
From the magazine: Finding the Middle Ground in BYOD

As personal and corporate communication lines blur, data security rises to the fore


It appears easy enough from a distance. Provide access to corporate data to employees so they can work from anywhere using whatever devices they have at hand.

In reality, Bring Your Own Device (BYOD) is a complex undertaking fraught with cybersecurity risks. 

From leaky mobile apps to tricky phishing emails to well-crafted social engineering messages, there are various ways in which mobile devices can be attacked to siphon off data.

Symantec’s latest Internet Security Threat Report (ISTR) found that mobile malware attacks have increased by 33% compared to 2017 and that one of the biggest threats to mobile cybersecurity remains high-risk apps. In fact, the report found that one in every 36 mobile devices had a high-risk app installed, posing a significant challenge for IT departments.

Apps are so easy to download and use that IT security does not have the visibility across the network to know what is being used and on which endpoints, observes Gordon Love, vice president of Symantec EMEA Emerging Region.

Similarly, it is too hard to keep up with the number of current apps as well as old, vulnerable versions. “Without visibility, teams can’t take corrective action to contain risk. IT needs a way to stop unapproved apps from being used. And even when IT has finally gathered all this information, addressing new apps or exceptions to the rules is a long, manual process,” Love adds.


MDM

At the most fundamental level, organisations pursuing a BYOD strategy should have a Mobile Device Management (MDM) platform in place.

A proper MDM platform is a holistic enterprise mobility management solution that lets businesses spend less time and effort managing and securing traditional and mobile endpoints. It also includes a mechanism to keep all the keystones together: productivity, privacy, security and compliance, says Harish Chib, vice president, Middle East & Africa, Sophos.

Products such as Symantec’s Mobile Device Security (MDS) service apply policy controls regardless of the device used or where it is located, on or off the corporate network, and do so with the low-touch benefit of a cloud service.

Unlike device-level solutions that simply block entire applications on personal devices, Symantec’s MDS service allows users to enable mobile devices by applying application and operational controls across both native mobile and mobile browser applications, says Love.

Symantec Endpoint Protection (SEP) Mobile, a mobile threat defence service that protects mobile endpoints from malware, malicious networks, zero-day threats and other attack paths, helps organisations protect both BYOD and corporate-owned devices.

The second step is to have a corporate mobile security policy in place.

Chib says organisations must implement security policies that incorporate both IT requirements and user requirements.

On the IT side, organisations must ensure that devices run the latest operating system; that all user-saved passwords on a device are kept in an encrypted password store; that each device has a secure passcode that complies with the company password policy; and that only devices managed by IT are allowed to connect to the internal corporate network.

For users, security teams need to ensure that employees load only the data essential to their job onto a mobile device; that lost or stolen devices are reported to the company immediately; that a device is never connected to a PC that lacks up-to-date, enabled anti-malware protection or that does not comply with corporate policy; that corporate workstations are not used to back up or synchronise device content such as media files unless that content is required for legitimate business purposes; and that devices are kept up to date with patches from the manufacturer or network provider. As a minimum, patches should be checked for weekly and applied at least once a month.
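The IT-side requirements above (current OS, a passcode that meets policy, IT-managed enrolment, patches checked weekly and applied monthly) are exactly the rules an MDM or network access control evaluates before admitting a device. The Python below is an added example written for this page, not code from Sophos, Symantec or the article: it scores constructed inventory records against those rules and returns the violations that would keep a device off the internal network. The record fields, version thresholds, fixed evaluation date and sample devices are all assumptions chosen for illustration.

```python
"""Policy-as-code check for BYOD device posture.

Added example. The DeviceRecord fields and the thresholds below are
assumptions for illustration, not any vendor's MDM schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Lowest OS version that still counts as "latest" for policy purposes.
# Assumed values; an operator would bump these as releases ship.
MIN_OS_VERSION = {"ios": (17, 3, 0), "android": (14, 0, 0)}
MIN_PASSCODE_LENGTH = 6                   # company password policy (assumed)
PATCH_CHECK_MAX_AGE = timedelta(days=7)   # "checked weekly"
PATCH_APPLY_MAX_AGE = timedelta(days=30)  # "applied at least once a month"
TODAY = date(2024, 3, 1)                  # fixed so the sample run is reproducible


@dataclass
class DeviceRecord:
    device_id: str
    platform: str             # "ios" or "android"
    os_version: str           # dotted string as reported by the agent
    mdm_enrolled: bool        # True only when the device is managed by IT
    passcode_set: bool
    passcode_min_length: int  # passcode length enforced on the device
    last_patch_check: date
    last_patch_applied: date


def parse_version(text: str) -> tuple:
    """'17.3' -> (17, 3, 0): pad to three numbers so tuple comparison is safe."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def evaluate(dev: DeviceRecord, today: date = TODAY) -> list:
    """Return the list of policy violations; an empty list means the device may connect."""
    violations = []
    if not dev.mdm_enrolled:
        violations.append("not enrolled in MDM")
    minimum = MIN_OS_VERSION.get(dev.platform.lower())
    if minimum is None:
        violations.append(f"unsupported platform {dev.platform}")
    elif parse_version(dev.os_version) < minimum:
        violations.append(f"OS {dev.os_version} below minimum")
    if not dev.passcode_set or dev.passcode_min_length < MIN_PASSCODE_LENGTH:
        violations.append("passcode does not meet policy")
    if today - dev.last_patch_check > PATCH_CHECK_MAX_AGE:
        violations.append("patch check older than 7 days")
    if today - dev.last_patch_applied > PATCH_APPLY_MAX_AGE:
        violations.append("no patches applied in the last 30 days")
    return violations


def triage(records, today: date = TODAY) -> dict:
    """Map device_id -> violations for a whole inventory export."""
    return {dev.device_id: evaluate(dev, today) for dev in records}


# Constructed inventory records (not real data).
SAMPLE_DEVICES = [
    DeviceRecord("phone-01", "ios", "17.3.1", True, True, 6,
                 date(2024, 2, 27), date(2024, 2, 20)),
    DeviceRecord("phone-02", "android", "13.0", True, True, 4,
                 date(2024, 2, 28), date(2024, 2, 28)),
    DeviceRecord("tablet-03", "ios", "17.3.1", False, True, 6,
                 date(2024, 2, 1), date(2024, 1, 15)),
]

if __name__ == "__main__":
    for device_id, problems in triage(SAMPLE_DEVICES).items():
        verdict = "ALLOW" if not problems else "DENY: " + "; ".join(problems)
        print(f"{device_id}: {verdict}")
```

In the sample run phone-02 is denied for an outdated OS and a four-digit passcode, and tablet-03 for not being enrolled and for stale patching. The same check is what a Zero Trust deployment would run at every connection attempt rather than once at enrolment.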


Best practices

Separating personal from corporate data is a continuous struggle for BYOD-friendly organisations.

Chib says the first and best defence is to secure your personal device with the same requirements you apply to devices that are already on your network by enforcing strong passcodes on all devices and the use of mobile device management (MDM) to wipe sensitive data when devices are lost or stolen. At the application level, encrypting the data stored on the device provides a second level of security a hacker must get through in order to steal your data, he adds.

“You should encourage users to think of the extra layers of security as helpful tools that give them the ability to use their own devices within the workplace. By password protecting devices, a user acknowledges accountability and responsibility for protecting their data,” says Chib.

“Whatever decision you make for your BYOD policy, be sure that it’s enforceable and enables IT to deploy software remotely,” he adds.  

A BYOD policy should ideally be part of the overall cybersecurity strategy.

A mobile security policy should be viewed through the lens of the company’s overall cybersecurity strategy, says Haider Pasha, Regional chief security officer, emerging markets, Palo Alto Networks.  

“Understanding the company’s position around cybersecurity culture, governance, policies and employee awareness is critical. You then have to map your processes such as access management, protective monitoring and apply the ‘Zero Trust’ concept as best as you can. As you build on these basics, you can roll out BYOD in phases across your organisation,” says Pasha.    

A company’s security and BYOD can co-exist, Chib says, but only with planning.

That plan must start with identifying the risk elements BYOD introduces, deciding how to enforce policies for devices connecting to the network, and periodically reassessing the solutions in place, he adds.

The BYOD security policy should be complementary to the overall corporate cybersecurity strategy and should be firmly embedded in that strategy, as it forms one of the most important pillars of cybersecurity in the company, says Symantec’s Love.

“Many studies show that the amount of information accessed by employees and processed on mobile devices often exceeds that performed on traditional devices today. With more and more interactions taking place on mobile devices today, organisations are increasingly turning to Mobile Threat Defence (MTD), and expecting those solutions to provide comprehensive security across all activities, including browsing the Internet and using business apps to get work done,” Love says. 


Awareness

One of the biggest challenges for IT leaders is making sure that their users—and business leaders—fully understand the implications of faulty mobile security practices. “Many users are quite savvy about accessing data and applications using mobile devices. But that doesn’t mean they’re using smart security practices. Preventing risks requires addressing negligence, for that’s where things start going wrong,” Chib says.

Education and awareness are key, says Chib. “First, educate users on mobile security risks and ask them to exercise caution and ensure responsible mobile usage. A lot of users are often found missing out on even the most basic tips, like using stronger passwords. Secondly, users should be careful while accessing corporate data from free over-the-air networks such as public Wi-Fi. This runs the risk of exposing company data to malicious users sniffing the wireless traffic on the same access point. It is hence advisable to enforce acceptable mobile usage policies, like providing VPN technology, which requires that users connect through these secure tunnels.

“IT teams are trying to get users and management to put in place essential steps to secure their mobile devices. For many organisations, overcoming mobile security challenges is a full-time task, with a host of operational issues,” Sophos’ Chib cautions.

BYOD’s main focus should be on cybersecurity hygiene, says Pasha. “If your employees, or anyone accessing your network, lack awareness of the potential threats they could face when using their own device, you cannot expect to have a solid BYOD rollout,” he adds.

Employee awareness should include everybody in the organisation – from the Board through the C-suite all the way down to interns, says Pasha. “An organisation should look at how security is viewed by the people who don’t generally carry the cybersecurity badge. Everybody should be aware of the organisation’s cybersecurity policies and initiatives,” he adds. 

In the Middle East, the focus on BYOD security has generally slanted towards technology, says Pasha. “If somebody comes to them and says, ‘OK, we’re going to deploy BYOD because the CEO wants to use his new iPad’, the knee-jerk reaction is usually to go to a vendor and buy whichever security fix they think is required. What they fail to do is to take a step back and question whether they should be implementing BYOD. They should ask why they are implementing it and who in the organisation it will affect,” Pasha cautions.

It is important for organisations to take a step back and look at how they secure the network from an overall policy perspective, and also at how any new BYOD policy might affect the rest of the security policies that have already been implemented. “If BYOD is not properly deployed, if there are gaps or the policies are not as stringent as they should be, then it creates a significant threat factor in your organisation,” warns Palo Alto’s Pasha.


Regulations

Regulations such as the much-discussed GDPR will have a positive knock-on effect on mobile security and will be emulated in other jurisdictions, Love reckons. “As the region is a hub for international companies that operate in Europe and in other ‘soon-to-be-regulated’ geographies, it definitely makes sense to find universally applicable, GDPR-capable MDM and Mobile Application Management (MAM) solutions,” Love adds.

Regulations such as GDPR give organisations guidelines for securing and auditing their security posture, and ensure that any gaps are filled before a full BYOD rollout, says Pasha.

Businesses that have embraced BYOD have generally empowered a more productive workforce. A mixture of the right technology and mobile security best practices has proven to be an effective barrier to data loss and malware.