“Bring Your Own Device” Opportunities & Risks

By Danielle Johnson, Director of IT, InsurBanc

The consumerization of IT revolution — sparked by the iPhone — has shifted the IT culture so that the users are the ones getting the latest, cutting edge technologies first, and they want to bring those devices to work.

— PC World Magazine, Dec. 20, 2011, Tom Bradley

“Pros and Cons of Bringing Your Own Device to Work”

What Is BYOD?

Many workers today expect the companies they work for to allow them to use their personal mobile devices and personal computers at the office, and/or to provide remote connectivity to the office via personal devices. Technologists dub this trend “BYOD” (bring your own device).

Why is BYOD Important?

Mobile devices —along with their applications and on-the-go Internet access —provide attractive options for speed, connectivity and productivity. Many people wouldn’t think of spending their workday without a Blackberry, iPhone, Android, iPad or other device to access company systems and data. Most important, senior managers want to use these devices and are using their organization’s technology more because of them.

Many employees see their own personal devices as superior to those provided by their employers. Employees also tend to believe they are more productive if allowed to use their own devices for work and data syncing between office and home.

Thus, BYOD is significant because employee-owned devices are now accessing company systems and being used for work purposes presenting security and privacy concerns to the employer.

Employers see the inherent value in a more mobile, more connected and more productive workforce. Many employees and managers have no problem connecting and addressing work issues after hours and/or on the weekends. It can be considered a motivational strategy.

What Are the Security Risks?

BYOD mobility offers access to enterprise data, systems and corporate email. Employees can store and process data and connect to networks.

While BYOD may be considered necessary and convenient, this type of connectivity can raise significant data security and privacy concerns which lead to potential legal and liability risks.

Consider:

1. The device gets lost or stolen with access to company data and systems.
2. The device contracts a virus or has malware installed that can obtain company logins and data from that device.
3. The personal device user —however good his/her intentions are —can in effect be circumventing company security standards.
4. The company cannot control the use of the personal device should the employee allow children or friends to use the device.
5. The employee may use the device to place files in personal applications in the cloud which may not be secure.
6. The employee plugs a mobile device into the USB port of his or her office computer thereby transmitting a virus to the office desktop.

Here are some facts to consider when trying to balance personal device access with security:

Employees don’t perceive the risk. Many employees perceive the use of their own devices at work as placing no extra burden on technical support. But dealing with any data or system security issue requires know-how and technical resources.

Executives perceive the risk, but aren’t fully ready. In August of 2011, a Deloitte webcast poll of more than 1,000 U.S. information technology and business executives found that 28 percent of respondents believe there are unauthorized personal digital assistants (PDAs) and/or tablets connecting to company systems, especially to email servers. About 87 percent of respondents think their systems are at risk for a cyber attack originating from a mobile security lapse, the poll reported.

The same poll found 40 percent of respondents are unaware of whether their organizations have strategies or controls to enforce mobile security. Further, it found that only 24 percent of respondents believe that “all devices connecting to my intranet are authorized.” Only 17 percent reported that they monitor for rogue connections.

Malware is on the move. Malware that targets mobile devices is increasing, reported IBM Security Solutions researchers in a fall 2011 whitepaper. Citing an IBM security research report, the whitepaper presented statistics showing that mobile operating systems vulnerabilities tripled from 60 to a projected 180+ from 2009 to 2011.

Enterprise systems and mobile systems are catching up with each other. While many corporations have for years allowed Blackberry-based access to email and other company systems, users are now demanding that iPhone/Android-based smartphones and tablet computers be provided access to these same services.

How do you proceed once BYOD is determined necessary?

Since there are risks to the mingling of personal devices and work systems, companies must take the lead in assessing and managing the risks so as to safeguard their systems and data. Some simple steps include:

1. Institute a strong written BYOD Policy that is consistent with the organization’s Employee Handbook policies such as the IT Policy and Acceptable Use Policy.
2. Determine which data to protect.
3. Define what devices will be supported.
4. Determine which employees need remote access via personal devices. Do not open BYOD participation beyond those employees that have a strong business reason for mobile access.
5. Define security requirements.
6. Train and educate employees concerning policy and BYOD use.
7. Monitor employee mobile devices for compliance with your organization’s policy.
8. Secure employee’s authorization to “wipe” the employee’s mobile device remotely (restore to the original factory state), as a condition of giving access to any of the business’s systems.
9. Place controls over access to and use of the company’s wireless internet.For example:do not broadcast your wireless SSID, restrict access to employees only using MAC address filtering in the router and invoke WPA 2 on the router.

Security Solutions

If an enterprise is allowing employees to use their own mobile devices, the following security measures should be implemented.

1. Require strong phone startup PIN which is at least 6 – 8 characters long. If not supported, use the maximum allowed. Reduce the PIN required timeout setting to no longer than 10 minutes.
2. Require specified encryption and anti-malware software on each device.
3. Require and install mobile tracking software/applications which allow online access to track the location of a lost/stolen phone and the ability to perform a lock/scream and/or remote data wipe. Secure employee’s authorization to take these actions on the device if the device is misplaced, lost or stolen, as a condition to giving the employee access to the business’s systems and data.
4. Do not allow “broken”/”rooted”/“jailbroken” devices on your network. These phones have removed limitations installed on the phone by the carrier allowing the user to run apps and files not approved by carriers. This process opens the device up to security risks.
5. Large enterprises monitoring multiple devices and platforms should consider Mobile Device Management (MDM) software. MDM software centrally controls and protects the data and configuration settings for all mobile devices in the network. MDM can also provide a secure document delivery platform and end to end data transmission encryption.

The opportunities of BYOD are present —and here to stay. As an analogy, home security is more complex for a bigger house with more entrances and windows. So too is systems security more complicated as smartphones and other remote devices present new entry points to be analyzed and protected.

All of the security tips presented here are simply guidelines to aid agencies in diminishing security and privacy risks and managing them. However, none can be guaranteed 100% effective.

Danielle Johnson is the VP, Director of Information Technology at InsurBanc, which IIABA and the W.R. Berkley Corporation established to assist independent agencies with their specific banking needs. This article reflects the views of the author and should not be construed as an official statement by ACT.