The number of employees using their personal devices for work-related purposes is hard to pin down. Let's just say there is at least an employee or two in every organization using personal devices at work, and be done with it.

Maybe that's true… maybe it isn't. The point is, and most of us know it, that enterprises are embracing the BYOD (bring-your-own-device) trend at a staggering pace.

By 2017, half of employers will require employees to bring their own devices for work-related purposes, according to Gartner. The report further highlights that BYOD is happening in governments and organizations of all sizes, but is most prevalent in larger and midsize companies. Its adoption is also allowing smaller businesses to go mobile without large service and device investments.

Another study, by Grand View Research, finds that the growing proliferation of tablets and smartphones will fuel a BYOD market projected to reach $238.39 billion by 2020. Falling device and hardware costs, along with the adoption of cloud services, are expected to have a positive impact on BYOD implementation. The study also notes that BYOD can drive small businesses towards improved profitability and job satisfaction.

The motivation behind the adoption is simple: prohibiting personal devices is becoming impractical, and accommodating them at the workplace is becoming practical. A BYOD policy is not daunting to set up, and it brings measurable benefits.

At the same time, BYOD faces a fair amount of criticism, with lax security at the forefront of concerns. ZDNet reports that security is the most common reason businesses give for avoiding BYOD at the office.

Moving corporate data across different networks and devices increases the risk to the enterprise network and opens sensitive doorways, because BYOD devices are beyond the reach of internal IT departments. The risk is compounded by the growth of unencrypted data on employee devices.

Enterprises make sure that their networks are encrypted and corporate data is prevented from getting into wrong hands. However, the multitude of employee devices and different operating systems fragment the encryption ecosystem and make centralized control a hassle.

That makes it difficult for internal departments to protect corporate data. The device belongs to the employee, so it is hard to enforce a specific behaviour. This is a problem, because employees may store sensitive company data on devices that may or may not have proper encryption in place.

BYOD encryption challenges

The main argument is that there is data in transit (data moving between the corporate network and the mobile device) and data at rest (data stored on the device after an employee downloads a corporate file), and both need encryption. The problem is that organizations, managers, employees, and even IT tend to treat the two as the same thing.

The opposite is true: you can encrypt the data traversing the Internet to and from your corporate network, but once that data lands on an employee device it can sit there unencrypted. Moreover, most organizations cannot track data effectively and simply hope their employees follow best practices.

This means there is no effective way of measuring the risk exposure from downloaded data that may land on an unencrypted device. Yet IT professionals often see no issue with leaving sensitive company information on smartphones, laptops and other devices protected only by a password.

No doubt, protecting a personal device with a strong password makes it harder for someone to gain unauthorized access and steal data, but a password is not encryption: if the device password is compromised, or simply bypassed by reading the storage directly, there is no second layer of protection, and an attacker can read the corporate data and gain unauthorized access to the company network.

Instances of data loss & penalties

The wide adoption of laptops, mobile devices and tablets across industries, combined with breaches involving unencrypted devices, has produced several examples of BYOD-related data loss and penalties. The following organizations suffered reputational damage, regulatory backlash and financial loss because employee devices were not encrypted.

Horizon Blue Cross Blue Shield

Last year, two unencrypted laptops that were cable-locked to staff workstations at the insurer Horizon Blue Cross Blue Shield of New Jersey headquarters were stolen, resulting in a security breach that potentially affected 840,000 people.

The organization failed to encrypt protected health information and found it difficult to convince regulators that leaving the data unencrypted was a reasonable and appropriate choice. Under the HIPAA Omnibus Rule, penalties for such non-compliance can reach $1.5 million per year for violations of the same provision.

Coca-Cola

Earlier in the year, the theft of unencrypted laptops at Coca-Cola exposed the data of 74,000 former and current employees. The WSJ revealed that financial compensation, addresses, social security numbers and the ethnicity of the individuals were among the data compromised.

This breach raised questions such as why information of that sensitivity was outside the enterprise firewall at all, and why it wasn't encrypted. Coca-Cola said the company's policy is to encrypt all laptops, but the stolen laptops were not protected. In a memo to employees, the company did not explain why these laptops had escaped its strict encryption policy.

It may be that the laptops connected over a VPN and the data was inadvertently saved unencrypted to the local drives; whatever the cause, the fact remains that the encryption policy failed in this instance.

What needs to be done?

These breach incidents highlight the vulnerability of unencrypted laptops and other devices brought into the workplace, and serve as a reminder of the significant risk they pose to the security of customer information.

According to Ken Hess in ZDNet's security trend watch, encryption provides one of the most robust defenses against breaches of data moving between networks. He reports that it is the most widely deployed risk control measure, and a direct response to the primary concern of IT professionals and organizations joining the BYOD bandwagon: data loss resulting from unauthorized access.

Encryption, he writes, is there to ensure the safety of all mobile devices (not only BYOD ones) and is a major step in the right direction, but only if implemented correctly. Organizations that let employees use the same device for work and personal purposes therefore need proactive encryption measures to reduce business risk.

No matter what physical safeguards protect devices tied to workstations, there will always be risks, whether from insiders or from people with access to locked facilities. There is no substitute for encryption and similar data loss protection technologies that keep data in a central location and render it useless to anyone who tries to access it without authorization.

Companies also need to address how to control, protect and secure data after it has been downloaded and processed on an employee device. Whether the need is driven by compliance requirements for data encryption, safeguarding corporate data, maintaining data residency, or navigating the ambiguity of legal data protections in the workplace, organizations need to retain ownership and control of their data when it resides on personal devices.

To ensure protection, organizations need to encrypt data for the entire data lifecycle (in transit and at rest). And to prevent unauthorized access and keep the encryption intact through a breach, the organization's IT department, not the device and not a third-party service, should control the encryption keys.

With the keys held by the organization, a third party that stores or transmits the data (a cloud provider, for instance) never sees sensitive customer information in unencrypted form, and corporate data remains unreadable to an adversary who gains unauthorized access to it, or to anyone who obtains it from that third party, even under a government request to disclose data.

Even if company policy forbids employees from storing sensitive information on personal devices, encryption is still important. The applications used on phones, laptops and tablets to access the company network often cache corporate data to improve response time. Unless that cache is encrypted, the data could be exposed if the device is stolen or compromised.
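Concretely, the in-transit versus at-rest distinction above and the point about IT controlling the keys both come down to where the key lives. The following Go program is an added example, not code from the article or from any product it mentions. It uses envelope encryption, a per-file data key wrapped under an organization-held key-encryption key (KEK), as one way to implement "IT controls the keys"; that scheme, the MDM agent assumed to release the KEK per session, the file identifiers and the sample HR record are all assumptions or constructed input, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// EncryptedFile is what actually lands on the employee's device: the file
// ciphertext plus a per-file data key wrapped under the organization's
// key-encryption key (KEK). Without the KEK, which IT holds and never writes
// to the device, neither part is usable.
type EncryptedFile struct {
	FileID     string // bound into both AEAD calls as associated data
	FileNonce  []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedKey []byte // data key encrypted under the KEK
}

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, authenticating aad.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and verifies; a wrong key, tampered ciphertext or mismatched aad fails.
func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// EncryptForDevice runs on the corporate side before a file is released to a
// device: generate a random 256-bit data key, encrypt the file with it, wrap the
// data key under the org KEK, and discard the plaintext data key.
func EncryptForDevice(kek, plaintext []byte, fileID string) (EncryptedFile, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return EncryptedFile{}, err
	}
	fileNonce, ct, err := seal(dataKey, plaintext, []byte(fileID))
	if err != nil {
		return EncryptedFile{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dataKey, []byte(fileID))
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{fileID, fileNonce, ct, wrapNonce, wrapped}, nil
}

// DecryptOnDevice is the read path. The KEK is assumed to be released per session
// by the MDM agent only while the device is enrolled and compliant; a device that
// never received it, or had it revoked, holds only random-looking bytes.
func DecryptOnDevice(kek []byte, f EncryptedFile) ([]byte, error) {
	if len(kek) == 0 {
		return nil, fmt.Errorf("no key released to this device")
	}
	dataKey, err := open(kek, f.WrapNonce, f.WrappedKey, []byte(f.FileID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, f.FileNonce, f.Ciphertext, []byte(f.FileID))
}

func main() {
	kek := make([]byte, 32) // org-held KEK; assumed to live in IT's key management system
	io.ReadFull(rand.Reader, kek)
	record := []byte("employee=jdoe;ssn=000-00-0000;comp=123456") // constructed sample, not real data
	f, _ := EncryptForDevice(kek, record, "hr/compensation.csv")

	pt, err := DecryptOnDevice(kek, f) // enrolled, compliant device
	fmt.Printf("enrolled device: %q err=%v\n", pt, err)
	_, err = DecryptOnDevice(nil, f) // stolen device: key never released, or revoked
	fmt.Println("stolen device, no KEK:", err)
	moved := f // ciphertext copied under another file name: AAD check fails
	moved.FileID = "hr/other.csv"
	_, err = DecryptOnDevice(kek, moved)
	fmt.Println("relabelled file:", err)
}
```

The design choice worth noting is that revocation needs no contact with the stolen device: IT stops releasing the KEK, and everything already cached on that device stays ciphertext. Binding the file identifier as associated data also stops an attacker from splicing a wrapped key from one file onto another.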

Conclusion

BYOD encryption policy is still in its early phase, but it is quickly becoming a necessity. In the coming years, building a comprehensive strategy will be about more than selecting an Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solution: organizations should gear up to provide a scalable encryption framework using tools and software that encourage agility.

Mobile devices should be allowed, with the goal of encrypting data at rest and limiting how much of it exists on the device in the first place, so that sensitive data persists on the central network and company servers rather than on the device.

Expect the organizations that combine strict encryption practices with BYOD security training for employees, and that adopt trusted operating systems able to hold information at multiple classification levels on one device, to gain a competitive edge in their industries. That edge will show most clearly in avoiding data loss and the regulatory fines that follow a breach.

References

  1. http://www.gartner.com/newsroom/id/2466615
  2. http://www.grandviewresearch.com/press-release/global-bring-your-own-device
  3. http://www.zdnet.com/byod-grows-but-disagreement-remains-over-who-should-take-the-blame-for-security-lapses-7000017383/
  4. http://aishealth.com/archive/nblu1213-04
  5. http://online.wsj.com/news/articles/SB10001424052702303277704579345101243603912
  6. http://www.zdnet.com/the-top-five-trends-in-mobile-and-byod-security-7000014226/
  7. http://www.sans.org/reading-room/whitepapers/analyst/regulations-standards-encryption-applies-34675
  8. https://www.pkware.com/Blog/2014/05/22/locked-in-keeping-your-enterprise-encryption-keys-in-order