Businesses have to face the issue of BYOD (Bring Your Own Device). When 78% of white-collar employees in the United States use their own PC, smartphone or tablet for work (according to a Cisco report last year), they have no choice but to deal with it.
Trouble is, they aren’t. One study from Gartner says only 33% of businesses have BYOD policies. An F5 Networks survey says 75% of businesses don't have a BYOD policy in place.
This is troubling. The BYOD trend is convenient for your employees, but it’s also a serious risk – not only to your network’s security, but to the safety of your data. Is your employees’ convenience worth the risk to your company?
Controlling BYOD is Possible, and Worth the Effort
Many businesses feel they just have to accept BYOD. There are more cellphones than people in the U.S., and tablets are now commonplace everywhere from boardrooms to hospitals. Why fight against an obvious computing trend?
This month’s WOOF will show you that the fight is necessary. That controlling it IS possible, and it doesn’t require an overhaul of your security.
What are the biggest problems with BYOD? Is it really so bad to let employees use personal devices to do their company work? What’s the worst that can happen?
BYOD—The Worst That Can Happen
- Your corporate data becomes accessible on an employee’s personal device. Personal devices are taken to personal places (home, bars, restaurants, stores, airports, the gym, left in the car, etc.) where they can be easily lost or stolen. Phones and tablets are perfect avenues for a cyber-thief to steal huge amounts of private data. Walking away with a device is much easier than hacking into a datacenter. And worse, for convenience, most users don’t use an extra password for email on their phones/tablets. So a stolen device provides an open door to company email, network files, and favorite websites with prefilled logins.
- Since the device does not belong to the company, you have no right to secure the device’s hardware, which leaves your network open to viruses and malware coming through it. Not to mention, the employee may habitually store documents locally, so you have no network backup in the event the device is lost, stolen or destroyed.
- No GPO or password management capability. Without configuration, tablets will not obey GPO rules on your network, which means a remote password change or data wipe, in case of loss, may not even work.
- If your employee quits, you have no right to ask them to turn over their personal device so that you can remove all network connections, company applications, delete stored passwords, work product, etc. If they quit, they take your data with them.
- If company passwords are stored on personal devices, they’re drifting around outside the network and can be harvested.
- Most tablets & smartphones send/receive data without encryption, which means someone can steal the data while it’s transmitted across the Web.
- Over 1 in 3 younger workers – those considered “first generation” BYOD users – would ignore business rules if those rules banned personal devices at work.
- Lost or stolen personal devices with corporate information on them can make the business liable if such data loss constitutes a violation of government policies (HIPAA, etc.)
- Network security does not always cover mobile devices as fully as in-office computers (depends on the software used).
- Finally, the BYOD phone number problem. Who owns the phone number? Not the company. An employee in sales or other customer-facing roles leaves the company and takes their phone number with them. Customers calling the number could then potentially be calling competitors which can lead to loss of business for BYOD enterprises.
BYOD is essentially a collision between employee privacy/convenience and corporate security. Collisions are messy.
BYOD—Real Life Scary Stories
Horror stories abound when it comes to BYOD – stories of data loss, theft, and worse. If you don’t protect your business against BYOD’s security risks, you could face something like this:
- In September 2012, Massachusetts Eye and Ear Infirmary had to pay a $1.5 million fine for HIPAA violations. Why? A doctor's personal laptop had lots of patient information on it. And no encryption. It was stolen, threatening the privacy of those patients. The hospital was liable.
- A commenter to a request for BYOD horror stories told of a military aide who entered work-related phone numbers into his personal phone. He lost the phone. 27 unlisted numbers had to be changed, and hundreds told of the changes.
- Mississippi Department of Corrections (MDOC) network systems manager Jerry Horton recounted a BYOD security nightmare in Baseline: the agency's infrastructure couldn't handle the new traffic from BYOD. After allowing employees to bring their own devices, the MDOC thought it was protected by its existing firewall. However, the firewall was unable to monitor traffic at all ports. At one point, Horton says, MDOC was hit by attacks 3-4 times a week.
- Mimecast CEO Peter Bauer fell victim to personal data loss as the result of an internal management policy he helped establish. While vacationing in South Africa, Bauer's 5-year-old daughter tried to use his smartphone. After she entered the incorrect PIN code 5 times, the corporate-installed remote wipe capability kicked in, and Bauer lost all of the photos he'd taken in the first half of the trip.
- An attorney at law firm Dowling Aaron nearly lost his work emails and banking information when a thief stole his phone from his car. However, Dowling Aaron had implemented BYOD user policies, and was able to remotely wipe the phone before the data could be exploited.
PlanetMagpie Recommended BYOD Security Policies
If BYOD is such a security concern, how do you protect your network?
"Couldn't we just ban BYOD?" Yes, you can try. But if employees sneak in their tablets (like in #6 above), your network security now has a hole. And you aren’t prepared for it.
The best approach is to build protections against BYOD into your company’s policies and security infrastructure.
Here are several types of BYOD security policies you can institute.
- Let employees use their company phones and laptops for personal use. Designate the software that is allowed on the device. This way you control security (not to mention where they can go online) and hardware must be returned to you at departure.
- Create a guest network for personal devices to use. Wi-Fi, Internet access only (no work resource access). Throttle the bandwidth too, so BYOD doesn’t hamper corporate Internet use.
- Use RADIUS authentication for the corporate wireless network. This way only machines that are joined to the corporate domain can access the internal wireless network.
- Institute a company policy saying that no company data may be saved to tablets or phones. Store & work with data at the server level only. No exceptions. And make sure there are consequences for violating the policy (such as confiscation & checking of the device).
- Use encryption to protect the data itself. All mobile devices must work with encrypted data only.
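As an added illustration (not PlanetMagpie's own configuration), here is a hostapd configuration that puts the guest-network and RADIUS items above onto a single access point. The corporate SSID uses WPA2-Enterprise and hands every login to a RADIUS server; the guest SSID is a separate, client-isolated BSS on its own bridge so it only reaches the Internet. Interface names, SSIDs, IP addresses, the shared secret and the passphrase are placeholders. Restricting the corporate SSID to domain-joined machines is enforced on the RADIUS server (for example by issuing machine certificates and accepting only EAP-TLS with those certificates); the access point just forwards the authentication. Bandwidth throttling for the guest bridge is done on the router or switch, not in hostapd.

```ini
# hostapd.conf -- added example, not PlanetMagpie's configuration.
# All names, addresses and secrets below are placeholders.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
country_code=US

# --- Corporate SSID: WPA2-Enterprise, authentication delegated to RADIUS ---
ssid=CorpNet
bridge=br-corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# Do not use hostapd's built-in EAP server; forward to the real RADIUS server
eap_server=0
# RADIUS server (e.g. NPS or FreeRADIUS) that decides which machines may join
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
own_ip_addr=10.0.0.2

# --- Guest SSID: second BSS, Internet access only ---
bss=wlan0_guest
ssid=Guest
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_GUEST_PASSPHRASE
# Keep guest clients from reaching each other over the AP
ap_isolate=1
```

The point of the two bridges is that br-guest is routed straight to the Internet connection with no path to servers or file shares, while br-corp is the only segment that reaches internal resources, and nothing gets onto br-corp without passing the RADIUS check. Multiple BSS entries require a Wi-Fi driver that supports several virtual interfaces on one radio.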
You can use any combination of these to secure BYOD. The important thing is to protect against data theft at the server level. It takes a bit of work to set up the network for BYOD protection (especially if you want encryption). But it’s a one-time change. From there, the systems administrator or your IT consultant will monitor the network and BYOD devices all in one.
Remember that your #1 job is to protect your company. BYOD does not have to be a fait accompli. Protect your company data with sensible policies and network tools.