Bringing Down Security Risks With A BYOD Encryption Policy

August 4, 2014 by Dan Virgillito

The number of employees using their personal devices for work-related purposes is absurd. Let's just say there's an employee or two in every organization using personal devices at work, and be done with it.

Maybe that's true… maybe it isn't. The point is – and most of us know it – enterprises are embracing the BYOD (bring-your-own-device) trend at a staggering pace.

By 2017, half of employers will require employees to bring their own devices for work-related purposes, according to Gartner. The report further highlights that BYOD is happening in governments and organizations of all sizes, but is most prevalent in larger and midsize companies. Its adoption is also allowing smaller businesses to go mobile without large service and device investments.

Another study by Grand View Research finds the growing proliferation of tablets and smartphones is expected to fuel the BYOD market, which is expected to reach $238.39 billion by 2020. Reduced device and hardware cost along with the adoption of cloud services are expected to have a positive impact on BYOD implementation. The study also noted that BYOD can drive small business towards improved profitability and job satisfaction.

The motivation behind the adoption is simple: it's becoming impractical to prohibit personal devices and more practical to use them at the workplace. BYOD policies aren't daunting to configure, and embracing them results in measurable benefits.

But at the same time, BYOD faces a fair amount of criticism, with lax security at the forefront of concerns. ZDNet says security is the most common reason businesses avoid BYOD at the office.

The moving of corporate data across different networks and devices increases security risks to the enterprise network and opens sensitive doorways. This is because BYOD devices are beyond the reach of internal tech departments, and the risks are compounded by the growth in 'unencrypted data' on employee devices.

Enterprises make sure that their networks are encrypted and that corporate data is prevented from getting into the wrong hands. However, the multitude of employee devices and different operating systems fragments the encryption ecosystem and makes centralized control a hassle.

That makes it difficult for internal departments to protect corporate data. The device belongs to the employee, so it is difficult to enforce a specific behavior. This is problematic, as employees may store sensitive company data on devices that may or may not have proper encryption mechanisms in place.

BYOD encryption challenges

The main argument is that there's data in transit (the data being transferred from the corporate network to mobile devices) and data at rest (the data stored after an employee downloads a corporate file), and both need encryption. The problem is that organizations, managers, employees, and even IT assume they are the same.

The opposite is true: you can encrypt the data traversing the Internet from and to your corporate network, but when the data lands on an employee device, it can be unencrypted. Also, most organizations can't track data effectively and hope their employees follow best practices.

This means there is no effective way of measuring the risk exposure from the downloading of data, which could land on an unencrypted device. Often, though, IT professionals have no issues with the idea of leaving sensitive company information on smartphones, laptops and other devices protected only with a password.

No doubt, protecting personal devices with strong passwords makes it difficult for someone to gain unauthorized access and steal data, but if the device-level password is somehow compromised, there is no second level of security, so a hacker can easily get in to steal corporate data and gain unauthorized access to the company network.
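The gap described above, as an added example that is not part of the original article: a download can be encrypted in transit and still land on a device whose storage is not encrypted. The inventory and log formats, field names and sample rows are constructed assumptions, not the output of any particular MDM or gateway product.

```python
import csv
import io
from collections import defaultdict

# Constructed device inventory, as an MDM/EMM export might look (hypothetical fields).
INVENTORY_CSV = """device_id,owner,os,storage_encrypted
D-100,alice,iOS,true
D-101,bob,Android,false
D-102,carol,Windows,true
"""

# Constructed gateway download log (hypothetical fields). tls=true means the
# transfer was encrypted in transit; it says nothing about the device's storage.
DOWNLOADS_CSV = """timestamp,device_id,file,classification,tls
2014-08-01T09:12:00Z,D-100,payroll.xlsx,restricted,true
2014-08-01T09:40:00Z,D-101,payroll.xlsx,restricted,true
2014-08-01T10:05:00Z,D-101,lunch-menu.pdf,public,true
2014-08-01T11:30:00Z,D-999,customers.csv,restricted,true
2014-08-01T12:00:00Z,D-102,customers.csv,restricted,false
"""

SENSITIVE = {"restricted", "confidential"}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def exposure_report(inventory_rows, download_rows):
    """Return sensitive downloads that are unprotected in transit or at rest."""
    encrypted = {r["device_id"]: r["storage_encrypted"] == "true" for r in inventory_rows}
    findings = defaultdict(list)
    for d in download_rows:
        if d["classification"] not in SENSITIVE:
            continue
        dev = d["device_id"]
        if d["tls"] != "true":
            findings["in_transit_unencrypted"].append((dev, d["file"]))
        if dev not in encrypted:
            # Unenrolled device: at-rest state is unknown, so count it as exposed.
            findings["at_rest_unknown_device"].append((dev, d["file"]))
        elif not encrypted[dev]:
            findings["at_rest_unencrypted"].append((dev, d["file"]))
    return dict(findings)


if __name__ == "__main__":
    for category, items in exposure_report(load(INVENTORY_CSV), load(DOWNLOADS_CSV)).items():
        print(category, items)
```

Every sensitive download to D-101 and D-999 used TLS, yet both appear in the report, which is the transit-versus-rest distinction in measurable form.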

Instances of data loss & penalties

The confluence of laptops, mobile devices and tablets being widely adopted across different industries and security breaches involving unencrypted devices has resulted in several examples of BYOD-related data loss and penalties. What follows are organizations that suffered reputational damage, regulatory compliance backlash, and financial loss because of employee device encryption negligence in the workplace.

Horizon Blue Cross Blue Shield

Last year, two unencrypted laptops that were cable-locked to staff workstations at the headquarters of the insurer Horizon Blue Cross Blue Shield of New Jersey were stolen, resulting in a security breach that potentially affected 840,000 people.

The organization failed to encrypt protected health information and found it difficult to convince regulatory authorities that it was appropriate and reasonable not to encrypt data. The HIPAA Omnibus Rule states that penalties for such non-compliance can go up to $1.5 million for each violation.

Coca-Cola

Earlier in the year, the breach of unencrypted laptops at Coca-Cola affected 74,000 former and current employees. The WSJ revealed that data like financial compensation, addresses, social security numbers and ethnicity of the individuals was also compromised.

This breach raised questions such as why information of such sensitivity was beyond the enterprise firewall, and why it wasn't encrypted. Coca-Cola said the company's policy is to encrypt all laptops, but the stolen laptops were not protected. In a memo addressed to the employees, the company didn't explain why the compromised laptops weren't subject to the company's strict encryption policy.

It may be that the laptops had a VPN connection and the data was inadvertently saved unencrypted to the local drives, but the fact remains that the BYOD encryption policy failed in this instance.

What needs to be done?

The security breach incidents highlight the vulnerability of unencrypted laptops and other devices brought into the workplace and serve as a reminder of the significant risks they pose to the security of customer information.

According to Ken Hess in ZDNet's security trend watch, encryption provides one of the most robust defenses against security breach incidents between different networks. He reports that it's the most widely deployed risk control measure, and a direct response to the primary concern of IT professionals and organizations joining the BYOD bandwagon: data loss resulting from unauthorized access to data.

Encryption, he writes, is to ensure the safety of all mobile devices (those beyond BYOD too) and is a major step in the right direction – but only if implemented correctly. This implies that proactive encryption measures are required in organizations that enable employees to use the same device for non-work and work-related purposes to remove business risk.

No matter what physical safeguards are in place to protect the devices tied to workstations, there will always be risks, whether those are insider threats, or people who have access to locked facilities. As a result, there is no substitute for encryption and other similar data loss protection technologies that make sure the data is kept at a central location and is rendered useless when an unauthorized individual tries to access it.

Companies also need to address the concern of how to control, protect and secure data after it is downloaded and processed by an employee device. Whether the need is driven by concerns to meet compliance requirements for data encryption, safeguarding corporate data, maintaining residency of corporate data, or navigating the ambiguity of legal data protections in the workplace, these organizations need to take measures to retain ownership and control of their data when it resides on personal employee devices.

To ensure protection, organizations need to implement encryption for the entire duration of the data lifecycle (in-transit and at-rest). And to prevent unauthorized access and maintain the encryption in case of a security breach, the IT department of the concerned organization should take control of encryption keys.

Therefore, an organization never has access to sensitive customer information in an unencrypted form, and an organization's corporate data remains unreadable if an adversary tries to gain unauthorized access – or even if the organization receives a government request to disclose data.

Even if a company's policy does not allow employees to store sensitive information on personal devices, encryption is still important. The applications used on mobiles, laptops and tablets to access the company network often cache corporate data to improve the application's response time. Unless encrypted, the data could be potentially exposed if a device is stolen or compromised.

Conclusion

BYOD encryption policy is still in its early phase, but is quickly becoming a necessity. Building a comprehensive strategy, in the coming years, will be about more than just selecting an Enterprise Mobility Management or a Mobile Device Management solution – organizations should gear up to provide a scalable encryption framework using tools and software that encourage agility.

Mobile devices should be allowed, with the goal of encrypting as well as limiting the presence of data at rest, so that sensitive data persists on the central network and company servers instead of on a device.

Expect organizations that combine strict encryption protocols with BYOD security training for their employees and adoption of trusted operating systems that allow information with multiple classification levels to be stored on devices to gain a competitive edge in their industries, especially when it comes to avoiding data loss and the regulatory fines associated with security breaches.

References

  1. http://www.gartner.com/newsroom/id/2466615
  2. http://www.grandviewresearch.com/press-release/global-bring-your-own-device
  3. http://www.zdnet.com/byod-grows-but-disagreement-remains-over-who-should-take-the-blame-for-security-lapses-7000017383/
  4. http://aishealth.com/archive/nblu1213-04
  5. http://online.wsj.com/news/articles/SB10001424052702303277704579345101243603912
  6. http://www.zdnet.com/the-top-five-trends-in-mobile-and-byod-security-7000014226/
  7. http://www.sans.org/reading-room/whitepapers/analyst/regulations-standards-encryption-applies-34675
  8. https://www.pkware.com/Blog/2014/05/22/locked-in-keeping-your-enterprise-encryption-keys-in-order

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.