BYOD is becoming a prevalent Information Security and IT Focus
Bring your own device (BYOD) has become increasingly more prevalent in businesses with over 71% of companies planning, tolerating or supporting its infiltration into normal corporate work practices, according to an infograph published by Matrix 42. According to the below infograph the most common devices being utilised by employees via BYOD for work are laptops, PDA’s, mobile devices, and tablet computers.The Matrix 42 infograph was developed after the company completed a survey of 600 enterprise IT professionals and was published via Visual.ly.
The question of mobile device management (MDM) by securing company information was revealed as imminently important, with over 78% of respondents identifying this as being an ‘extremely or very important part of their IT offerings in the next two years. The drivers behind this focus are potentially IT based given that over 31% of IT departments are driving the employment of BYOD’s within the corporate sector. The most common usages of the listed devices are corporate data access and e-mail usually in conjunction with application software.
Simon Loughran one of Certification Europe’s leading ISO 27001 - Information Security Management Systems auditors published a paper called ‘Security and Mobile Devices’ on this topic recently. The paper identified one of the largest risk associated with the usage of BYOD devices such as mobile devices is inherent with their portability and that is precisely the intended functionality. Advanced technological changes allow people to work outside the corporate networks on wireless and remote connectivity, which in turn facilitates easily accessible and shareable company information. This creates a new risk area for companies as it has moved outside of the established security perimeter that has been so meticulously developed. The solution is to develop subsequent selected security controls around the mobile devices and BYOD devices which are as stringent as those employed around company devices.
ISO 27001 (ISMS) and ISO 20000 IT Management provide the greatest security opportunities for a company and should be considered by all organisations who are rolling out a BYOD policy within their organisation. The following top ten tips for securing your mobile devices were developed by Simon via personal experience and from peer professional online research.
Top Ten tips for mobile security
1. Device Selection
Not all devices are created equal when it comes to security. For example, iPods are built for general consumers not as concerned by security and is therefore less inherently secure than a BlackBerry device designed for enterprise users.
The degree to which security controls can be implemented on mobile devices is highly dependent upon the vendor. Consider mobile devices that have the best possible control and security on them. Just because a senior manager likes the look of a particular device is not a good enough reason for its selection.
2. Enable Encryption
Many organizations do not enforce or even set policies mandating the use of device encryption on mobile devices. Encryption is one of the most common methods used to protect the information on the mobile device and should really be used without a second thought. It gives both you and the data owner a clear sense of security. Some vendors actively publish and push their security encryption methods and credentials with Blackberry being a prime example with lots of security hints and tips readily available.
Encryption for laptops is standard best practice so why not all mobile devices?
3. Require Authentication
Mobile devices require proper authentication as they are extremely susceptible to loss or theft. Most users have adopted some form of authentication on their laptops, even if it is only a password, which should now be applied to all mobile devices. A BIOS or start-up password for a laptop works on another level whilst still using encryption. If you can’t authenticate you cannot gain access therefore the encrypted data is further protected.
4. Utilize Remote Wipe Capabilities
Applications have been developed because of the proliferation of mobile devices and their inherent vulnerabilities that give people the ability to remotely access and disable devices in the event of loss or theft. Imagine how helpful the ability to wipe information remotely from a machine could be in such a stressful scenario as loss or theft especially considering the potential damage in the event of information leakage.
5. Incident Management
Organizations should examine developing a policy and procedure protocol for employees who have lost their devices which they have previously used to access company information. This is where ISO 27001 Incident Management becomes extremely effective. An established incident management process will make it easy for them to call the relevant people to alert staff that a device has been lost or stolen. However organisations should remember that it is only effective if you launch an awareness campaign for such an event.
6. Control Third-Party Apps
Smartphones/ Iphones offer increased risk to a company as they are essentially miniature computing platforms that can accept any nature of third-party applications. If you can limit the installation of unsigned third-party applications you can help to prevent the bad guys from requisitioning control of your devices. This is the basic premise of Trojans and how they attack your systems. Consider that there are many examples of Trojans being built into free apps and so called ‘cool’ games!
An interesting development in the app sector is that Google Apps have tackled this risk by becoming ISO 27001 certified recently, denoting the importance which they place on securing client information.
7. Network Access Controls
Enterprises should set up network access control mechanisms such as unique firewall policies, vlans, static routes etc. specifically to segregate traffic coming in from mobile devices. Mobile device users don’t necessarily need access to all of the data and areas on the network, so limit exposure by only offering access on a need to know basis.
8. Use Intrusion Prevention / Detection Software (IPS/IDS)
As Smartphones and mobile devices become more and more powerful, they’re likely to become another weapon in the hacker toolbox. As a result, it makes sense to have your intrusion prevention software examining traffic coming through mobile devices. After all if a standard user can install apps on an easy to hide portable device what’s to stop a hacker utilising such a device with a vast array of tools?
9. Anti Virus - AV
There are many host based anti-virus applications available for Smartphones and mobile devices but consideration must be given to how they interact within the enterprise and how they are going to be managed. A device connecting into the corporate LAN may have a requirement to authenticate its security control feature or access may be denied. Blackberry Enterprise Server (BES) utilises AV to control its devices and is way ahead of other Smartphones in the security stakes.
Bluetooth capabilities on today’s Smartphones and mobile devices may make it easy to talk on a hands- free headset, share information and interconnect devices, but they’re also a target for hackers, who can take advantage of its default always-on, always-discoverable settings. In order to limit exposure best practice is to recommend disabling Bluetooth when it is not actively transmitting information. You can also suggest switching Bluetooth devices to hidden mode. Organizations can limit exposure by making this company policy.