Mobile is all the rage these days. Smartphone penetration in the United States sits at almost 80%, and tablets are just north of 50%. This prevalence is spilling over into the workplace, with more and more employees using mobile devices for work. Employers have embraced the trend: the majority of employers (59%) have Bring Your Own Device (BYOD) plans, and 87% of employers expect employees to access business apps on personal devices.
BYOD offers various advantages for the company, such as lowered hardware costs and greater employee productivity. Unfortunately, with BYOD programs, IT security ringfencing is complicated by the wide variety of possible personal devices, the poor computing habits of employees, and the general lack of control IT departments face when balancing business security and employee freedom on their own devices.
Data Flows and Local Ringfencing
Company-issued devices provide a secure connection to your internal network. IT departments can restrict installations and which networks are accessible. However, having two devices is a hassle, and many employees want to combine their personal and professional devices. For companies planning on embracing BYOD, it is important to keep confidential data from leaving secured applications.
On-device solutions exist to ensure that confidential data does not end up in personal cloud accounts, either intentionally or by accident. These solutions go by the labels Enterprise Mobility Management (EMM) or Mobile Device Management (MDM); they allow applications to be deployed across devices, with different privileges assigned to different devices, and they also enable remote locking or wiping of devices. Employees may object to the corporation having this ability, but one unhappy employee (possibly forced to use a corporate-issued device instead) is certainly preferable to a massive data leak.
Another important layer of security for remote workers is the VPN. Mobile workers might be connecting to your network via public hotspots, and those hotspots may be compromised. If everything goes through an encrypted VPN (or at least HTTPS), then the only thing attackers on that hotspot will get is a jumbled mess of encrypted data.
Another layer of security, which meshes well with VPNs, is two-factor authentication. With a physical token generator, transactions and authentications cannot take place unless both the mobile device and the generator are stolen, which reduces the effort required to vigilantly monitor traffic from every device for irregular usage patterns. If the second authentication factor is not presented, there is no security risk. And stealing two physical devices is harder than stealing one.
Encryption is so important it deserves its own section. Both network traffic and devices should be encrypted. As mentioned above, network traffic can be encrypted through VPNs and strict HTTPS use.
Devices that store data should also be encrypted. Laptops that hold any sensitive information, even in caches, should use full-disk encryption, which works at the operating-system level. Using only file-level encryption leaves the device open to various attack vectors, including recovery of temporary files before they are removed. Unencrypted data in memory is impossible to avoid, but once a device is powered down, anything in memory is erased.
If employees are using their own devices, it is still a good idea to encrypt their data. It should not be a difficult sell to bring employees on board with encrypting their devices, especially ones that interact with sensitive data, both corporate and personal.
Use current hardware and software
Software constantly receives updates to improve its security. If employees neglect to update their software, known security holes will remain open. And when software is updated to patch a specific security issue, that issue becomes public knowledge once the patch is published, since the patch has a specific purpose. Equifax failed to update its software even after the security exploit was publicly known, and consequently leaked millions of data points of sensitive information.
Hardware is much harder to patch, and it may be impossible to do so. Hardware security holes are rarer, but they do exist. Often the hardware issue is really a firmware issue, which can be patched, but patching firmware requires more technical expertise than your employees may have. Furthermore, newer hardware may automatically implement modern security features, like self-encrypting disks and Secure Boot, which prevents malware from loading at boot time. These kinds of security measures should become commonplace as time progresses, and they will help defend your computer systems from attack without any participation on the part of employees, provided they have the newer hardware. Therefore, companies should be replacing older hardware judiciously.
Encourage Secure Computing Habits
Maintaining a strong IT team and putting robust security policies in place is essential to ensuring your company does not fall victim to cyber attackers. But the most likely vector for a data leak is a zero-day exploit that finds its way onto an employee's device. With BYOD, IT teams have to contend with every whimsical download of the latest variation of a popular app.
Employees should be apprised of mobile security tips, and they should follow general security practices whenever they use their devices; this will not only protect the company but also their own personal data. A training session demonstrating the importance of both company and personal data can be used to drive the point home. Showing employees that compromising the device's security puts both private and corporate data at risk is more likely to result in better security practices than merely intimidating them with the consequences of a corporate data leak.
In that training session, it is good to inform all employees of common threats, like malvertising and evil-twin WiFi hotspots. Then explain how the solutions above address these problems: MDM can help guard against malvertising and drive-by malware downloads, and VPNs and encryption can protect against compromised hotspots.
Enterprise mobile security, especially under BYOD, does not exist in a vacuum. It requires that active and vigilant security measures be taken by both employer and employee, and the best way to achieve the highest possible security is to implement best practices for both IT deployment and personal computing safety. Protecting data is of paramount importance in the age of computing, as we continue to live more of our personal and professional lives online.