The BYOD (Bring Your Own Device) phenomenon is expanding at an incredible rate. It is something that affects every business, from the smallest to the largest. How each business is dealing with BYOD ranges from complete apathy to a full embrace of it with sophisticated processes and controls in place to maximize employee productivity while minimizing risk to the business.
The goal of this article is to give you the information you need to get control over how employees are using their own personal devices to access, store, and communicate business-owned information in the course of doing their jobs.
Even if you’ve never heard the term BYOD before, you are almost certainly aware of it.
Until a few years ago, the way most businesses gave their employees mobile access to corporate resources such as email was to issue them a device, with Blackberry devices being very popular because of their strong central management capabilities. The company would completely control the configuration, use, and security of the devices because the devices belonged to the company.
Recently the mobile devices that are marketed to consumers, which individuals are buying for their own personal use, contain sophisticated capabilities to do email, access documents over a network, run web-based intranet apps, and beyond. Employees having already bought such a device for their own personal use would much prefer to use that device for their business dealings rather than carry a separate company-issued device.
The reason that BYOD is something you need to be aware of and to deal with is that the pressure from employees to support it will only continue to grow. If your company were to completely suppress BYOD by allowing only company-issued and owned devices and completely banning the use of personal devices, you will eventually not be able to avoid the fallout of your employee’s frustration. Most employees are dedicated to their employer’s goals and have the best of intentions and want to get their jobs done in the most efficient way possible. If you take away a popular means for increasing their efficiency, they will eventually be more attracted to other companies that are not as restrictive.
But embracing BYOD for the sake of your employee’s productivity and good morale does not have to mean simply swinging the barn door wide open and letting it be a free-for-all. There are steps you can take to put processes in place, and tools to enforce elements of those processes, that will allow your employees to use their personal devices to be productive while minimizing the security risks to your company. For more information on enterprise security and the processes discussed in this article, check out our Certified Information Security Manager (CISM) certification program.
1. Know who is accessing your network and your data
This seems obvious but needs to be said. Regularly review what accounts are active for your email service, your VPN, intranet applications with their own user databases, etc. Are there any accounts active for anyone that shouldn’t have access (former employees, contractors, etc.)? Are there any accounts with unusual activity such as a high number of unsuccessful logins? Do you have any open access to business data that does not require any authentication?
This is not necessarily specific to mobile devices – you should already be aware of all the openings on your network. This includes anywhere that someone may obtain access to corporate data, and you should be monitoring the access made by any type of endpoint.
2. Know what data can be accessed remotely
Some information your company keeps that employees use for their job is not at risk of loss because it has no special value that would be compromised in the hands of outsiders. Other information is extremely valuable and must be guarded carefully.
It is helpful to prioritize the relative risk of the data that can be accessed through each portal to the outside world. Obviously, you’ll want to put more effort into controlling access to those places that have the most sensitive data and may want to put less effort, or even no effort, toward controlling access to places with low-risk data.
3. Know how employee devices are configured
Mobile devices are of particular concern when it comes to corporate data because of their high susceptibility to physical loss. Any data that the employee rightly needs access to in order to do their job is a liability if the device were to fall into someone else’s hands. In addition to the risk of their form factor, there is additional risk of data loss through electronic means. Vulnerabilities exist in all of the popular mobile device platforms.
The most immediate and effective line of defense is to minimally ensure that each device that is used to access your network is properly configured to reduce the risk of data loss from that device. The appendix suggests some specific settings that should be checked, and there are a number of other sources that give specifics on safe configuration. But the most important part is that you are using some method to ensure that employees have their devices securely configured. This brings us to the next tip:
4. Use a management and/or audit tool
The most basic way to ensure that employees are safely configuring their devices would be to give them verbal or written instructions on how to do this and expect adherence to the policies. But there are potential problems with this approach:
Employees, even the diligent ones, tend to forget about instructions – unless rigorous training is provided which makes the instructions become like second nature.
They may follow the instructions after they are first communicated, but then forget about them over time and let their devices drift into more risky configurations.
You’ll have better piece of mind if you have a way of knowing for certain that your instructions are being followed, rather than simply trusting that they are.
The best approach is to use a tool that can automatically report a device’s configuration and help or force employees to keep them securely set. The best of these tools should give you good insight into how employee devices are configured and where they deviate from the policies you’ve set for proper configuration. They should also aid in bringing employee devices in line with your desired configuration – either by guiding the employees to properly set their configuration, or by setting it for them.
The tools most commonly recommended today are MDM (Mobile Device Management) tools. However, MDM tools are a somewhat heavyweight solution and might be more than what is needed for a lot of smaller organizations.
There is an alternate approach that may be more suited to BYOD because it does not take control of the employee’s device. This new class of tools provides Mobile Device Auditing, which reports on current device configurations, but does not take complete control of the device. These tools may be a more lightweight approach to getting a handle on BYOD devices and may be more popular with your employees.
5. Communicate clearly with your employees
It is important that employees using BYOD are told clearly what type of monitoring and/or control of their devices is being employed. For example:
- What data is being monitored?
- What settings may be automatically modified?
- How will information about their devices be used by the company?
- What is the data retention period?
If you are auditing or controlling employee devices in any way, you will likely need to have a written agreement that clearly spells out what information you are able to view or modify on their device.
It is also important that employees are aware of what their responsibilities are. For example:
- Keeping the device’s security configured
- Immediately reporting any suspicious activity
- Immediately reporting if the device is lost or a data breach is suspected
- Ensure that any agent used for company auditing is kept in working order
6. Be sure whatever tools you use do not compromise the privacy of the user’s device
Remember that BYOD devices, even though they are used for accessing your business’s data, still belong to the employee. It is important to strike a balance that meets the needs of both parties. You need a way of being reassured that the device is configured and used in a secure way that reduces the risk of loss of your company’s information. They need to be able to use the device for their personal use in any way that doesn’t directly compromise the security of business data.
