By Ryan Fahey of InfoSec Institute:
Bring Your Own Device, or BYOD, is a popular trend taking a firm hold in large and small businesses across the board, and with good reason when one considers the elegant applications permitting users to access web-based intranets, e-mail and networks. This is not necessarily new technology; businesses have been assigning mobile devices to employees with similar applications for some time. However, the evolution of personal mobile devices is giving employees an opportunity to do their job to the best of their ability no matter their location, and at no cost to companies. There is a downside: personal mobile devices lack the security measures previously enforced on company-owned mobile devices.
Still, security risks to businesses are not a reason to dismiss the BYOD phenomenon, given the benefits and the likelihood that employees will press the issue. At the same time, companies should not turn a blind eye to possible security problems and simply welcome all personal mobile devices without taking precautions. The solution is implementing security measures that protect company networks and data while allowing employees to use their personal mobile devices. The following tips cover the measures companies can and should take to protect sensitive data, giving employees the freedom to work at peak efficiency and businesses peace of mind.
1. Identify Who Has Access to the Company Network and Data
Company security begins by knowing exactly who is accessing the business network and data. Although not directly related to BYOD, network security is dependent on companies realizing what vulnerabilities are open to attack from any outside source. For this reason, companies should look into access points such as e-mail service, individuals who should not have access like former employees, and access to the company network that does not require authentication. Knowing and taking steps to protect network vulnerabilities such as these decreases the risk to sensitive data and saves businesses costly losses.
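The review described above (accounts belonging to people who have left, accounts nobody uses, and entry points reachable without logging in) is easy to turn into a repeatable check once the HR roster and the account inventory are exported. The following is an added example, not code from the article or from InfoSec Institute; the roster, account list and service list are constructed sample data, and the field names (employee id as account owner, an `exposure` flag on each service) are assumptions about how such exports might look.

```python
"""Access review: reconcile an account inventory against the HR roster and
flag network entry points that do not require authentication.
All data below is constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # employee id in the HR system (assumed field)
    enabled: bool
    last_login: Optional[date]  # None = never logged in


@dataclass(frozen=True)
class Service:
    name: str
    exposure: str               # "internet" or "internal" (assumed field)
    requires_auth: bool


# Constructed sample roster: employee ids of people currently employed.
CURRENT_STAFF = {"E100", "E101", "E102"}

# Constructed sample account inventory, as a directory export might look.
ACCOUNTS = [
    Account("alice", "E100", True, date(2024, 5, 1)),
    Account("bob", "E101", True, date(2024, 4, 28)),
    Account("carol", "E102", True, None),               # never used
    Account("dave", "E099", True, date(2024, 1, 12)),   # left the company, still enabled
    Account("erin", "E098", False, date(2023, 11, 3)),  # left, correctly disabled
]

# Constructed sample list of network-facing services.
SERVICES = [
    Service("webmail", "internet", True),
    Service("intranet-wiki", "internet", False),   # reachable without login
    Service("build-server", "internal", False),
    Service("vpn", "internet", True),
]


def orphaned_accounts(accounts, staff):
    """Enabled accounts whose owner is no longer on the HR roster."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.owner not in staff)


def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts unused for longer than max_idle_days (never used counts)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


def unauthenticated_services(services, exposure="internet"):
    """Services at the given exposure level that can be used without authenticating."""
    return sorted(s.name for s in services
                  if s.exposure == exposure and not s.requires_auth)


def access_review(accounts, staff, services, today):
    """Combine the three checks into one report keyed by finding type."""
    return {
        "orphaned": orphaned_accounts(accounts, staff),
        "dormant": dormant_accounts(accounts, today),
        "unauthenticated_internet_facing": unauthenticated_services(services),
    }


if __name__ == "__main__":
    report = access_review(ACCOUNTS, CURRENT_STAFF, SERVICES, date(2024, 5, 2))
    for finding, items in report.items():
        print(f"{finding}: {', '.join(items) if items else 'none'}")
```

Each finding type maps to an action rather than a guess: orphaned accounts are disabled and their owner's offboarding checked, dormant accounts are confirmed with the owner before removal, and unauthenticated internet-facing services are either put behind the existing login or taken off the public side. Running the review on a schedule, rather than once, is what keeps the inventory honest as staff change.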
2. Identify Remotely Accessible Data
Not all data is created equal; certain information kept by companies is more important than other information. This is why it is important to take the time to determine risk levels for your data and prioritize your security efforts accordingly. This ensures high-risk data is protected without wasting valuable company resources by heavily securing data that has a low risk level.
3. Mobile Device Configurations
Mobile devices present a unique threat to network security and a company’s sensitive data. This is largely because of the possibility of lost or stolen devices ending up in the wrong hands, not to mention electronic attacks and a variety of other vulnerabilities. This is not to say businesses should not allow the use of personal mobile devices, but that companies should take the necessary precautions. The first step toward that effort is to ensure mobile device settings are configured with network security in mind. The following tips offer suggestions on how to go about this with consideration for network security and employee privacy.
4. Security Tools
A critical factor in network access security is ensuring the safe configuration of mobile devices at all times. However, expecting employees to diligently keep up with their device configurations amidst hectic schedules is perhaps unrealistic and problematic. The solution may lie in mobile device security tools. A Mobile Device Management (MDM) system or a Mobile Device Auditing system helps ensure mobile devices are secure and sensitive data is safe. Businesses may prefer the Mobile Device Auditing system, as this tool simply audits and reports device configurations, whereas MDM systems control devices and force configuration settings. In the end, a Mobile Device Auditing system is enough to provide peace of mind to businesses.
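The distinction drawn above is between a tool that reports deviations and one that changes the device. The following added example (not code from the article, from InfoSec Institute, or from any MDM product) shows the report-only side: each device's self-reported settings are compared against a baseline and the deviations are listed, with nothing pushed back to the device. The baseline values, the device records and the names of the reported settings are all constructed for the example.

```python
"""Mobile Device Auditing in the report-only sense: compare each device's
self-reported settings against a baseline and list deviations, without
pushing any configuration to the device.
The baseline and all device records are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List


def parse_version(text: str) -> tuple:
    """'17.4.1' -> (17, 4, 1); padded to three parts so tuple comparison is fair."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


# Constructed baseline (assumed policy values, not from the article).
BASELINE = {
    "screen_lock_required": True,
    "storage_encryption_required": True,
    "min_os_version": parse_version("14.0"),
    "max_autolock_seconds": 300,
    "allow_jailbroken": False,
}


@dataclass(frozen=True)
class DeviceReport:
    """Settings as reported by an auditing agent on the device (constructed)."""
    device_id: str
    owner: str
    os_version: str
    screen_lock: bool
    storage_encrypted: bool
    autolock_seconds: int
    jailbroken: bool


# Constructed sample fleet.
DEVICES = [
    DeviceReport("phone-01", "alice", "17.4.1", True, True, 120, False),
    DeviceReport("phone-02", "bob", "13.6", False, True, 600, False),
    DeviceReport("phone-03", "carol", "16.2", True, False, 60, True),
]


def audit_device(dev: DeviceReport, baseline: dict = BASELINE) -> List[str]:
    """Return the baseline deviations for one device (empty list = compliant).
    Only reads the report; an MDM would instead push a profile to fix them."""
    findings = []
    if baseline["screen_lock_required"] and not dev.screen_lock:
        findings.append("screen lock disabled")
    if baseline["storage_encryption_required"] and not dev.storage_encrypted:
        findings.append("storage not encrypted")
    if parse_version(dev.os_version) < baseline["min_os_version"]:
        findings.append(f"OS version {dev.os_version} below minimum")
    if dev.autolock_seconds > baseline["max_autolock_seconds"]:
        findings.append(f"auto-lock {dev.autolock_seconds}s exceeds "
                        f"{baseline['max_autolock_seconds']}s")
    if dev.jailbroken and not baseline["allow_jailbroken"]:
        findings.append("device is jailbroken or rooted")
    return findings


def audit_fleet(devices, baseline=BASELINE) -> Dict[str, List[str]]:
    """Findings per device id for the whole fleet."""
    return {d.device_id: audit_device(d, baseline) for d in devices}


def noncompliant_devices(devices, baseline=BASELINE) -> List[str]:
    """Device ids with at least one finding, ready for the follow-up list."""
    return sorted(i for i, f in audit_fleet(devices, baseline).items() if f)


if __name__ == "__main__":
    for device_id, findings in audit_fleet(DEVICES).items():
        status = "; ".join(findings) if findings else "compliant"
        print(f"{device_id}: {status}")
```

The audit reads only settings that bear on company data (lock, encryption, patch level, tamper state) and never inventories personal content, which is what makes the report-only approach compatible with the privacy point made later in the article. Non-compliant devices go on a follow-up list for the owner to fix, and access can be held back until the next report is clean.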
5. Open Communication
Open communication with employees about how security measures, such as MDM tools, will affect their mobile devices is advisable. Discuss crucial information like what data companies will have access to, their intentions with that information and what settings security tools will change. In addition, establish employee responsibilities such as reporting questionable activities, lost or stolen devices and possible data breaches. A written agreement outlining the same is also wise, ensuring employees understand the security measures, the effects on their mobile devices and their responsibilities.
6. Respect the Privacy of Mobile Devices
When establishing network access security measures, companies should keep in mind that mobile devices and the personal information stored on them are employee property. As such, the use of Mobile Device Management, or MDM, systems that change mobile device configurations is not always advisable – or acceptable to employees. Network access security is a priority, true, but there are alternatives such as Mobile Device Auditing tools. These less invasive security tools simply monitor mobile devices rather than take control, satisfying network access security needs and respecting company employees’ right to privacy.
7. Data Breach Planning
The risk of data loss is a point of concern for most businesses, and the best stance against that risk is a proactive one. This means actively identifying where the greatest risks are and focusing on those areas in order to reduce the risk and better protect sensitive data. The above tips provide a basic guideline as to how to go about this, but companies should not end their efforts there. The next step in a proactive stance is to develop a plan to ensure the company is prepared should a data breach ever occur. One should not hesitate to lay out a detailed plan establishing who to contact, what measures to take to protect any systems breached, what steps to follow to discover the culprit, how to lessen the impact and more. Preparation for the inevitable decreases the impact of the inevitable.
8. Regular Audits
Ideally IT systems change and grow with the company. This creates a need to audit and adjust network access security procedures on a regular basis to ensure they continue to fit the security needs of a business’s information system. For a deeper understanding of IT auditing, check out the CISA training course offered by InfoSec Institute.
9. Plan for Eventualities
A number of businesses report to outside authorities under regulations such as Sarbanes-Oxley, HIPAA or PCI, or even to internal auditors, to ensure compliance with IT security regulations for desktop endpoints and traditional servers. Understanding this, the natural assumption is that regulations will soon extend to cover access to company networks with mobile devices. This is, after all, the logical solution to the security risks mobile devices pose. Why wait? Businesses can take these tips as a guide to establish their own regulations, setting the standard and preparing for the inevitable.
10. Peace of Mind
Implementing procedures such as these is not easy. One must understand the expenditure of resources as well as the planning and effort involved. However, the hard work usually pays off. Company executives will rest easier knowing company data is protected, decreasing the loss of sensitive information and the consequent damage caused. As for the employees, they will be free to do their jobs to the best of their ability. The peace of mind earned alone is well worth the effort.