Managing the BYOD risk
As the Internet of things gathers steam, new technologies could greatly enhance a company's workforce.
What began as a trickle of smartphones and tablets has turned into a flood of devices, applications and even wearables drowning the enterprise. While the 'bring your own' (BYO) trend promised benefits of innovation, boosted productivity and a healthier work/life balance, it also brought increased complexity, and pressure on the CIO to manage and secure these devices, applications and data.
"There are multiple levels to think about," says Steve Schlarman, GRC strategist for RSA. "On the surface you have the obvious BYO risks such as employees introducing malware into the environment by devices infected outside of the company's control, or employees losing their devices that might contain sensitive data. In addition, data exfiltration becomes far easier with multiple devices, and IT has to field support calls on technology they don't support."
Below that surface are risks that need to be examined based on the company's own risk tolerance. "For example, many manufacturing companies restrict usage of photography in certain facilities. You can't buy a phone today without a camera. What happens when the precedence is set for BYO and technology like Google Glass becomes mainstream?" asks Schlarman. "As more and more devices become IP-enabled, a company could be faced with devices they never thought about in the early days of BYO."
As the Internet of things (IOT) gathers steam, Schlarman says there will be technologies that could greatly enhance a company's workforce. "Think about a worker in a distribution centre, using Google Glass that directs the work without having to lug around a clipboard or tablet even. So certain technologies will be welcome but with all technologies, there will be risks involved. Part of this risk is setting a precedent now with known technologies that cascades into future risks introduced by the unknown technology."
Riaan Badenhorst, MD for Kaspersky Lab, Africa, says according to recent B2B International research, 75% of companies in SA view the BYO environment as a growing threat. "The idea of BYOD is certainly a good one and receiving some attention from local companies due to its benefits. However, companies shouldn't forget that the rapid development of mobile devices and operating systems has also attracted the attention of cyber criminals."
In fact, in Q1 2014, Kaspersky Lab's collection noted 110 324 new malicious programs for mobile devices. "More often than not, companies haven't implemented the right security solutions to protect their BYOD implementation from malware and cyber criminals. Based on this, the concept of BYOD has become a real dilemma for some IT administrators, as they feel they're unable to foresee where new threats might come from and are thus concerned about how they go about protecting corporate networks that use BYOD."
The reality is that many employees keep confidential business data stored on their mobile devices. If these devices don't have the necessary protection, or security functions such as remote wipe, and this information gets into the wrong hands should a device be lost or stolen, it can be catastrophic for a business, says Badenhorst.
There are technical aspects that can be addressed, says Schlarman. "Network segmentation, quarantine technologies, and similar need to be part of companies' infrastructure already. Companies have (mostly) dealt with architectures such as guest wireless networks and other segmentation technologies, such as firewalls. For BYO, these same controls need to apply and the company has to continue to invest time and technology in protecting the infrastructure. The devices themselves have to be protected to ensure data is protected. So mobile protection technologies need to be evaluated and invested in as needed."
Education and policy are important, adds Schlarman. "Users will generally always go the route of least resistance, so a draconian BYO policy will be skirted around. However, a company needs to be open and direct when it comes to restricting or allowing certain devices. That means staying on top of employee awareness, explaining the risks and why certain things are allowed or prohibited, etc."
One element that should be on the radar screen is third parties that may want to introduce devices. "Contractors using their own laptops is one thing; the vending machine company hooking snack machines on to the network to monitor inventory is another. Companies will have to deal with the proliferation of devices using the right technical and procedural controls," says Schlarman.
Badenhorst adds that companies also have to have effective mobile security and mobile device management (MDM) software, as it allows for monitoring, management, protection and maintenance of a broad range of mobile devices, whether under corporate or private ownership.
Uri Rivner, VP business development and cyber strategy at Biocatch, says, surprisingly, the number-one element in any BYO policy is convenience. "CISOs face a fundamental truth: traditional security concerns are now becoming secondary to the powerful business drivers of mobility and cloud that push the BYO revolution. Yes, it's more risky, but, hey, that's what we, the business, want. And whatever you do as a CISO, you can't harass the employees, you can't really change the way they want to access applications and data, and you can't disrupt their user experience, because usability and ease of use are extremely important. With this in mind, the CISO needs to build a BYO plan that allows the business to take more and more risk, add more and more functionality, while not pouring cumbersome security on the user."
As BYO is an emerging area, policy around it will likely be fluid for the next several years, says Schlarman. "So there needs to be an active team working on this problem. If the company decides to allow BYO, it needs to be a committed, intelligent, conscious decision to embrace an emerging technology trend. It will take a cross-discipline team to understand the pros and cons of the technology and then decide the best course of action. This isn't just an IT decision because it deals with technology; security, HR, the business operations, legal, risk and compliance functions all require seats at this table."
First published in the October 2014 issue of ITWeb Brainstorm magazine.