Employees will be much happier if they know that their employer does not have access to information and content that they don’t have a valid need to access. This might include GPS locations, contents of personal communications i.e., text messages or email on a non-business account, etc.
Note that most MDM systems will take control of the device. In order for them to know the current configuration state, they push changes to the device to set the configuration as dictated by the security policy. This may result in pushback from employees who are willing to let employers monitor the basic configuration settings but do not want modifications to be forced on their device. If you are at all concerned about this, look into using a Mobile Device Auditing tool rather than a traditional MDM system.
7. Have a plan for how to handle any data breach
The best approach to reducing the risk of data loss is to realize that you are looking to reduce risk, not eliminate it entirely. It would be cost prohibitive, not to mention impossible, to completely eliminate the risk of any data breach whatsoever. The tips above are structured around identifying where risk is the greatest and putting the most effort towards those areas with the most risk.
Since your risk is reduced and not entirely eliminated, you do need to be prepared for what to do if there ever is a data breach. Think about who should be notified, what immediate configuration changes should be made to effected systems, what forensic activities you might be able to take, etc. Create a written plan so you can follow your plan effectively during what might be a stressful time.
But the stress should not be too overwhelming, because by following the rest of these tips you’ve reduced the risk of the most costly situations as much as possible.
8. Audit regularly
It is important that all of the actions outlined in the tips above be revisited regularly over time. Your IT systems are sure to change over time and it is important to keep your processes and tools up-to-date with the current state of your business information systems.
9. Plan for eventually having to prove compliance with your policies
You may already be doing this for your traditional server and desktop endpoints. You may be required to report to an outside authority on compliance with a regulation such as HIPAA, PCI, Sarbanes Oxley, etc. You may also need to report internally to your own company’s auditors that want to ensure a certain level of diligence around IT security.
This activity will inevitably extend to cover mobile devices the way it is currently used for traditional systems. It is only a matter of time before regulations are extended to insist on controls over access to your network from mobile devices. If you are already diligently following procedures such as the ones given in these tips, you will be well prepared for dealing with this eventuality.
10. Enjoy a happier workforce and greater piece of mind for your efforts
Putting in place the types of procedures mentioned here will require planning, effort, and resource expenditure. But take solace in knowing that it will all pay off. Your company’s executives will be happy that you have systematically reduced the risk of damaging data loss, and your employees will be thrilled that you are working with them to be as productive as possible rather than having them feel that you are an impediment to their success.
Appendix: Top configuration settings to reduce risk
There are a number of resources on how to securely configure mobile devices. Here are a few for the Android:
There are a number of organizations that publish expert recommendations on how to configure systems securely. Traditionally these recommendations have been about the configuration of server and desktop systems. It is expected that in the near future they will be publishing recommendations on secure configurations for mobile devices. These are some resources to keep an eye on:
- CIS (Center for Internet Security): http://www.cisecurity.org/
- NIST (National Institute of Standards): http://csrc.nist.gov/groups/SMA/fisma/index.html
- COBIT: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
- PCI (Payment Card Industry standards): https://www.pcisecuritystandards.org/
- ISO (International Organization for Standardization): http://www.iso.org/iso/catalogue_detail?csnumber=42103
Until the security experts begin publishing detailed configuration specifications, the following short list would be a good starting point of things to check for on BYOD devices:
1. Ensure devices have a screen lock set
If you do nothing else, be certain that any device used by an employee for access to business data has a screen lock of some sort set. Devices are easily lost and without a screen lock, anyone who finds it will have open access to everything on it.
Platforms like Android offer various different kinds of screen locks. If there is a biometric lock, such as a fingerprint swipe, then that is the best option (but be aware that the face recognition in Ice Cream Sandwich has some vulnerabilities). A PIN lock is best after that, using four digits or more. And a swipe pattern is better than nothing, but be aware of the smudge problem.
Also be sure to set the screen lock timeout to a low number so the lock will engage shortly after the screen is turned off.
2. Do not allow rooted devices
Any device that is rooted is vulnerable in many ways. These devices should not be allowed for use as a BYOD.
3. Ensure that all apps are kept up to date
Just as in the traditional desktop world, security holes are discovered all the time in various applications and most vendors are diligent about patching holes as soon as they are discovered. Any apps that are installed on the device should be kept up-to-date with the latest version.
4. Don’t allow non-market apps
On iOS devices there is no way to install non-market apps and all the apps are carefully analyzed by Apple. But some Android devices allow installing apps that do not come directly from the Android Market, i.e., by attaching the device to a debugger using a USB tether you can install apps on Android flavors. Even though Google does not analyze apps in the Android Market nearly as thoroughly as Apple, it still keeps a lookout for problem apps and will remove those it finds to be malicious. Sticking to the official market is better than taking apps from any source.
5. Insist that credentials are not stored in clear-text
A mobile device is the perfect PIM (Personal Information Management) environment because of its portability. That makes it the obvious place to store all of your various login credentials for the various websites and systems you regularly access. Should the device be compromised, this would obviously be particularly sensitive information. Be sure to use an application like OI Safe that stores data in an encrypted form.
6. Don’t allow Wi-Fi connections other than to your own network
Open Wi-Fi networks can be vulnerable to sniffing, as well as other attacks. In general it’s best not to use open Wi-Fi networks. Ideally, devices should only be using the company Wi-Fi network for business access.
7. Disable development features
On an Android device, development features such as USB debugging and mock locations should be off to prevent tampering.