Meeting The Security Challenge of BYOD

Bring Your Own Device (BYOD) refers to a policy which oversees employees using company networks and data on their personal devices. IT staff are often wary of such policies, but management seem to like them as they allow for a more streamlined workflow and a reduction in the sizeable cost of buying and maintaining IT equipment. Letting employees’ personal phones, tablets and laptops loose within your corporate network doesn’t necessarily sound like a good idea, but that doesn’t mean you can avoid it, as Scott Gordon duly discovers.

Only 49% of UK organisations have installed formal BYOD policies. That’s according to SailPoint’s most recent market survey. Of course, this doesn’t mean that employees are not using company networks with their own devices. Rather, it simply means there’s no policy in place to manage and control that process.

Fears around BYOD are not unfounded. Phishing links, bad intentions and everything in-between reinforces the old cliché that humans are the weakest element of any organisation. It’s entirely understandable why an organisation would be afraid of allowing an employee’s device as well as its applications and data to access a corporate network. Still, if you want a secure organisation, they’re also a critical part of the solution.

Those fears are not doing anything to stop an increasingly mobile workforce. Neither is the fact that network perimeters are quickly moving out of view.

A draconian ban on personal devices will not halt their use any more than the ‘unhinged’ allowance of personal devices will deal with threats to your network. Both extremes are childish options for a modern company and should be flatly ignored. A sensible way between means both accepting the reality of personal devices in the enterprise environment and crafting strategies to enable this new functionality, while also shielding yourself from the threats it brings. It means putting a policy in place to handle this new reality.

What, then, do you need to think about when coming up with a BYOD policy?

Devising your policy

How you’re going to protect your critical data assets from mistakes, insiders and criminals is entirely dependent upon what those critical data assets are. Does the business design cars, for example? If so, you’ll need to be protecting Intellectual Property going in and out of your organisation.

Sales teams will want to protect client lists and healthcare bodies will need to keep all manner of healthcare records under lock and key.

Your first task should be to find out what your critical data assets are and decide on the most hygienic way to handle them on personal and corporate devices.

This matters for compliance, too. Your BYOD policy will have to be structured around the specific regulatory obligations of your industry. There’s one particular regulation which everyone must bear in mind. That’s the EU’s General Data Protection Regulation. In the run-up to enforcement of the GDPR on 25 May this year, some started to view BYOD policies with suspicion. A survey conducted last year by Strategy Analytics showed increasing fears around BYOD on the part of European businesses. In fact, 10% of those polled said they expected the use of BYOD enabled tablets to decrease with the advent of the GDPR.

Some might think that creating a structure for the use of home devices within an organisation opens it up to compromise when it comes to compliance. After all, what’s to stop anyone from loading up their personal laptop with all the personal data they can lay their hands on and making for the exit door? A good BYOD policy for one.

Security controls and policies

The GDPR demands that you actively take account for the personal data that you have and how it might it be threatened, before implementing security controls and policies “appropriate to the risk”.

Aside from the personal data that might be handled by employees, you also have to account for the personal data that might be accessed on their personal devices.

Attached to those demands are fines of up to 4% of global turnover, or 20 million Euros (whichever is the higher). Given those figures, BYOD is an issue which you can no longer ignore.

The good news is that there are a number of areas in which a sound BYOD policy can ease the path to GDPR compliance. This landmark piece of regulation includes requirements about access control and breach reporting as well as the protection of personal information. A BYOD policy will help in all these areas.

You’ll need to demonstrate your compliance to regulators, too, meaning that you will need to have documented policies, audits and reports that show you have an active BYOD policy.

Once you’ve thought through your compliance obligations, you’ll want to think about how you secure your network and data on personal devices. This process is known as Enterprise Mobility Management. For example, being able to remotely monitor and manage mobile sessions in the office or over secure SSL VPNs when users are out of the office is core to a secure BYOD policy. This matters for the everyday flow of data between personal devices and corporate networks just as much as it does for the actual physical mobility of those devices. Even in a world without hackers, users would still lose and damage their devices. It’s important, then, that critical data is still in your hands even when the device isn’t.

Encrypting corporate data

Organisations should encrypt corporate data and consider solutions that allow security specialists to reach into a lost device and remotely wipe it of sensitive data, keeping it out of the attackers’ hands even if it isn’t in yours. Remote wipe technology can be a point of contention, considering that you’re also dealing with the device owner’s data.

It’s also worth thinking about how this fits into your off-boarding processes. Similar solutions can make sure that leaving employees don’t also leave with critical data and, even more importantly, with access to corporate accounts. 

Even for current employees it might make sense to adopt a ‘Principle of Least Privilege’ as a guiding reference. This states, simply, that people must be given the fewest possible rights and privileges they need to do their job. If an employee doesn’t need access to a particular area or piece of data, then they shouldn’t have it.

The proliferation of admin rights on corporate networks is still a leading cause of data breaches, while privileged credentials – according to analyst firm Forrester – are misused in 80% of attacks. You will want to lock down access as a matter of priority.

Container security solutions can help you separate out your employees’ devices from their potentially hazardous personal data and apps. When using their device for company business, they can work inside a ‘corporate container’ which insulates both corporate and personal environments from risks to privacy and security.

Technological solutions like container security, SSL VPNs and network access controls are critical and can take a lot of the ‘danger potential’ out of your users’ hands. Still, humans will always be your first line of defence when it comes to security. They are where a good deal of your effort has to be focused. Staff must be rigorously educated on what they can and cannot do while using company networks, trained on proper on-boarding and off-boarding processes and updated on Best Practice for cyber hygiene.

Collaboration is the key

This process should ultimately be collaborative. Staff should be asked what they need, and how BYOD implementation would best fit them. Any security policy has to be tailored around those who are wearing it or, put simply, it will tear.

Users will have to be able to access the information and apps they need and easily reconfigure their devices such that they can work safely on a corporate network. If they cannot, they will find ways in which to breach your security.

Scott Gordon

Scott Gordon

Gartner has predicted that 20% of BYOD policies will fail due to over-complexity. To that end, low friction solutions are always the best choice when it comes to user-facing security. Solutions that accommodate users are less likely to be violated and more likely to result in a more secure network that operates in harmony with staff.

BYOD will introduce a variety of unknown quantities to a network, posing a challenge to anyone who’s trying to secure that network. Today’s workplace most certainly demands the kind of flexibility that BYOD brings. Ignoring that fact will not make it go away.

At the end of the day, a secure organisation rises to meet the challenges posed by BYOD instead of letting them fly overhead.

Scott Gordon CISSP is Chief Marketing Officer at Pulse Secure

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts