With business ventures going mobile, organizations have observed a massive boost in employee productivity. Smart phones, PDAs, laptops and tablets are now being connected to business networks so that employees can work from anywhere, anytime. BYOD, or Bring Your Own Device, is a phenomenon fast catching up across various multi-national organizations because of the flexibility it offers employees working from different client locations. However, BYOD as a practice does come with its share of pitfalls, the biggest being the confidentiality and security of company data.
Previously, organizations that required employees to work from remote locations issued smart phones or laptops with security clearance. Case in point is the Blackberry range adopted by companies as something of a de facto standard across the software and finance industry. Blackberry, then associated purely with the white collar workforce, designed mobile devices with powerful capabilities that were utilized by companies to harness employee time on-the-go without compromising security. It enabled the organization to be in control not only of the data accessed by the employee but also of the device configuration. Data integrity and confidentiality was assured as the employee had to return the phone to the organization on employment termination.
That is not the case today. With more and more employees purchasing smart phones, tablets, phablets, and laptops with capabilities superior to the Blackberry, data security has become a major concern in organizations. Having spent a considerable sum on an expensive phone and already being comfortable with it, the owner may be more inclined to use the same device at the workplace rather than manage two smart devices. While this works in favor of the organization in many ways, with reduced expenditure on official phones and the fact that individuals are much more comfortable with their own phones than with company-issued devices, there remains the question of security. What mechanism is there to stop an employee leaking sensitive information to rival organizations? Or worse, the theft of a device may mean that the thief is privy to confidential details of a new product in the pipeline.
The argument in favor of BYOD entails that the new generation of smart devices come fully equipped with anti-theft and security software. Whether this is enough to ensure that company data is safe in the hands of an employee remains to be seen. With mounting pressure on employers to embrace BYOD, the viability of the concept on a large scale is still a gray area.
For the present, organizations would do well to safeguard their data on company phones with the following tips.
1. Restrict Company Network Access
The network administrator in charge of personnel access must review security measures frequently and thoroughly. For data protection, it is vital that active email accounts, VPN tokens, intranet applications and databases be monitored closely to detect unauthorized access and suspicious activity such as a high number of login attempts. No confidential data should be available to employees without secure authentication. There must be robust security measures in place to detect any breach from a mobile device. All network entry points must be covered and monitored often.
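As an added illustration of the "high number of login attempts" check described above (example code, not part of the original article), the following Python detector scans authentication log lines and flags any account that accumulates a threshold of failures within a sliding time window. The log line format and the sample entries are constructed for this example and are not from any real system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN/email authentication log lines (assumed format, not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:05 vpn auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:09 vpn auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:14 vpn auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:20 vpn auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:27 vpn auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:00:33 vpn auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T08:01:10 mail auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:02:00 vpn auth user=alice src=203.0.113.5 result=OK
2024-03-01T08:12:40 mail auth user=bob src=198.51.100.7 result=OK
2024-03-01T08:30:00 vpn auth user=carol src=192.0.2.9 result=FAIL
2024-03-01T08:50:00 vpn auth user=carol src=192.0.2.9 result=FAIL
2024-03-01T09:10:00 vpn auth user=carol src=192.0.2.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$"
)


def find_login_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: max_failures_in_window} for every user whose FAIL count
    within any `window`-long period reaches `threshold`. Lines that do not
    match the expected format are skipped rather than treated as failures."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["res"] == "FAIL":
            fails[m["user"]].append(datetime.fromisoformat(m["ts"]))

    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then count.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for user, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {user} had {n} failed logins within 10 minutes")
```

Only alice trips the default threshold; carol's three failures are spread across 40 minutes and never fall into one window, which is why the check is windowed rather than a plain total.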
2. Ensure secure access to corporate data from remote locations
Corporate organizations must review their servers and data regularly to ensure that confidential information is accessed only after authentication. It is a good idea to rank the relative risk of exposing data accessed from the various external portals. Sensitive data requires more than one layer of authentication, while low-risk data should be easier to access from remote channels for quick turnaround times.
3. Be Aware of device configuration
Mobile devices are a liability from a corporate standpoint owing to theft and potential loss. As a result, corporate data stored on mobile phones is highly susceptible to espionage. There is additional risk of data loss through electronic channels. Viruses and worms are also being developed on various mobile platforms to access confidential data.
An organization’s first line of defense for smart devices is to ensure that each device is properly configured to secure any data. Firstly, software available online warns users when applications access personal information and when data is visible over a network. Secondly, companies can add their own anti-theft and anti-espionage settings that require users to authenticate before accessing certain information. Thirdly, employees must be advised about the possibility of data theft, and the seriousness of losing vital information must be impressed upon them. Administrators who know the configuration of the smart devices in use are in a better position to detect unauthorized access and security breaches from individual devices.
4. Utilize Device Management and/or Audit tools
Often, the first step in ensuring that employees configure their portable devices as per company policy is to circulate written instructions, either by email or on the notice board, and to reinforce them with verbal instructions. While this may seem simple, employees may read the directions yet not follow them. Over time, they may also fail to maintain the prescribed configurations.
To tackle this problem, there are tools that monitor and report the configuration of a device and automatically bring any non-compliant device into line with the desired security configuration. While Mobile Device Management (MDM) tools are the tools of choice, they are better suited to large organizations than to a small company. An alternative to MDM is a Mobile Device Auditing solution. Unlike MDM, which is more stringent, these tools do not take control of the device but keep track of non-compliant devices, making them an employee-friendly option as well.
5. Be Clear and accurate when communicating with employees
To maintain transparency, it is preferable that the management informs all employees about the type of monitoring and control policies that are in place for BYOD like:
• The kinds of data being monitored
• The configuration settings which can be modified
• The manner in which the device information will be used by the company
• The time period for which such data will be retained and so on.
Keeping communication lines open also promotes a level of trust and confidence between the company and its staff. It is important to note that organizations, by law, require a written agreement regarding the audit and control of employee devices. Such agreements enumerate the information that can be viewed and modified on employee devices by the organization.
Create awareness among employees about factors like reporting suspicious activity, loss of device or data, configuring devices as per security policies and the like; this will go a long way in securing sensitive information as employees will certainly be more cautious about where and how they keep their devices.
6. No compromises on employee privacy
Even though BYOD allows external devices to access company data, the device is, at the end of the day, the property of the employee. They should be able to use their device for personal tasks too. A fine balance has to be maintained so that the privacy of the employee is preserved while company information is secured. The staff, too, will be at ease knowing that their personal data, such as bank accounts, non-business emails and texts (in short, all private information that no monitoring mechanism needs to access), is out of bounds for the organization as well.
7. An action plan in place for data breach
It is important to identify the places where the chances of a data breach are high and to focus on securing those areas. While steps to protect data are a must for any organization, they serve to reduce the risk of losing sensitive data rather than eliminate it completely. Hence, it is always better to be prepared for the loss or theft of data. The first point of contact when a data breach is detected, the configuration changes that will kick in immediately to prevent further loss of data, the investigative activities needed to identify the person or device responsible, and other such factors have to be put in place to deal efficiently with such an event.
8. Keep pace with technological advances
Technology is changing at the speed of light, and every organization should keep its IT systems, device monitoring and auditing tools updated to suit the latest scenario. Regular revision of data protection policies goes hand in hand with system changes. When such processes are up to date, they complement each other and help organizations keep their sensitive data secure more efficiently.
9. Practice what you preach
IT systems have to comply not only with a variety of external regulations such as Sarbanes-Oxley, HIPAA, PCI and so on, but also with company security policies and internal audits. Whether the checks are surprise or routine ones, ensuring that systems and processes are secure and in compliance with external and internal policies at all times is always beneficial. Any deviations must be recorded and attended to in a timely manner. This reduces the chances of data breaches to a large extent.
10. Win-win situation for the Management and the workforce
Putting mechanisms in place for BYOD policies does require considerable planning and proper execution from start to end. However, at the end of it all, when all systems are in force, management is satisfied knowing that company data is as safe as possible, and employees are assured that they can exercise their choices as much as their responsibilities at the workplace.
BYOD is certainly a game-changer in data security policies for almost every company. A well-planned balance between freedom and safety measures will help create a working environment that is secure as well as flexible to work in.
By Susan Mehta, Infosec Institute