Would you leave your door or safe open 24/7? So why allow BYOD?

This is a follow-on from last week's article “To BYOD or Not to BYOD, that is the question – maybe”.

First of all what is BYOD? Obviously we have run out of three letter abbreviations so we are rapidly moving on to four or more.

BYOD is simply Bring Your Own Device. This is anything you take in to work, namely laptops, tablets, smartphones and other electronic devices that can communicate with your infrastructure.

You may not think that anyone brings in their own device, but nearly everyone has a smartphone, and some companies allow or even encourage employees to buy their own tablet or laptop and use them for work and play.

What are the risks? Is it an accident waiting to happen?

If you are diligent you will have a secure building, fire policy, alarms, CCTV, Firewalls on your router, secure network, signing in and out book, Health and Safety policy but anyone who comes in with a device is inside your “Fortress”, not outside trying to come in.

From an IT point of view we have complex passwords, firewalls and routing tables. These are there to make sure that no one can access your data by hacking in. Clearly, in many cases involving the big banks and stores, it fails, but at least they try, so they won't get a £500,000 fine for breaking the data protection laws. How about your company?

You should have a BYOD policy to protect you and your company. It's usually like wills, backups and intruder alarms: they all become important after the event.

Here is a list of the top eleven threats.

Risks Are Both Simple And Complex

Threats to the enterprise posed by an employee-owned mobile device can be as complex as a sophisticated malware attack designed to snoop on an employee’s browsing activity or as simple as a lost phone in a taxi. The threats are forcing security teams to introduce new policies to reduce the risk. Enforcing them without impacting productivity is a balancing act. Experts say the first step is to understand the perceived risks and weigh them against the company’s security posture.

11. Jailbreaking and rooted devices

Jailbreaking removes the limitations imposed by the device maker, often eliminating restrictions designed to improve security of the devices. Rooting gives the device owner administrator-level permissions, enabling them to install and run apps that could be potentially malicious in nature. Often the employee who demands the latest and best technology may also be technical enough to jailbreak or root their device. Easily available tools have made this easier, and now it can be done with a few mouse clicks.

10. The Greeks are inside!

That might have been the call in ancient Troy, but it's never heard, or anything like it, in an office. Maybe it should be updated to “The Geeks”. Every device that comes into your premises is a potential threat. They may have cheap or free anti-virus which isn’t up to the standard you use. They may have undetected networking viruses or other malware which is just itching to jump into your network and spread its deadly disease throughout. Cryptolocker, the ransomware data encrypter, comes in through an e-mail and spreads all over a network, making data useless unless a ransom is paid, and usually when discovered it’s too late. The key is vigilance and preparation.

9. Restrictions can be broken

Employees can find and use a workaround to tie into company resources. Restricting devices from accessing the network might make you feel safe, but certain mobile apps can enable access controls or at the very least enable the device to access company e-mail, calendar items and contacts.

8. Vulnerability

Failing to update the software can expose company data, and updates are usually issued just to improve security. A further complication is the update method for some devices. Apple pushes out software updates to all iPhone users, but Android devices make the user, carrier and manufacturer responsible for updates, which can leave known vulnerabilities available for quite some time. In addition, you have no control over the quality of apps, so there could be software errors in third-party applications running on the device.

7. Wireless networking

Most devices are configured to find and try to connect to any wireless networking signal to access the Internet. While most businesses provide secure access points for guests, open wireless points can put device owners at risk of man-in-the-middle attacks and other threats that enable an attacker to snoop on their activity.

6. E-mail

If the device owner fails to implement a PIN code to lock the device, anything that falls into the wrong hands can give an unauthorised person unlimited access to e-mail and data until the device is reported lost and the data is wiped. Some organisations are implementing policies to make users sign in every time they access their e-mail using their device.

5. Adware, Spyware

Many easily available add-ons and applications collect as much information as possible about the user on the device in an effort to sell the data to advertising networks. A mobile application is considered Adware or Spyware by security vendors when it collects data without requesting the owner’s permission. Some apps also install aggressive ad-driven search engines on the device to send users to specific advertiser web sites.

4. Too Many Permissions

Google, Apple and Microsoft have restrictions that force mobile application makers to request permission to access resources, such as the camera and contacts, but most users fail to read the small print and grant permission during the install process. The wrong permissions could expose contacts, e-mail addresses and device location data to unscrupulous people.

3. Cloud-Based Storage Services

Dropbox and other remote storage services are known as “the cloud”, but in reality that is a fancy name for just using the Internet to store data elsewhere, which can lead to data leakage. These services are used to store data as a backup or to share it, and if you fail to put restrictions on sensitive data or fail to have an enforcement mechanism restricting the use of mobile cloud storage apps there could be a problem. If a company doesn’t provide an approved storage solution, technically savvy users might bypass any security controls altogether. In addition to Dropbox, Google, Apple and Microsoft have cloud-based storage capabilities aimed at consumers, and anyone can stick a server on the network and sell space without any regulations or checks.

2. Mobile Malware increasing

There is a steady increase in malware targeting mobile. The bulk of the threat is made up of SMS text messaging Trojans targeted at consumers, but enterprises are not immune. Security firm Kaspersky Lab recently identified Red October, a targeted attack campaign that had a mobile malware component. Zeus and SpyEye are banking Trojans that attempt to take advantage of a victim’s mobile device.

1. Lost Or Stolen Devices

Lost or stolen devices are the biggest risk if you allow employees to connect their personally owned device to the company network. It is possible to implement ways to remotely wipe any corporate data, such as e-mail and contacts, from a lost device. The response from employees who don’t want to give their employer unrestricted access to their device has prompted companies to take a closer look at containerisation. By containerising business data on the device, IT teams can have the ability to selectively wipe corporate data if the device is lost or stolen.

A policy for BYOD?

To ensure that you cover all these points it is necessary to have a BYOD policy in place and ask every employee, as nearly everyone will want to use your network, to agree and sign. Most wireless routers will allow users to connect using their device, and you hand out the access rights when you give them the password. You do have password protected wireless, don’t you? The safe way is to grant them access after they have signed the policy and note their device's code so they can’t give it to anyone else. It's like everything in your business: you need to stay in control, otherwise others will control you.

You need to have a company-wide anti-virus policy.

Wireless access should only be granted after agreeing to and signing a BYOD Policy Document.

You will need the MAC address from all authorised devices.

You need a wireless router that can restrict access by MAC address.

Look at software that bricks or containerises the device if lost or stolen.

Investigate anti-virus for mobiles from people like ESET.

Implement a PIN code on all authorised devices.

Make sure your Internet storage is necessary, safe and secure.
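One way to check the points above in practice, as an added example that is not part of the original article: compare the devices the wireless router has handed addresses to against the register of signed policies. The dnsmasq-style lease format, the register columns and every sample value are assumptions constructed for illustration; the check also flags locally administered addresses, because a phone presenting a randomised "private" Wi-Fi address will not match the MAC recorded at sign-up.

```python
import csv, io, re

# Constructed sample data (not from the article): the register of devices whose
# owners signed the BYOD policy, and a dnsmasq-style DHCP lease list.
SIGNED_REGISTER = """owner,device,mac,policy_signed
A. Example,Phone,3C-5A-B4-12-9F-01,2024-01-15
B. Example,Laptop,a4:83:e7:00:10:22,
"""
LEASES = """1700000000 3c:5a:b4:12:9f:01 192.168.1.20 phone-a *
1700000100 a4:83:e7:00:10:22 192.168.1.21 laptop-b *
1700000200 de:ad:be:ef:00:01 192.168.1.22 * *
1700000300 00:11:22:33:44:55 192.168.1.23 printer *
"""

def normalise_mac(text):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, as it is on the
    randomised 'private' Wi-Fi addresses phones can present per network."""
    return bool(int(mac[:2], 16) & 0x02)

def load_signed(register_csv):
    """Map MAC -> owner, only for rows with a policy signature date."""
    signed = {}
    for row in csv.DictReader(io.StringIO(register_csv)):
        mac = normalise_mac(row["mac"])
        if mac and row["policy_signed"].strip():
            signed[mac] = row["owner"]
    return signed

def audit_leases(leases_text, signed):
    """Return (mac, reason) for every connected device not covered by policy."""
    findings = []
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mac = normalise_mac(fields[1])
        if mac is None:
            findings.append((fields[1], "malformed"))
        elif mac not in signed:
            reason = "private-address" if is_locally_administered(mac) else "not-signed"
            findings.append((mac, reason))
    return findings

if __name__ == "__main__":
    for mac, reason in audit_leases(LEASES, load_signed(SIGNED_REGISTER)):
        print(mac, reason)
```

A device reported as `private-address` is most likely using a randomised address, so its owner needs to switch that feature off for the office network before the registered MAC will match.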

We can write and help you implement a BYOD policy which covers most of the aspects in this listicle – which is a new word in the Oxford English dictionary, an article based on a list.
