Personal digital devices are so popular that employees are bringing them into the workplace without management approval. This bring-your-own-device (BYOD) trend can lead to security threats. Vulnerable devices can provide access for thieves seeking to steal proprietary data, leading to potential liability and loss of reputation. Devices also provide an open gateway for malware, and malicious software can infect a device with lightning speed, destroying the integrity of data stored on it and on an organization’s network.
To address this issue, security needs to craft a BYOD strategy. Then, they should explore ways to use technology to protect company networks.
Although private networks and employer-issued devices offer the maximum protection, the high cost of this strategy makes it affordable only to organizations with deep resources. To achieve the efficiencies of BYOD without putting data at risk, there is a more cost-effective three-part strategy. First, establish the ownership of data on mobile devices. Second, create a BYOD user agreement, ensuring that an attorney has reviewed and approved the document. And third, state what actions will be taken to protect all nonpublic data. Each part should be put in writing, with staff and management confirming by signature their understanding of it and their agreement to comply.
Ownership. It is essential to declare that all information on an organization’s network belongs solely to the organization. This includes proprietary information and software as well as e-mail, contact lists, calendar dates, and any type of document. Likewise, all downloaded data is to remain private, to be shared only within the work environment. The downloading of any organizational data should require specific authorization. The uploading of data must also be controlled. With the increasing use of cloud-based storage services like Google Drive, Microsoft SkyDrive, and Dropbox, massive amounts of sensitive data can be uploaded effortlessly by a BYOD user at any time from any location. There must also be restrictions on other cloud-based services. As with in-house virtualization, cloud-based services offer users processing power, applications, and software-as-a-service (SaaS). Personnel may not use these services until management has determined that they are safe. A cloud-based service may have no bad intent but still have defects that could lead to data breaches.
User agreement. A BYOD user agreement is needed to govern how employees operate mobile devices in and out of the workplace. At the very least, the devices demand access protection controls. To ensure user authentication, each device must have its own private, unique, complex password that has to be changed at least every six months. Passwords should never be shared with other devices, family, friends, or coworkers. Simple, shared, and unsecured passwords must not be used. Lock screens and biometric scanners are other control possibilities. Since employees can commit a data breach on an Internet social network, what they may post online must be plainly defined. All posts must be truthful and free of privileged information. (Be mindful that employees have the legal right to express their opinions, whether or not they are unfavorable to their employer.) It is equally important to control what outside applications employees download. As mobile devices become more popular, hackers are turning their sights on these tempting, vulnerable targets. Another essential control, therefore, is insisting that all devices have antivirus software installed and kept updated, which sadly remains a novelty for smartphones and tablets.
Protection. All personnel should be informed of the assertive countermeasures taken by management to protect the organization’s privileged information. The right to investigate and erase any device connected to the organization’s network must be explicitly declared. Employees need to know that management will examine BYOD devices to detect breaches and, if necessary, will conduct a data wipe to erase data and applications. In some cases, devices will be erased remotely and without notice. Personnel consequently must agree to have the software that can execute data wipes installed on their devices. Personal files such as photographs could be lost forever if an employee has not backed up his or her data. Make sure that all staff members understand that a wipe is possible, especially for exiting personnel who are leaving under negative circumstances. An exit wipe should in fact be a standard part of an employee’s resignation or termination procedure, along with removing access to the network’s e-mail, information, and proprietary software.
After establishing a BYOD strategy, security should look to technology solutions to protect the corporate network. These solutions include establishing access privileges, mingling data, and enabling mobile device management.
Access. The ideal BYOD security solution is a private network that provides a secure, centralized, online workplace and grants access only to employer-owned devices that have rigorous, built-in controls. The most obvious and basic control would be the required use of a strong password. The most formidable control of this solution, though, is virtualization. This approach stores all data, settings, and processing on a server or servers, allowing BYOD devices to operate only as virtual viewers. Data and proprietary applications are blocked from being downloaded, ensuring that no data is stored and no enterprise application processing is conducted on a personal device. Also blocked is the uploading of any unapproved outside data or third-party software that could compromise a device or its network. Employees are not given the discretion to decide what is safe to upload onto their devices. The most innocuously perceived software, whether a playful game or a popular application, can have unintentional security flaws or, worse, be a veil for illicit hackers.
An example of this sort of approach is the new “Black” phone being launched by aerospace and defense contractor Boeing. The phone will have built-in BYOD controls, such as embedded hardware and software controls and a tamper-proof case. Any attempt to open the phone’s case will automatically delete the phone’s software and stored data. The Android-based device will be able to connect to a dedicated encrypted network but will also have the flexibility to connect with outside networks.
Mingling data. The method of limited separation, which allows the commingling of data, is clearly not the best protection for either an organization’s data or employees’ personal data. To secure all data and avoid legal implications from an aggrieved employee’s loss of personal data, steps have to be taken to segregate the two types of data. Short of virtualization, there is another way to maintain this critical divide. The walled garden technique uses an application installed on a digital device to separate an organization’s data from the BYOD user’s personal data. Although software that discerns professional from personal data is becoming more sophisticated, security managers must reiterate that there is no guarantee that personal data will be retained after a device is wiped.
Mobile device management. To prevent or mitigate data breaches from BYOD devices that have been compromised, stolen, or lost, a rising number of digital security vendors offer mobile device management (MDM). Besides performing remote locks and wipes, MDM applications can enforce password policies; track and locate BYOD devices; and block the downloading of suspicious applications and the uploading of sensitive data. All of these tasks can be done by an organization’s IT department or by vendors that offer off-site BYOD management. A key criterion for MDM applications is that they must be multiplatform. One of the reasons for the popularity of mobile devices is that users can choose the device they want regardless of the operating system. It is not unusual for an employee to have several smartphones or tablets, each using a different operating system. This variety creates a major obstacle to protecting vulnerable BYOD devices. In selecting an MDM application, an organization must be certain that it is compatible with all the devices that its employees use.
James Drumheller, CPP has a master’s degree in Protection Management from the John Jay College of Criminal Justice and works as a security supervisor at the Museum of Modern Art.