Recently, we went to a lunch that featured a speaker from a leading IT services firm. The speaker was once the CTO of a company, and he told us that his IT department implemented a hard security strategy with their employees. They did not allow any employee to download any unapproved applications or access any unapproved websites. Although this strategy was not popular with the employees, it did dramatically reduce the number of IT-related issues with employees’ hardware and with how their work applications performed. Their devices ran fast and were never down due to security slowdowns. This type of high-security strategy would not work with BYOD. It is difficult to dictate what people can and cannot do with their own devices, or is it? This is a question that needs to be fully discussed.
Bring your own device, or BYOD, increases flexibility at work and saves money. But BYOD’s effect on an organization’s network can bring headaches to an IT department. The rule of thumb for everything security is that an organization’s systems are only as safe as the least secure BYOD. Solutions for protecting an organization’s infrastructure often lie in its IT policies.
Bring Your Own Device Basics
If the organization allows the use of personal devices, employees have the ability to work at any time and from any location, including their homes. Also, employers need not purchase hardware and up-to-date tools and services. After all, employees often already own many of these tools. The first issue with BYOD is that employees might not have the robust security protocols on their devices that a company might have in place. So, these BYODs often make an organization’s data vulnerable to cyber attacks.
Avoid Data Leakage
Data leakage occurs when external or unauthorized entities get a glimpse of company information. This might include lower-level data such as your customer demographics, mid-level data such as personal customer data, or data as high-level as the company’s secrets. BYOD usually enables remote access to an organization’s networks and the data within. Remote access usually includes the use of external email systems, relaying files via less secure access points, including text messages, and collaborating via file-sharing applications. While BYOD brings convenience to an organization’s environment, it sets the stage for data leakage to occur.
As employees’ personal and business lives blur, opportunities for data leakage increase. For example, employees might connect via social media and share information about their companies or their jobs. Some of this information should remain within the companies’ cyber walls. But now, the employees’ connections and friends can view this information. If employees use hot-spots to access company data, the data sent over these access points may also be compromised, leading to data leakage.
Data leakage is not always a measure of an employee’s oversight or carelessness. For example, employees often use file-sharing applications to transfer files to each other. These applications are also useful for project collaboration. But criminals lurking in Internet cavities love file-sharing applications. This is because they can trick unsuspecting employees into downloading and sharing mislabeled files, which might contain malware.
• The Solution
Organizations must overhaul their policies and include procedures for using and distributing company information. They must set clear boundaries for the use of, and communication about, their data. Policies must address employees’ permissible use and sharing of company information. Furthermore, policies must also include repercussions for violations of these policies.
Protect Against Outdated Applications and Devices
The latest version of an application or device often contains fixes for vulnerabilities in older versions. IT departments often have protocols in place to update the company’s systems and applications. But, employees aren’t always as diligent with their personal devices. So, malware can hitch a ride via old applications and devices and then wreak havoc on the company’s network.
• The Solution
Set protocols to check any device that connects with the company’s network for security risks. Employees might bark the moment IT staff mentions remote monitoring of their devices. The fear of “big brother watching” is real. But if BYODs are to be a part of the company’s environment, companies must monitor these devices and protect their systems.
Mitigate Problems Stemming from Lost or Stolen Devices
It happens. Employees sometimes misplace their devices. Other times, thieves steal the devices. The “lucky new owner” is likely not authorized to view the company’s information. Because employees often store passwords in their devices, the new owner now has access to the company’s network. Keep in mind that this new owner is under no obligation to secure the device from cyber attacks.
• The Solution
Company policies must include procedures that enable employees to report lost or stolen devices. This reporting must be available at any time of the day and on any day, including when the company is closed for business. The company must then follow up with protocols that remotely wipe data that is on a device and any links to the company’s network. Employees might be reluctant to allow the company to have that type of power over their device, for fear of losing their personal information. But it’s crucial that companies include this process in their policies as a way to mitigate the risks associated with lost and stolen devices.