BYOD Security: Expert Tips on Policy, Mitigating Risks, & Preventing a Breach
30 data security experts discuss the best policies on BYOD and how to prevent a breach.
Despite all of the security risks BYOD poses to an IT environment, the trend of businesses embracing bring your own device in the workplace continues to grow at a rapid pace.
Some of the main reasons companies today are so accepting of BYOD in the workplace relate to employee satisfaction and increased productivity: employees who are permitted to use their own devices in the office are generally more satisfied, and some 43% of employees connect to their email on their smartphones in order to get ahead and ease their workload.
Since BYOD seems to be quickly becoming the new standard in workplace technology rather than an exception, we wanted to find out how companies that are already investing in a BYOD workplace, or are planning to do so in the near future, are keeping their data secure. To do this, we asked 30 data security experts to answer this question:
"How can companies keep data secure in a BYOD environment?"
See what our experts had to say below:
Meet Our Panel of Data Security Experts:
Tom Smith is the VP of Business Development of CloudEntr, a Gemalto product that allows a simple and secure way for businesses to access the cloud. He has over 30 years of experience with security, mobile, and cloud technologies including founding executive roles at four technology companies. In his current role as VP Business Development and Strategy, CloudEntr at Gemalto, Tom is helping define and execute Gemalto's identity and access initiatives in the cloud.
Just when IT departments thought they had the local network locked down and somewhat secure, BYOD reared its head and introduced a litany of unforeseen challenges. The first step in keeping your business safe in the age of BYOD is...
To encrypt the data itself so you are prepared for the inevitable breach.
Beyond that, you should have a BYOD policy in place that includes mobile device management (MDM), which gives IT access to any devices that may access your business network along with the capability to revoke access or even wipe a device if it is lost or stolen, and outlines policies and protocols for accessing company data from remote locations.
Companies often restrict remote access to sensitive data by device-specific identifiers such as the MAC address. Furthermore, it is important to provide an identity access management (IAM) solution to your employees that offers two-factor authentication. By mandating using more than a single factor for authentication, you can be assured that an employee's device hasn't simply fallen into the wrong hands with a cached password granting the device holder access to your sensitive data.
Alastair Mitchell is President, CMO & Co-Founder of Huddle, the enterprise content collaboration platform. Huddle is Alastair's third internet start-up, and one which he founded with Andy McLoughlin as he was frustrated by existing enterprise technology's inability to help people work together. Spending millions of dollars on a SharePoint implementation, only to watch it fail dismally, was the final straw. As a result, Huddle was born. Since setting up the company in 2006, Alastair has grown Huddle to around 170 people in London, San Francisco, New York, and Washington D.C., raised $86 million in funding and seen sales double year on year. In his roles of President and CMO, Alastair is focused on scaling Huddle's global brand and market impact.
This is my advice to companies working in a BYOD environment who need to keep their data secure...
Companies need to wake up and realize they're facing a massive security issue and risk having their intellectual property walk out of the door with people. There's a huge amount of information available in enterprise content stores and knowledge workers are struggling to find ways to access, work on and share this with everyone they need to. Failed by legacy technologies, which were designed to keep content locked inside an organization, employees are looking for easy ways to access what they need.
This has resulted in free-for-all use of personal cloud services, external hard drives, smartphones and USBs, turning the enterprise content store into a giant, unruly jigsaw puzzle. With people busily stashing data all over the place, companies simply have no idea where their content is kept. Information needs to be stored centrally so that everyone with permission can access it, regardless of whether an employee has left the company.
Stephen Pao serves as General Manager, Security Business, at Barracuda Networks, where he is responsible for strategic product direction, definition, program management, and development for all of the company's security products. The Security Business brings together Barracuda's content security, network security, and application security product portfolio, as well as the Barracuda Central content team. He has more than 20 years of experience in high growth technology companies based in both Seattle and the Bay Area.
At Barracuda, a lot of our end users are embracing BYOD, so we have some tips/best practices for welcoming personal devices into the network environment and how companies can be flexible without compromising resources. It is important to note that BYOD environments bring a number of security challenges that organizations need to be aware of:
- Increased exposure to malware and infections due to lack of control and visibility into personal devices.
- Data leakage becomes a primary concern as these personal devices now have access to sensitive corporate data.
- General IT supportability of BYOD environments is difficult due to the large variation of personal devices, platforms, operating systems, etc.
Today, so much messaging is happening over collaboration applications, such as Skype or iMessage, that use transport encryption that is not easily intercepted, and most organizations are not set up to regulate their usage. Even social applications, such as Twitter direct messaging, Facebook Messenger, and LinkedIn inMail, which are easier to regulate, are often allowed for business communications, leaving organizations in a place where they might not strictly comply with their own information management policies.
Here are a few tips for what organizations can implement to mitigate the risk and challenges of supporting BYOD policies. Mobile Device Management solutions should work closely with organizations' wireless and security infrastructures to:
- Offer a secure and reliable internet experience
- Help manage device and application settings to ensure data integrity and security
- More easily distribute corporate network settings (proxy, WiFi, Exchange, etc.) to personal devices upon enrollment
- Be sure to have strong passwords and encrypt sensitive data when sharing with colleagues
- Set strong application control policies (this could be blocking Facebook Chat/games, Skype video, etc.).
Klaus Brandstatter is Managing Director of HOBsoft, a German software company and market leader in secure remote access solutions.
In order to protect against the many security risks involved with operating in a BYOD environment, managers must...
Acknowledge the rationale and benefits associated with granting employee access from mobile devices, as well as implement a comprehensive security strategy in order to allow it.
For instance, IT security managers can provide a company-issued mobile app that uses an encrypted connection to communicate directly with corporate servers, granting employees a convenient, user-friendly mechanism for secure remote access. Such an app could, for example, connect the mobile client with a Microsoft Exchange Server, thus granting the user access to their emails, calendar, contacts and notes. For maximum security, only data that is immediately required for the display should be sent to the mobile device.
Also, the data should only be loaded into the main memory for as long as the application is active. Once it is terminated, none of this data will remain on the device. In the event that the device is stolen or lost, there is no risk for a data breach, since the data remains hosted on the corporate server, and not the device. A company-issued mobile app can also prevent unauthorized access by requiring a login and password.
The business benefits of implementing a BYOD policy abound: elimination of the overhead costs associated with providing employees with and powering multiple company devices as well as increased employee flexibility and workflow coupled with the ability for employees to work remotely. But with these benefits, corporate data becomes vulnerable, which is why companies with BYOD policies should also implement secure remote access solutions.
Businesses with BYOD policies should also instate secure remote access policies, only permitting employees to access corporate data through an encrypted SSL or IPsec connection. Due to strong encryption algorithms and modern authentication methods, these solutions are a surefire way to keep corporate data safe in a BYOD environment.
Mike Meikle is Partner at SecureHIM, a security consulting and education company that provides cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. Mike has worked within the information technology and security fields for over fifteen years and speaks nationally on risk management, governance and security topics. He has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine, Los Angeles Times and Chicago Tribune. He holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and Six Sigma Green Belt.
Securing data in the cloud can be problematic even before the added complexity of managing the data on a mobile device. However, mobile platforms (phones, tablets, etc.) are becoming the access point of choice for the enterprise and so this issue needs to be addressed swiftly. Whatever solution the enterprise implements for data security it should follow the security principles of...
Confidentiality, integrity and availability.
Data confidentiality entails the protection of sensitive information from unauthorized users. Data integrity encompasses changes to the data and the identification of the individual or system that changed it. Availability is whether or not the data can be accessed by users or systems when required.
There are some standard security technical controls that can be implemented to protect data in the cloud. Mobile device or mobile application management (MDM/MAM) software installed on the user's mobile device is a good first step in securing and controlling sensitive corporate data in the cloud via a mobile platform.
On the risk management process side, organizations should know what is riding on their network and accessing their applications. With appropriate asset, network, log and mobile device management controls this would be a relatively "easy" process. However, certain industries – healthcare and government for example – lack a certain IT maturity level that other industries take for granted (see financial). Establishing proper asset and data management processes and procedures should be a high priority for industries with sensitive information.
One of the biggest offenders to data security is email, especially if companies use a cloud-based service. Sensitive data contained within emails is bounced around multiple servers where copies of this data can be stored. Utilizing an encrypted email client is a cost effective way of reducing the risk of a data breach via email.
Unencrypted emails, chat and photos present a large risk when stored on a mobile device. When the device is lost, which happens often, then this information could be extracted. Having the right controls (technical and risk management) for your enterprise mobile device infrastructure is key.
Simon Specka is CEO of ZenMate, an internet privacy protection service which has been downloaded over 8.5 million times in 180 countries since 2013. As a global citizen and frequent traveler he experienced the annoyance of restricted internet first hand. Simon is passionate about great user experience and likes to think outside the box to develop new solutions for unsolved problems. With a broad background in international business and innovation management as well as a liking for technology he is able to develop and execute all business related aspects of the startup.
As the workforce gradually moves towards BYOD, the safest way to protect any company data is...
To secure the online connection through encryption.
Companies can use a VPN cloud-network tool that uses secure servers for online security and privacy. This allows companies to secure their data, including any app data, by replacing personal employee IP addresses with a generic IP address. This helps to block out any hackers that may attempt to steal company information through employee devices.
Johnny Lee is the Managing Director of Forensic, Investigative & Dispute Services at Grant Thornton LLP. He is a forensic investigator and attorney, specializing in data breaches and cyber security.
How can companies keep data secure in a BYOD environment?
The short answer to your question is through a thoughtful combination of people, process, and technology. There are also exciting newer technologies, such as containerization, which are helping companies achieve BYOD security.
Michael Thorne is CTO of Fintech company Bristlecone Holdings.
Keeping data secure in a BYOD environment starts with...
Implementing and enforcing a company policy surrounding personal electronic devices.
It's easy to put in writing what shouldn't be done, but actually holding employees to those policies can be difficult. This is especially true for an organization transitioning from seed or start-up to growth stage, as more often than not security is overlooked or exchanged for speed and convenience. That policy should help educate employees on best practices regarding company data security. Devices' lock screens should be password and/or biometrically secured. Devices should not be "jail-broken" or otherwise compromised from their original state. Software and apps should be kept up to date with the latest security patches and OS upgrades. Only trusted software from reputable sources should be installed.
Data security isn't necessarily just about keeping the intentionally malicious users at bay; it's also about protecting your data against the users who have inadvertently become carriers of "electronic disease." One way to help is to have three different layers of security for your network to limit access to sensitive data through different tiers: a public or guest network, a private intranet network and finally, if necessary, a secure and limited access network. The three can be fed from the same internet pipe, provided they all are behind a properly configured and robust firewall device. The "guestNet" provides a convenient place for visitors to have internet access as well as employees who have brought unauthorized devices from home.
Providing this type of access offers a convenient channel for people to get what they want (internet) without significantly compromising the company network just so someone can check their favorite social media. The private intranet network is where the majority of work is conducted, but is also only for devices that have appropriate authorization and meet more strict security standards. This means PCs and laptops authorized from a domain server as well as BYOD electronics that have some form of authentication software installed such as a mobile device management (MDM) suite.
The idea here is to make sure that the devices connecting to the network with more sensitive data are authorized to do so and meet some standard of authentication as well as virus, malware and spyware prevention and protection. The most secure data should be kept extremely limited and not accessible to BYOD devices. It should only be accessible through two-step authentication measures and should be user limited, IP restricted (if possible) and/or only available from behind secure VPN connections.
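The three-tier model above (guest, private intranet, restricted) can be expressed as a posture check that runs before a device is placed on a network. The following is an added example written for this article, not code from the contributor or any MDM product; the posture fields, the 30-day patch threshold and the `10.10.` VPN address prefix are constructed assumptions standing in for whatever a real MDM agent and domain controller report.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (constructed for this example, not from the article).
MAX_PATCH_AGE_DAYS = 30
RESTRICTED_NET_PREFIX = "10.10."   # hypothetical VPN address pool


@dataclass
class Device:
    """Posture facts an MDM agent or domain controller would report."""
    name: str
    domain_joined: bool = False        # corporate PC/laptop joined to the domain
    mdm_enrolled: bool = False         # BYOD device running the MDM suite
    screen_lock: bool = False          # password/biometric lock screen set
    jailbroken: bool = False           # device altered from its original state
    endpoint_protection: bool = False  # virus/malware/spyware protection present
    last_patch: date = date(2000, 1, 1)


@dataclass
class Session:
    """Facts about the connection attempt itself."""
    mfa_passed: bool = False
    via_vpn: bool = False
    source_ip: str = ""


def intranet_violations(dev: Device, today: date) -> list[str]:
    """Reasons a device fails the private-intranet standard (empty list = compliant)."""
    problems = []
    if not (dev.domain_joined or dev.mdm_enrolled):
        problems.append("not domain-joined and not MDM-enrolled")
    if not dev.screen_lock:
        problems.append("no screen lock")
    if dev.jailbroken:
        problems.append("jailbroken/rooted")
    if not dev.endpoint_protection:
        problems.append("no endpoint protection")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        problems.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return problems


def assign_tier(dev: Device, session: Session, today: date) -> tuple[str, list[str]]:
    """Place a device on 'guest', 'intranet' or 'restricted' and explain why.

    Any intranet violation drops the device to the guest network. The restricted
    tier is reserved for domain-joined corporate devices connecting over the VPN
    with two-step authentication completed; BYOD devices never reach it.
    """
    problems = intranet_violations(dev, today)
    if problems:
        return "guest", problems
    if not dev.domain_joined:
        return "intranet", ["BYOD devices are never placed on the restricted network"]
    missing = []
    if not session.mfa_passed:
        missing.append("two-step authentication not completed")
    if not session.via_vpn:
        missing.append("not connected over the VPN")
    if not session.source_ip.startswith(RESTRICTED_NET_PREFIX):
        missing.append("source address outside the VPN pool")
    if missing:
        return "intranet", missing
    return "restricted", []


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed evaluation date
    phone = Device("byod-phone", mdm_enrolled=True, screen_lock=True,
                   endpoint_protection=True, last_patch=date(2024, 5, 25))
    print(assign_tier(phone, Session(mfa_passed=True, via_vpn=True,
                                     source_ip="10.10.4.7"), today))
```

Returning the list of reasons alongside the tier matters in practice: it is what the help desk shows the employee ("your phone is 45 days behind on patches") and what gets logged when a device unexpectedly lands on the guest network.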
Steve Durbin is the Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
In order for organizations to keep data secure in a BYOD environment...
They need to determine their requirements and understand the risks associated with connecting employees' devices to the organization's infrastructure and allowing personal applications and cloud storage to co-exist with corporate data.
This risk assessment should be regularly updated, as hardware and software change. Organizations should also determine and communicate the intended and acceptable use of privately owned devices, specify which devices and operating systems are supported, and when new ones will be added. Staff must be assigned to manage the technical infrastructure and provide support to employees.
BYOD initiatives promise significant benefits, including improving productivity, attracting and retaining talent and reducing costs. But these business benefits will only materialize if the initiative is carefully managed by the organization. Organizations with the appropriate expertise, leadership, policy and strategy in place will be agile enough to respond to the inevitable security lapses. Those who do not closely monitor the shifts of BYOD could very well be left behind.
Dan Adams is CEO of New England Network Solutions (NENS), a Managed IT Services company, and is a serial entrepreneur who ran his first retail operation at the age of 14. Dan is passionate about sharing his success strategies with fellow entrepreneurs and learning from their experiences. He founded NENS in 1993 and over the years, owned and managed several start-up companies. Over the years NENS has been repeatedly recognized by receiving industry awards such as CRN MSP 500, MSP Mentor list of top 250 MSPs and Ingram Micro's SMB 500.
Security is a business owner's number one issue when it comes to a BYOD environment, but many companies appreciate the benefits of providing employees with their best chance to be productive and flexible. This is why it is imperative to consider the following to keep your biggest asset [your data] secure:
- Choose the right tools. Any old webmail service will do for personal use, but when running a business it pays to invest in a secure, business-class email service — especially if your company operates under a BYOD policy. But business-class email can be pricey, especially for a small business on a limited budget. A subscription to Microsoft Office 365 includes secure email for your employees, with ActiveSync support for every major mobile platform. It's one of the only cloud-based platforms, alongside Google Apps for Business, that meets the minimum security standards for usage by U.S. Federal Government agencies. It's affordable, too, at about $4 per employee per month. As a bonus, users gain access to the full Office 365 suite, which opens up secure, cloud-based syncing for your Office documents, calendar and more. Just last month, Microsoft announced they added Mobile Device Management (MDM) to Office 365. Google Apps for Business is a cloud-based service that can be used to securely access and coordinate business information, schedules and documents. It is also highly regarded from a security standpoint and cost effective.
- Create and enforce a BYOD Policy.
Documentation and system processes are the key to relinquishing control over your data. Not only should companies create a full policy and share it regularly with their staff, but it also must be enforced and clearly understood at every level. It will live as an ever-changing document, so keep it live on something like a Wiki where other live documents live and update it when technology changes.
82 percent of BYOD devices are smartphones, which means it's very important to consider employee access to files outside of the workplace. What to include in your policy:
- Rules for setting lock screens and passwords.
- Limited connectivity to network.
- Require use of VPNs and virtual desktops.
- Enforce updates and patches.
- Location tracking software.
- Get back your old devices. Keep tabs on the locations of your outdated devices that may still have access to data. That means Scott from accounting's ten-year-old son should not be walking around school with an old company smartphone. Have the person in charge of IT keep a live track of inventory and have him/her wipe devices clean before donating or tossing them. Technology is unique in that consumer behavior often leans towards customized and personalized devices over the mainstream. So, what does that mean to a business owner? Sally wants to use her iPhone 4 while Bob prefers his Android and they are collaborating on the same project. The good news is 49 percent of US IT Managers strongly agree that BYOD improves worker productivity [According to a recent article: Insights on the Current State of BYOD article from Intel]. Leaders who allow a BYOD environment will come out on top, so long as they do their homework to cover their assets.
Tim Prendergast is CEO and Founder of Evident, a cloud security company and the first company of its kind to offer continuous cloud security technology for Amazon Web services. With well over two decades of experience pushing the limits of technology, Tim set out to create the first next-generation security company, Evident.io, focused solely on programmatic infrastructures (cloud). Tim co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes.
One of the biggest challenges with BYOD environments is...
The distribution and perceived lack of control over data stored across the many devices.
This is directly addressed by one of the key features of cloud technology -- the ability to store disparate data in a centralized service location while maintaining security control. Users could leverage any device they wish to use, and access their data or perform work on a series of cloud services that retain control of the data. This makes the various devices of users the equivalent of thin clients when it comes to data viewing, processing, and manipulation.
The IT department could maintain encryption policies, access rights, and a number of other security controls on the data that are enforced regardless of the device a user chooses or brings to the office.
Ondrej Krehel is the Founder and Principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal and The New York Times, among many others.
Unprotected devices can pose some very serious security risks and can serve as an entry point for hackers seeking access to otherwise secure networks. Properly securing your BYOD network should include...
Having a well-defined email security policy. For example, not letting users download large archived files from a mobile device, as this may be a sign of unauthorized access.
The next piece of advice would be to have layers of security. For example, require each new device to first be authenticated to the domain controller.
You should also require authentication to gain access to certain information. For example, it is a good idea to use Access Control Lists (ACLs) on your corporate network. These would define which devices, users, apps, etc., would be granted access to specific areas of your network. This would limit the amount of network that a compromised device could access, thus limiting the potential for unauthorized access.
This is a good rule to follow in general: give the least amount of access to the fewest users. This means that a salesperson should not have access to HR files, since there is no reason for them to have it. If the salesperson's device gets compromised, the attacker will not have access to sensitive files from another department.
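The two layers described above, device authentication to the domain first and then an ACL that grants each role only the areas it needs, can be written as a default-deny authorization check. The following is an added example written for this article, not the contributor's code; the ACL table, role names and the in-memory device directory are constructed stand-ins for a real directory service, and the `reachable_from` helper shows the "blast radius" point: what a compromised sales device can actually reach.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed ACL: resource -> roles permitted to read it.
# Anything not listed here is denied (default deny).
ACL: dict[str, set[str]] = {
    "hr/personnel-files": {"hr"},
    "finance/ledger": {"finance"},
    "sales/crm": {"sales", "finance"},
    "wiki/handbook": {"hr", "finance", "sales", "engineering"},
}


@dataclass(frozen=True)
class Request:
    """One access attempt: who is asking, in what role, from which device."""
    user: str
    role: str
    device_id: str


class DeviceDirectory:
    """Devices that have authenticated to the domain controller (constructed stand-in)."""

    def __init__(self) -> None:
        self._authenticated: set[str] = set()

    def authenticate(self, device_id: str) -> None:
        self._authenticated.add(device_id)

    def is_authenticated(self, device_id: str) -> bool:
        return device_id in self._authenticated


def authorize(req: Request, resource: str, devices: DeviceDirectory) -> tuple[bool, str]:
    """Layered, default-deny decision: device layer first, then role-based ACL."""
    if not devices.is_authenticated(req.device_id):
        return False, "device has not authenticated to the domain"
    allowed_roles = ACL.get(resource)
    if allowed_roles is None:
        return False, "resource not in ACL (default deny)"
    if req.role not in allowed_roles:
        return False, f"role '{req.role}' not permitted on {resource}"
    return True, "permitted"


def reachable_from(role: str) -> list[str]:
    """Everything an attacker holding a device logged in with this role could read."""
    return sorted(res for res, roles in ACL.items() if role in roles)


if __name__ == "__main__":
    directory = DeviceDirectory()
    directory.authenticate("phone-sally")        # constructed device id
    sally = Request(user="sally", role="sales", device_id="phone-sally")
    print(authorize(sally, "sales/crm", directory))
    print(authorize(sally, "hr/personnel-files", directory))
    print("blast radius if Sally's phone is compromised:", reachable_from("sales"))
```

Two design points: the device check runs before the ACL lookup so that an unregistered device is refused even for a resource its user's role would normally see, and an unknown resource name is a denial rather than a pass-through, so a typo in the ACL fails closed.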
Yair Grindlinger is a Co-Founder and CEO of Firelayers, a provider of cloud gateway security. Yair brings to FireLayers many years of experience in technology, security and business leadership. Before FireLayers, Yair co-founded SupportSpace and served as its CEO for six years, leading it from inception to a business that partnered with Fortune 100 companies, and generated tens of millions of dollars in yearly revenues. Prior to that Yair was the CEO of Port Authority (acquired by Websense NASDAQ: WBSN), a fund Manager at STIVentures and worked with Doron Elgressy at Security-7 (acquired by Computer Associates, NYSE:CA), where he managed the company's international sales and marketing operations.
This is my advice for companies working in a BYOD environment who need to keep their data secure...
The focus for keeping data secure shouldn't be on BYOD devices, it should be on applications, no matter which BYOD device is used.
You need a cloud security gateway that can enforce corporate policy in cloud applications and data such as with Salesforce, GitHub and Box as well as homegrown apps. This gets around the problem of pinning your security hopes on device management, which is problematic because people are constantly upgrading and changing their device of choice. That's why you have to secure BYOD usage at the cloud application level.
Paul Hill is a Senior Consultant at SystemExperts, an IT compliance and security consultancy, and works to provide clients with both strategic and practical guidance to build effective security organizations.
To have a successful BYOD program, companies must...
Maintain the security of their systems and the confidentiality of data. The four most basic BYOD technical controls that a company must implement are:
- The company must know what devices are being used legitimately, so each device should be registered and authorized.
- A PIN or pass phrase must be used to access the device.
- The ability to remotely lock and wipe the device must be enabled.
- Employees must report lost or stolen devices in a timely manner so that they can be locked and wiped.
Additionally, a successful BYOD program should include policies and training to protect both the company and the employee:
- Do have policies that require employees to waive all liabilities in the event that the company remotely locks or wipes a device.
- Do have relevant acceptable use policies that also describe what is prohibited, such as using jailbroken devices.
- Do provide security awareness training about the risks associated with mobile devices and the importance of timely reporting of lost or stolen devices.
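The four basic technical controls listed above (register and authorize each device, require a PIN, enable remote lock and wipe, and act on lost-device reports) map onto a small device lifecycle. The following is an added example written for this article, not the contributor's code or any MDM vendor's API: the registry is an in-memory stand-in, and a real deployment would issue the lock and wipe commands through its MDM platform rather than flipping a state field.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    LOCKED = "locked"
    WIPED = "wiped"


@dataclass
class Enrolled:
    """An authorized device and the controls it satisfied at registration."""
    owner: str
    pin_set: bool
    remote_control: bool   # MDM remote lock/wipe capability enabled
    state: State = State.ACTIVE


class DeviceRegistry:
    """Constructed stand-in for an MDM inventory of authorized BYOD devices."""

    def __init__(self) -> None:
        self._devices: dict[str, Enrolled] = {}

    def register(self, device_id: str, owner: str, pin_set: bool,
                 remote_control: bool) -> tuple[bool, str]:
        """Controls 1-3: a device is authorized only with a PIN and remote lock/wipe."""
        if not pin_set:
            return False, "PIN or pass phrase required before authorization"
        if not remote_control:
            return False, "remote lock and wipe must be enabled before authorization"
        self._devices[device_id] = Enrolled(owner, pin_set, remote_control)
        return True, "registered"

    def report_lost(self, device_id: str) -> list[str]:
        """Control 4: a lost/stolen report triggers lock, then wipe, and records what ran."""
        dev = self._devices.get(device_id)
        if dev is None:
            return ["unknown device: nothing to lock or wipe"]
        if dev.state is State.WIPED:
            return ["already wiped"]
        actions = []
        if dev.state is State.ACTIVE:
            dev.state = State.LOCKED     # real code: send MDM lock command here
            actions.append("locked")
        dev.state = State.WIPED          # real code: send MDM wipe command here
        actions.append("wiped")
        return actions

    def may_access(self, device_id: str) -> tuple[bool, str]:
        """Only registered, active devices are allowed to reach company data."""
        dev = self._devices.get(device_id)
        if dev is None:
            return False, "device not registered"
        if dev.state is not State.ACTIVE:
            return False, f"device is {dev.state.value}"
        return True, "ok"


if __name__ == "__main__":
    registry = DeviceRegistry()
    print(registry.register("phone-42", "alice", pin_set=True, remote_control=True))
    print(registry.may_access("phone-42"))
    print(registry.report_lost("phone-42"))   # employee reports the phone stolen
    print(registry.may_access("phone-42"))
```

The point of `may_access` returning a denial for an unknown device id is that registration is what makes a device legitimate: a phone that was never enrolled, or one that has been wiped after a loss report, is refused without any further checks.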
Stuart Barr is the COO of HighQ, a secure enterprise collaboration software. In his leadership role, Stuart leads product strategy, design, marketing and client engagement at HighQ. Stuart has a strong background in business strategy and consulting as well as extensive technical and general management experience. Stuart has a diverse background with web technologies and social computing in the professional services industry.
If you're going to allow a BYOD culture to thrive in your business, you must...
Implement a clear BYOD policy so that employees clearly understand their responsibilities (from reporting any loss or theft of devices, through to maintaining acceptable security and passwords).
Your policy should provide guidance to users on how they can use their own device to process corporate and personal data and should also clarify that employees can only process corporate personal data for corporate purposes.
You should specify the types of personal data that can be accessed, as well as which devices can be used. The more specific you are, the better – you want to avoid any miscommunication regarding suitable usage so that your confidential company data is as secure as possible. It is recommended that antivirus software is installed on personal devices and technical support is provided to employees on their personal devices.
Companies should also consider putting password policies in place for strong authentication of users and encrypting sensitive data if they haven't already done so.
Bernhard Mehl is Co-Founder and Head of Security at KISI Inc., an enterprise physical access control provider for smartphones.
How can companies keep data secure in a BYOD environment?
- Manage your company WiFi well. Ideally you have four WiFi networks: corporate, employees, visitors and devices. Since every device will be connected to the network, this is very important.
- Use SSO services like Okta to authenticate the user independent of the device used.
- Use apps that allow remote log out/management of the user login. For example there are apps which can be force-logged out from an admin dashboard.
- Understand which data is stored on the device before you deploy a new app. At my company we only make API calls and store nothing beyond login credentials on the phone. Our cloud serves as an intermediary and can regulate or turn off traffic if needed.
Chris Camejo is the Director of Assessment Services for NTT Com Security, a global information security and risk management organisation, which delivers a portfolio of managed security, business infrastructure, consulting and technology integration services through its WideAngle brand.
BYOD provides opportunities for organizations to improve productivity, efficiency, and agility of a mobile workforce. However, BYOD has also heightened security risks for organizations. With corporate data on a personal device, it is especially important that organizations...
Implement appropriate safeguards to protect themselves from potential data leakage.
Data loss through unmanaged mobile apps, loss or theft of the device or malicious software can occur and create significant risk to the organization. It is essential that enterprises are able to manage mobile devices as part of their overall security strategy. Implementing security controls, such as mobile device management (MDM), and applying consistent policies can help protect the organization from security threats and data loss.
MDM acts as a natural extension to the core risk and security strategy of the enterprise, allowing organizations to centrally manage and apply policies from the cloud and protect sensitive data on BYOD devices. Similar to any other software being deployed on a large scale, we need to ask the questions "is it secure?" and "what are the risks?".
Just because a piece of technology like MDM is in place doesn't mean it can eliminate all risk. Organizations should be conducting in-depth risk assessments using methodologies like ISO 27005 or NIST SP 800-30; these will help determine what sort of security controls are appropriate to protect data and in some cases will indicate which data is too sensitive to put on a BYOD device at all.
Sam Liu is VP at secure file sharing services provider, Soonr, and has over 20 years of experience in mobile, cloud and enterprise solutions.
Business data security is a multi-pronged challenge in the modern working world. Further, the BYOD trend not only opens businesses up to data leakage or breaches when employees share sensitive files over unsecured wireless networks, it also increases the risk of irreversible data loss if a personal device goes missing or is stolen. One way to ensure data is protected on all of these fronts is...
To incorporate a secure file sharing solution that employs a BYOD-friendly security strategy – one that integrates device security as an integral part of the solution without hindering productivity on personal devices.
For example, 3rd party mobile device management (MDM) solutions work well to control security on company owned devices, but become a hindrance for BYOD due to personal privacy and infringement. As a result, having integrated MDM features within file sharing solutions that only affect company data is key to securing BYOD devices. These security policies should include data leakage prevention to control unauthorized download, copy and export of sensitive materials. They also need to address lost or stolen devices with remote wipe and automated recovery of business content without impacting personal data.
Taking these steps will help ensure that the rise of BYOD adoption for business use does not negatively impact security.
David Howard has been a Certified Ethical Hacker since 2009, has been in the IT field since 1998, and is featured on the ClearChannel network of radio stations as Dave The IT Guy. His blog can be found at www.dtig.net.
For companies to keep their data secure in the world of bring your own device, there are several considerations...
- First, they have to understand how employees are accessing data (via internal, web interfaces, VPN, remote desktop or mobile app). Then put a BYOD policy in place – not one that is just written out for people to sign, but a policy in which employees are trained to understand the technological differences in how they access data. At a bare minimum, that policy should include MDM (mobile device management) which gives the company the ability to remotely wipe a device in the case of loss or theft.
- Next, your policy should absolutely mandate that any device that connects to or holds company data be encrypted at the disk level.
- Third on the list is an emerging group of technology called MAM (mobile application management) so that you can ensure people don't bring in a device with software designed to steal your data (either knowingly or not).
- Fourth, of course, is to enforce use of antivirus/antimalware software so that when a device connects to your network, it is scanned for having this type of software before it allows a full connection to your network. Lastly, require strong passwords and multilevel access control. Gone are the days of P@ssword1 and similar passwords. Passphrases like I l1k3 4urre k@tz should be implemented, and once a user leaves a specific folder location (say like your company financials) and attempts to access other data (say like human resources), yet another password (not the same) should be used. Seems like quite a bit, but single sign-on passwords are what have gotten Target, Home Depot and many others in hot water.
Although these are the bare minimum standards a company should consider, there are other aspects to BYOD security as well. For example, companies should consider requiring the use of in-house wireless when onsite to alleviate the outside network (carrier) from being used and potentially exposing data.
Fred Menge is the Owner of Magnir, a leading information management firm and a respected provider of records management, digital forensics, eDiscovery and information security services. Fred formed the Magnir Group in 2006 after serving in a variety of technical and managerial positions in industries including energy, government, travel and technology. Fred's core experience includes areas of information security, records management and cloud computing. He is an expert at developing records management programs, record retention policies and conducting operational audits. Fred holds credentials as a Certified Information Systems Auditor (CISA) and a Certified Information Security Manager (CISM). Fred is a member of the Association of Records Management and Administrators (ARMA), a member with the Northeast Oklahoma Information Systems Audit and Control Association (ISACA) and an adjunct faculty member with Oklahoma State University.
A simple, effective method for securing cloud based data on a BYOD is...
To secure the device with a PIN.
With Apple's new iPhone, data is encrypted on the device and cannot be unencrypted without the passcode. Another effective method for keeping company data secured in the cloud with a BYOD device is to allow the company to remotely wipe the data contents of a BYOD if an employee or contractor loses their device.
In this scenario, the company must have an enterprise BYOD policy in place stating that the company is allowed to remotely wipe the contents of a device if the device is lost or stolen.
Karol Bronke is Product Manager of the Relution Enterprise Mobility Management Suite.
The best way to keep enterprise data secure in a BYOD environment is...
To use enterprise web apps inside of a secured container.
All web apps which are developed by your IT department or a 3rd party supplier can be managed within a mobile app management (MAM) tool and the whole app with its data is secured. The end user just needs the container app to receive new company apps and updates.
The web apps can be fully controlled by setting the correct rights for the right people. Enterprise data is handled inside the secure sandbox of the container app. Web apps have the advantage of being platform-independent, so you do not have to have resources for development for Android, iOS and Windows phones. Additionally it is easier to find the right developers. Last but not least, the packaging and signing process of apps within a secured container is a lot easier than with native apps.
Pavel Krcma is the CTO of Sticky Password where he utilizes his software engineering expertise to design software architecture and create new updates for the company's password management software. He has more than 15 years of experience in the security industry and is the former head of the virus lab at AVG Technologies. Pavel speaks on topics related to malware and cybersecurity and has also co-authored several articles about online security.
To mitigate possible problems that come from a BYOD environment, I would recommend using these practices:
- Apply password enforcement. Although it's quite unpopular, there really isn't anything better for service access than strong passwords that are changed from time to time.
- Use encryption on all levels. Your connections should be secured (HTTPS, VPN), your important documents should be encrypted and devices should have encrypted storage. Even mobiles offer this functionality now.
- Enforce good device security. By this I mean good passwords for access to devices (mobiles, notebooks, etc.), use of antimalware systems and following standard security practices like ensuring that your OS and critical applications are up-to-date.
Darren Guccione is the CEO and co-inventor of Keeper Security. He started the company with extensive experience in product design, engineering and development. At Keeper, Darren leads product vision, global strategy, customer experience and business development. Prior to Keeper, Darren served as an advisor to JiWire (www.jiwire.com), now called NinthDecimal. NinthDecimal is the leading media and technology service provider for the Wi-Fi industry. He was formerly the Chief Financial Officer and a primary shareholder of Apollo Solutions, Inc., which he and his partners sold to CNET Networks, Inc. in June 2000.
The popularity of BYOD (Bring Your Own Device) policies at companies is forcing IT to reconsider their mobile cybersecurity strategy. It is possible to keep work and personal emails separate on employees' smartphones, but if sensitive information is on those devices it can easily be hacked if the employees are not educated. The no. 1 way for an organization to protect itself from a data breach in this case is...
To guarantee that a data-protection strategy is in place for work emails to ensure that all sensitive data is encrypted, proper controls are in place to permit access to that data, and that the policy is consistently tested and audited for effectiveness in preventing data-loss from both external and internal threats.
In a BYOD corporate culture, enterprises are at risk of having their employees' smart devices being hacked because of poor passwords. In fact, a 2014 Verizon study showed that 76% of breaches on corporate networks are due to a weak employee password (one of the most common is: 123456). For instance, Target's loss of nearly $100 billion was due to one username with a simple password getting hacked.
The easiest way to solve this common security threat is to ensure that employees use strong passwords through the use of a password management application - ideally one that utilizes two-factor authentication as an extra layer of security. This simple step can provide a cost-effective pro-active solution to one of the easiest layers for hackers to compromise - the password.
Andrew Bagrin is the CEO and Founder of SECaaS provider, My Digital Shield, and has over 17 years of experience within the security space.
When it comes to keeping data secure in a BYOD environment...
The best rule of thumb is if you don't have complete control of the device, limit its access on the network.
If a device is brought in that has been connected to other networks and leveraged for other non-work related tasks, make sure all of its activity is scanned, filtered and that your network is properly protected from it. I would normally set up a separate Wi-Fi network for BYOD and give it limited access with plenty of filtering. BYOD is a great, easy way to make your employees productive, but it also by nature carries significant risk that needs to be addressed.
Julian Weinberger, CISSP, is Director of Systems Engineering at NCP engineering, based in Mountain View, California. Julian is an information security expert with expertise in the areas of SSL-VPN, IPsec, PKI and firewalls. At NCP engineering, he develops IT network security solutions and business strategies.
How can companies keep data secure in a BYOD environment?
In our ever-changing digital world, companies are constantly confronted with the challenge of keeping data secure against new, dynamic network threats. A potential vulnerability stems from personal mobile devices, which employees could use to connect to corporate networks whether a BYOD policy is in place or not.
Riding on the tide of the Internet of Things, the number of devices able to connect to corporate networks are rapidly increasing, and IT departments must work quickly to improve their network security. The first step is to implement an overall approach for user and device management that is aligned with the organization's security plan.
Employee termination procedures should also be adapted to the BYOD environment, with emphasis on security policies that are centrally managed and strictly enforced. The best approach is to connect user-provisioning and identity systems with VPN administration. By connecting the HR database with user provisioning, all access to corporate systems is denied from past employees' devices as soon as they are marked terminated in the HR database.
Additionally, a process is needed to remove all company data from past employees' devices. Implementing a mobile device management or container solution, which creates a work environment on the device, provides an easy-to-administer method of deleting all corporate data and access to confidential information when employees leave the company. This approach also neatly handles situations when a present employee's device is lost or stolen.
Finally, IT departments should raise the base level of security across the entire network, as taking a proactive approach, instead of an ad hoc one, will better protect devices from attacks. As the network security landscape continues to shift, it's the companies that evolve, and realize remote access policies and processes must change with each new risk, that will keep their data secure in a BYOD environment.
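The HR-driven deprovisioning described above (terminated employees lose VPN access, their personal devices lose only the work container, lost or stolen devices are handled the same way) can be expressed as a reconciliation job. The following is an added illustration, not NCP engineering's code; the HR feed, device inventory, account list and action names are constructed assumptions rather than any vendor's API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class HrRecord:
    username: str
    status: str                              # "active" or "terminated"
    termination_date: Optional[date] = None  # set when status == "terminated"

@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str                # username the device is enrolled under
    corporate_owned: bool     # False means BYOD: only the work container is wiped
    status: str = "active"    # "active", "lost" or "stolen"

Action = Tuple[str, str, str]  # (kind, target, reason)

def reconcile(hr: Dict[str, HrRecord], vpn_accounts: Iterable[str],
              devices: Iterable[Device], today: date) -> List[Action]:
    """Compare the HR feed (the source of truth) with VPN accounts and enrolled
    devices and return the revocation actions due today, sorted for repeatable runs."""
    leavers = {u for u, r in hr.items()
               if r.status == "terminated" and r.termination_date
               and r.termination_date <= today}
    actions = set()
    # Identity side: leavers lose their account; accounts HR has no record of are orphans.
    for user in vpn_accounts:
        if user not in hr:
            actions.add(("disable_account", user, "no HR record (orphan account)"))
        elif user in leavers:
            actions.add(("disable_account", user, "terminated in HR"))
    # Device side: a leaver's devices and any lost/stolen device lose corporate data
    # and their VPN credential; a personal device keeps its personal contents.
    for d in devices:
        if d.owner in leavers:
            reason = "owner terminated"
        elif d.status in ("lost", "stolen"):
            reason = f"device reported {d.status}"
        else:
            continue
        wipe = "wipe_device" if d.corporate_owned else "wipe_container"
        actions.add((wipe, d.device_id, reason))
        actions.add(("revoke_device_cert", d.device_id, reason))
    return sorted(actions)

# Constructed sample data (hypothetical users and devices, not real records).
HR = {
    "alice": HrRecord("alice", "active"),
    "bob": HrRecord("bob", "terminated", date(2024, 3, 1)),
    "carol": HrRecord("carol", "terminated", date(2024, 12, 31)),  # future-dated: no action yet
}
VPN_ACCOUNTS = ["alice", "bob", "carol", "dave"]  # "dave" exists in VPN but not in HR
DEVICES = [
    Device("dev-alice-ph", "alice", corporate_owned=False),
    Device("dev-alice-tab", "alice", corporate_owned=False, status="lost"),
    Device("dev-bob-ph", "bob", corporate_owned=False),
    Device("dev-bob-lap", "bob", corporate_owned=True),
    Device("dev-carol-ph", "carol", corporate_owned=False),
]
SAMPLE_DAY = date(2024, 6, 1)

def sample_run() -> List[Action]:
    """Run the reconciliation over the constructed data for the sample day."""
    return reconcile(HR, VPN_ACCOUNTS, DEVICES, SAMPLE_DAY)

if __name__ == "__main__":
    for kind, target, reason in sample_run():
        print(f"{kind:20} {target:14} {reason}")
```

Running the job daily (or on every HR change event) keeps the VPN and device side in step with HR without anyone having to remember to revoke access by hand.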
Jeff Frankel is Executive VP of docSTAR, a B2B software firm specializing in cloud document management solutions and business process automation. He has more than two decades experience in corporate business development, working with industry-leading firms including Authentidate Holding Corp, Med-Flash, Health Focus of NY, and Ernst & Young. Jeff offers innovative perspectives on streamlining business for improved efficiency and productivity.
How can companies keep data secure in a BYOD environment?
- Be Proactive: The first answer is obvious - have a proactive BYOD strategy that informs employees on how they are to handle company data whether working from home, the office, the airport, or the beach. BYOD strategies can include everything from password requirements and device registering to what information may and may not be shared via mobile. This includes content. Your data is your company's greatest asset. Without a BYOD plan - you are at risk.
- Consider your ECM Options: With any ECM, tracking and workflow features ensure data is protected regardless of the device. Ensuring compliance becomes much easier when any time a file is accessed, edited or shared it is automatically tracked. There are security features to password protect any level of access to files, and the information is readily available to those who need it.
Israel Lifshitz is the CEO of Nubo Software, a company that is defining the new virtual mobile work experience for enterprise organizations. An entrepreneur and experienced CEO, Israel previously founded Sysaid Technologies, a worldwide leader in IT service management solutions.
This is my advice to companies looking to keep data secure in a BYOD environment...
It doesn't make sense to house business intelligence tools containing data on mobile devices because they are the weakest link in security. It also doesn't make sense to deploy one security patch after another in the hope that hackers won't find a way to break encryption.
The most valuable data should be kept where it's safest. This is why storing data on a secure remote server is the most preferred way to protect data going forward. By using Virtual Mobile Infrastructure (VMI), companies can keep apps and data on a secure service while allowing users to access data they need via smartphones and tablets. They receive insights as a flat image that cannot be manipulated. This approach also enables efficiencies such as single sign-on processes that also enhance security.
Michael Bremmer is an Entrepreneur, Speaker, and the CEO of Telecomquotes.com, an IT and telecommunications company, who has over twenty years of specialized experience in telecommunications and technology. Michael also sits on the advisory boards of several companies, including Telepacific Communications, Megapath, Cbeyond (now Birch) and Channel Partners/Cloud Partners national technology boards.
Here are what I consider as required items for BYOD security...
- You need a specific agreement with your employees covering your BYOD policy: reimbursement stipends, data retention/security/human resource policies (a bit of ink in the beginning saves a ton of pain in the ending).
- A service/application that allows you to securely CONTAIN/SEPARATE business data from personal data so on demand wipe doesn't destroy baby pictures...several services offer this.
- A specific IT policy/media plan for when a breach happens...because you will EVENTUALLY have a breach.
Eric Ratcliffe is the Director of Sales at 360 Advanced, P.A., a licensed Certified Public Accounting (CPA) firm and authorized Payment Card Industry Qualified Security Assessor (PCI QSA) specializing in technology assurance, compliance and consulting.
How can companies keep data secure in a BYOD environment?
Be careful about BYOD.
As more and more companies follow the popular trend toward permitting employees to bring your own device, or BYOD, allowing company information to be shared over numerous employees' personal devices puts all data at risk because you cannot be sure the machines are safe. If you don't have the ability to see into them to make sure they are running controls and have the latest virus definitions, all of your corporate secrets could be going out the window. Smart phone infections are common and becoming more so. You should have a corporate policy in writing limiting access to financial information, client contracts and other sensitive (and valuable) data on personal devices. Also, keep these things in mind...
- Don't think you are too small to be hacked. In fact, a clear trend now is for smaller companies with lax IT security standards and numerous unmanaged permissions to become easy platforms for hackers to hide and wait to enter larger firms with whom the small ones do business. Small firms today are the low hanging fruit that cyber thieves are stalking as larger firms become more vigilant and harder to penetrate.
- Renew your dedication to the principle of least privilege. Immediately conduct an audit of permissions of access, and cut back. Over time, through the phenomenon of permission creep, too many people have access to information who should not. The big problem is awareness. My rule is know thy network, and people don't. On several projects, when we point out the dangers of too many permissions, we're told, 'well, nobody could do anything with that data,' and then we'll show them what could be done with that data using the privileges that they thought were safe.
- Beware vendor access. A vital component of the rule of least privilege is to thoroughly and regularly analyze what access you have allowed for your vendors. As increased use of extranets grows, know your vulnerability, and avoid opening the door to a vendor's access to vital company information without a thorough compliance audit. Obviously, your HVAC vendor should not have access directly to the same set of computers where you store your payroll data. Such routes through vendor sharepoints and extranets are favored by hackers.
- Consider your liability. If you are a third-party vendor managing information for one or more - or dozens - of clients, be aware of the civil liability of not having the proper controls and allowing unauthorized criminal access to your client's proprietary data. While carelessness in this area has not reached the level of criminal negligence at this point, there are indications that governments are moving in that direction. If you unknowingly allow one of your machines to essentially become a bot working for a paid hacker, you can be held liable for real and actual civil damages. At the least, you will lose perhaps hundreds or thousands of man-hours participating in and supporting the criminal investigation into how it happened.
- Don't just check the boxes. If you manage data for a client, invest the time and money to achieve compliance in one or more of the nine most important information security levels you may need, depending on the type of client information housed. Those levels are compliance with the Health Information Portability and Accountability Act (HIPAA); SOC 1 and SOC 2, which are the AICPA Service Organization Control Reports; Penetration Tested Service Organization (PEN); Payment Card Industry Data Security Standard (PCI); ISO 27001; Standard Information Gathering (SIG); Federal Information Security Management Act (FISMA) and the Experian Independent Third Party Assessment (EI3PA). However, after you earn compliance, the real work begins. You can't just check the boxes and relax. Develop a culture dedicated to information security. Self-testing is a continual thing. Any time there is any structural change to the network, a new server, a new gateway, a new firewall, especially if you bring in a new vendor, or host a new client server, consider how these changes can impact overall security. Avoid complacency at every level.
Yehuda Cagen is the Director of Marketing & Communications for Extreme Technologies, a hybrid consultancy of professional services, staff augmentation, and search under one umbrella.
In my experience in cloud computing there are a myriad of ways to keep data secure in a BYOD environment. The key ingredient is...
Communication between the IT department and upper-level management and communication between all business constituents, including HR.
For example, you can employ a way to remotely manage the environment, but many employees have personal and business data on a single device and some won't want to have their data remotely wiped. Furthermore, many employees may not want to have management track their whereabouts after hours by tracking their mobile devices.