rest). And to prevent unauthorized access and maintain the encryption in case of a security breach, the IT department of the concerned organization should take control of encryption keys.”
APPLICATION INSTALLATION CONTROL
There are some controls available with certain devices and operating systems that IT can utilize to exert control over the apps installed on an employee’s device. For instance, Apple iOS devices can be configured to deny access to the App Store, and for Android devices, companies can make use of Android Enterprise for a managed Google Play portal that contains only approved applications (among many other useful features for BYOD).
However, restricting an employee’s ability to download or install applications on their own devices for personal use isn’t a practical solution for most companies. These methods are similar to measures taken for parental control purposes, so naturally, employees are likely to feel as though this is an infringement on their personal freedoms. Most employees have the expectation that they will be able to use their personal devices as they choose when they’re not on the clock, conducting business, or connected to a secured company network, making other solutions more practical for BYOD security. It’s worth noting that Android Enterprise offers a containerized environment to separate work and personal applications and data, which allows companies to have better control over devices used for work purposes without limiting an employee’s personal use of their device. We’ll discuss containerization in more detail below.
MOBILE DEVICE MANAGEMENT
Mobile device management (MDM) solutions offer a balance between total control for employers and total freedom for employees, offering the ability to deploy, secure, and integrate devices into a network and then monitor and manage those devices centrally. The MDM field is still finding its footing and is not without its share of problems. For instance, this article in CIO reports that some enterprises could take advantage of more advanced features available with MDM, creating a less-than-ideal user experience that’s too restrictive and leading employees to resist the enterprise’s BYOD program.
CONTAINERIZATION
Containerization is increasingly being offered in conjunction with (or paired with) MDM solutions. Containerization is a method by which a portion of a device can essentially be segregated into its own protected bubble, protected by a separate password and regulated by a separate set of policies, from the remainder of the applications and content on the device. This allows employees to enjoy full, uninhibited use of their devices on their own time without introducing security risks to the company’s network. When a user is logged into the containerized area, personal apps and other features not managed by the container are inaccessible. Containerization is an appealing solution that doesn’t limit employees’ ability to use their personal devices as they choose, while eliminating the possibility of employees using or accessing apps that don’t meet the company’s security threshold when working.
Containerization limits corporate liability without impacting personal use, but on the downside, it doesn’t protect employees’ personal data on devices that are lost or stolen and must be wiped. This is a challenge that’s easily overcome with proper personal data backup.
BLACKLISTING
Blacklisting is a term that describes the process of blocking or prohibiting specific applications that are determined to pose a risk to enterprise security. Blacklisting is also a method some companies use to restrict employee access to apps that can hinder productivity, such as games or social networking apps. File-sharing services are another category of apps that often find themselves on blacklists, as companies fear that sensitive information could be shared with unauthorized third parties, either intentionally or inadvertently, by employees.
While it can be effective by limiting access to applications that don’t meet your company’s security criteria, blacklisting is not often used for BYOD, as the process means controlling access to applications on employees’ personal devices both during work and during off-hours. Naturally, this poses an issue for some employees who enjoy playing Pokémon GO when they’re not at work.
WHITELISTING
Whitelisting is simply the opposite of blacklisting. Instead of blocking access to a list of specific applications, whitelisting allows access only to a list of approved applications. It’s often considered a more effective process simply because of the sheer number of applications and websites that exist. Waiting until an employee has downloaded an app and used it to transmit data to determine that it poses a security risk is sometimes too little, too late.
Whitelisting circumvents this issue by simply not allowing access to anything unless it has been pre-approved as safe by IT. Of course, like blacklisting, this can create problems for BYOD by blocking employees’ access to apps that they might want to use when they’re not at work.
OTHER BYOD SECURITY MEASURES
There are a variety of other security measures that are sometimes used as part of a comprehensive BYOD security program. Antivirus software installed on individual devices, for instance, is often a staple of such security programs. Companies may purchase a volume license and install software on BYOD devices or simply require employees to install their own and verify with IT that their devices are protected. With more malware targeting mobile devices, the risk of such a malicious program impacting the company network by way of an employee’s personal device is very real.
Monitoring is another component sometimes used as part of a BYOD security program, albeit with mixed opinions. IT could implement systems that monitor the GPS location of employee devices, or Internet traffic on individual devices. While these monitoring systems can prove beneficial for detecting unusual activity or locating a lost device, many consider these solutions to venture too far into employees’ privacy.
The bottom line is that BYOD security, like enterprise security, requires a multi-faceted approach that addresses the potential risks while minimizing intrusions on employee privacy and usability when it comes to personal use. Context-aware security solutions that provide control over user access, applications, network connectivity, and devices, in addition to encryption capabilities, combine the key elements necessary for ensuring enterprise security in the BYOD landscape. Enterprises embracing these solutions capitalize on the benefits and reap the rewards of BYOD, such as employee productivity and satisfaction due to greater work-life balance, while effectively mitigating the security risks that once plagued companies adopting BYOD.”
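Both excerpts above (Hysolate’s “Encrypting Data at Rest and in Transit” and Digital Guardian’s “Encryption for Data at Rest and in Transit”) make the same point: files that land on an employee-owned device should be encrypted, and the IT department, not the device, should hold the keys. The example below is an added illustration written for this post; it is not code from either article or from any MDM product. It models that arrangement as envelope encryption: each file is sealed with a fresh data key under AES-256-GCM, and that data key is in turn wrapped by a key-encryption key (KEK) that only a hypothetical IT-run `KeyService` holds. The device stores only the ciphertext and the wrapped key, so a copied file cannot be opened on another device, and once IT revokes a device (for instance after a loss report) the file on it can no longer be decrypted. All device IDs and the sample document are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is a hypothetical service run by the IT department. It owns the
// key-encryption key (KEK); devices never see it, they only ask it to unwrap
// per-file data keys, and it refuses for devices whose access was revoked.
type KeyService struct {
	kek     []byte
	revoked map[string]bool
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // AES-256 key, held only by the organization
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek, revoked: map[string]bool{}}, nil
}

// sealGCM encrypts plaintext with AES-GCM under key and prefixes the random nonce.
// aad is authenticated but not encrypted; we use it to bind a wrapped key to a device.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on any tampering or mismatched aad.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// WrapDEK seals a data key under the KEK, bound to the requesting device ID.
func (ks *KeyService) WrapDEK(deviceID string, dek []byte) ([]byte, error) {
	return sealGCM(ks.kek, dek, []byte(deviceID))
}

// UnwrapDEK is the only path back to a data key, so revocation is enforced here.
func (ks *KeyService) UnwrapDEK(deviceID string, wrapped []byte) ([]byte, error) {
	if ks.revoked[deviceID] {
		return nil, errors.New("device access revoked by IT")
	}
	return openGCM(ks.kek, wrapped, []byte(deviceID))
}

func (ks *KeyService) Revoke(deviceID string) { ks.revoked[deviceID] = true }

// EncryptedFile is all that rests on the employee-owned device.
type EncryptedFile struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptForDevice generates a fresh data key per file, seals the file with it,
// and stores the data key only in wrapped form.
func EncryptForDevice(ks *KeyService, deviceID string, plaintext []byte) (*EncryptedFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(deviceID, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptOnDevice succeeds only if IT still unwraps keys for this device.
func DecryptOnDevice(ks *KeyService, deviceID string, f *EncryptedFile) ([]byte, error) {
	dek, err := ks.UnwrapDEK(deviceID, f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, f.Ciphertext, nil)
}

func main() {
	ks, _ := NewKeyService()
	doc := []byte("Q3 payroll summary (constructed sample)")
	f, _ := EncryptForDevice(ks, "laptop-42", doc)
	pt, err := DecryptOnDevice(ks, "laptop-42", f)
	fmt.Printf("normal use: %q err=%v\n", pt, err)
	_, err = DecryptOnDevice(ks, "laptop-99", f) // file copied to another device
	fmt.Println("other device:", err)
	ks.Revoke("laptop-42") // device reported lost
	_, err = DecryptOnDevice(ks, "laptop-42", f)
	fmt.Println("after loss report:", err)
}
```

The design choice worth noting is that the KEK never leaves the service, so the “remote wipe” step both articles call for is partly achievable by revoking key access: even data that a wipe command never reaches stays unreadable.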
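The application-control passages above (Hysolate’s “Application Control” and “Containerization”, and Digital Guardian’s “Application Installation Control”, “Blacklisting” and “Whitelisting”) contrast two policy semantics: a block list lets anything not named through, an allow list stops anything not pre-approved, and with a containerized work profile either list applies only to the work side of the device. The example below is added here to show that difference on sample data; it is my own illustration, not code from either article, and the `AppPolicy` type is a hypothetical model rather than any MDM vendor’s schema. The package names and inventory are constructed; the interesting case is a newly released, unvetted file-sharing app that neither list has heard of.

```go
package main

import (
	"fmt"
	"sort"
)

// Mode selects the policy semantics: a block list permits everything not listed,
// an allow list permits nothing not listed.
type Mode int

const (
	BlockList Mode = iota
	AllowList
)

// AppPolicy is a hypothetical model of a work-profile application policy.
type AppPolicy struct {
	Mode   Mode
	Listed map[string]bool // package names the list names
}

type Decision struct {
	Allowed bool
	Reason  string
}

// Evaluate decides whether pkg may be installed into the given profile.
// The personal profile is deliberately out of scope: with containerization the
// organization governs only the work side of the device.
func (p AppPolicy) Evaluate(profile, pkg string) Decision {
	if profile != "work" {
		return Decision{true, "personal profile is not managed"}
	}
	listed := p.Listed[pkg]
	switch p.Mode {
	case BlockList:
		if listed {
			return Decision{false, "on block list"}
		}
		return Decision{true, "not on block list; unknown apps pass by default"}
	case AllowList:
		if listed {
			return Decision{true, "pre-approved"}
		}
		return Decision{false, "not pre-approved; unknown apps are denied by default"}
	}
	return Decision{false, "unknown policy mode"}
}

// Violations audits the packages found in a device's work profile and returns,
// sorted, those the policy would not have permitted. This is the check IT would
// run when verifying that devices accessing company data meet the policy.
func (p AppPolicy) Violations(workProfileInventory []string) []string {
	var out []string
	for _, pkg := range workProfileInventory {
		if !p.Evaluate("work", pkg).Allowed {
			out = append(out, pkg)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample inventory: two sanctioned apps plus a brand-new sharing app.
	inventory := []string{"com.example.mail", "com.example.crm", "com.newstartup.share"}
	block := AppPolicy{Mode: BlockList, Listed: map[string]bool{"com.games.catcher": true}}
	allow := AppPolicy{Mode: AllowList, Listed: map[string]bool{
		"com.example.mail": true, "com.example.crm": true}}

	fmt.Println("block-list violations:", block.Violations(inventory)) // none: unknown app slipped through
	fmt.Println("allow-list violations:", allow.Violations(inventory)) // [com.newstartup.share]
	fmt.Println("personal profile:", allow.Evaluate("personal", "com.games.catcher"))
}
```

Run as written, the block list reports no violations even though the unvetted sharing app is already moving data, which is exactly the “too little, too late” failure Digital Guardian describes; the allow list flags it, while the game installed in the personal profile is left alone under either mode.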
At Adaptive Office Solutions, cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime.
To schedule your Cyber Security Risk Review, call the Adaptive Office Solutions service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca