BYOD. Sounds like something you’d see scrawled on an invitation to a party. Actually, if you attend the parties I do, “Bring Your Own Device” would be accurate. Nowadays, everyone sits around and scrolls on their devices. If someone does BYOB they’re sipping it as they scroll through their device.
But what happens when BYOD seeps into the workplace? Is there anything a managed services provider can do to police usage and keep security in check?
We know that legions of employees have their devices floating around in their pockets. A much-cited report from Microsoft in 2012 showed that 67 percent of people took personal devices to work, a percentage which has certainly grown. Just within the past few weeks I’ve seen a receptionist at a hospital ER surfing Pinterest on her smartphone as I was filling out paperwork and a cop on traffic duty tapping away on his phone. The receptionist could probably be forgiven; it was 2 a.m. and there was no one else there. The police officer, well, there were no cars around except mine, and perhaps it was a city-owned device and he was tapping an urgent message. Best not to draw conclusions without information.
As a practical matter, there’s little an MSP can do to keep someone from bringing a mobile device into the office. That, however, is where a role begins for an MSP and an employer, preferably working in concert.
“One important thing to consider is the type of data being transferred to the employee’s device. If the device is lost or stolen and the data it contains is not protected, then the endpoint becomes a threat to the company,” says Cedric Jeannot, founder and CEO of Waterloo, Ontario-based APrivacy, which develops secure customer engagement platforms with financial institutions.
One of the best solutions, Jeannot tells SmarterMSP, is to adopt a data-centric security strategy where the data itself is secured and encrypted.
“With this strategy, the security of the data is independent of the application, device or channel over which it is being shared,” Jeannot says. In that way, wherever the data travels the security travels with it.
“With data-centric security, information shared across private devices can only be accessed by authorized users, thus limiting the risk to the company,” Jeannot says.
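The envelope pattern behind such a data-centric strategy, as an added illustration that is not APrivacy’s product code or anything from the article: the document is encrypted once under its own data key, that key is wrapped for each authorized user, and the whole package travels together, so a copy on a lost phone is unreadable without an authorized user’s key. The cipher is a stdlib HMAC-SHA256 construction chosen so the demo runs anywhere; a real deployment would use a vetted AEAD such as AES-GCM, and the user names and keys are constructed sample values.

```python
import hashlib, hmac, secrets

# Toy authenticated encryption from HMAC-SHA256 (keystream + encrypt-then-MAC); stdlib only.
def _keystream(key, nonce, length):
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _seal(key, plaintext):
    nonce, (enc_key, mac_key) = secrets.token_bytes(16), _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def protect(document, authorized):
    """Encrypt the document once under a fresh data key, then wrap that key
    for every authorized user; the resulting package travels with the data."""
    data_key = secrets.token_bytes(32)
    return {"body": _seal(data_key, document),
            "wrapped_keys": {user: _seal(ukey, data_key) for user, ukey in authorized.items()}}

def access(package, user, user_key):
    """Unwrap the data key with the user's own key, then decrypt the body.
    Fails for users not on the list, wrong keys, or a tampered package."""
    if user not in package["wrapped_keys"]:
        raise PermissionError(f"{user} is not an authorized reader")
    return _open(_open(user_key, package["wrapped_keys"][user]), package["body"])

def can_read(package, user, user_key):
    try:
        access(package, user, user_key)
        return True
    except PermissionError:
        return False

# Constructed sample: in practice user keys come from the company's identity/key service.
USER_KEYS = {name: hashlib.sha256(name.encode()).digest() for name in ("alice", "bob")}
DOCUMENT = b"Q3 customer list - confidential"
PACKAGE = protect(DOCUMENT, {"alice": USER_KEYS["alice"]})  # only alice is authorized
```

Whichever device holds `PACKAGE`, only a listed user with the matching key recovers `DOCUMENT`; a second user, a wrong key, or a modified body all fail the integrity check.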
SmarterMSP caught up with Pierluigi Paganini, chief security officer for Naples, Italy-based MSP and cybersecurity specialist Cybsec Enterprise SpA.
Paganini says there is a range of risks that bringing so many external devices into a workplace can create, but that companies and MSPs have tools to mitigate them. One of the first is education.
“Mobile devices of course enlarge the surface of attack of any organization, for this reason it is important to educate users about mobile threats,” Paganini says.
He said organizations need to have the following in place:
- A defined BYOD policy
- Guidelines on how mobile devices can be used on or off premises
- Enforced data encryption
- Enforced use of passwords (users need to be educated on how to choose strong and effective passwords)
- Mobile-specific anti-virus and anti-malware programs
- Up-to-date software and applications
Without a clear protocol and precautions, Paganini says, an employee could unwittingly “open the doors to attackers who could then exfiltrate sensitive data from the user, including company information.” That access could also be used for surveillance of specific individuals within the company, or the mobile device could serve as an entry point into the target network, from which the bad actor could move laterally and compromise other systems.
Other suggestions Paganini offers for MSPs and corporations to tighten BYOD security include:
- Set expectations for the introduction of a BYOD policy. Company management must define a set of targets that they intend to achieve with the introduction of the policy, as usual calibrating the effort needed with the expected results.
- Review any security policy related to mobile devices. A useful exercise for the company is to identify the best practices suggested by other standards and regulations with which the company is compliant.
- Take a census of all mobile devices among the staff, determining which ones will meet the security requirements of the company. The company could decide, for example, to permit only specific use of mobile by personnel.
- Verify the integrity of each mobile device, confirming that it hasn’t been jailbroken or rooted by the employee.
- Define and make mandatory a set of security mechanisms for mobile devices (e.g., authentication processes, data encryption).
- Review security policies for web services, remote access through mobile devices, and VPN use.
- Determine which applications can be installed and used by employees.
- Define which data can be accessed from outside.
- As mobile devices become conduits for information to flow, look for apps that include auditability, reporting, and centralized management. Many current apps don’t meet these requirements.
- Periodically review policies and audit mobile devices and installed applications.
- Provide training to employees on the proper use of mobile devices and the way they access the internal network and data.
- Improve the risk management process and instruct employees on possible threats and the related risks for mobile devices.
The upside of BYOD?
Still – the productivity drain of Pinterest and Facebook aside – there can be upsides to devices in the workplace according to Shambhu Upadhyaya, a professor in the University of Buffalo’s engineering and computer science department and director of the school’s Center of Excellence in Information Systems Assurance Research and Education.
“Small scale companies and nongovernmental entities may favor this because these devices are very useful as computer resources. Managing them is not a big issue if the numbers are not too big. Just have some good policy on usage and enforce the policies,” he says.
Employees at larger companies or more data-sensitive workplaces are better off with company-supplied devices that are better managed, or at workplaces that simply don’t allow personal devices to begin with. “Physical isolation of these devices is the best security solution,” Upadhyaya says.
But that’s often not practical or feasible, and BYOD doesn’t have to be a bad thing.
“In theory, BYOD is not a danger if enforceable security policies are developed. In fact they are convenient products in today’s work environment. It can increase productivity because they are ubiquitous and employees can respond faster,” Upadhyaya adds. So, for MSPs, education and encryption are key.