Device management used to be simple for IT professionals. When a new hire arrived, you ordered a Blackberry (or possibly an iPhone or Android, though Blackberry’s mobile device management ecosystem was superb), provisioned it, configured the account and applied the security settings the role required. Everything ran on one carrier, which handled support and replacements; the company footed the bill, and because the company owned the device you could set usage rules that employees accepted as a condition of use.
Then along came the BYOD (Bring Your Own Device) movement, which brought real cost savings, user flexibility and a wider range of device choices. It also made life tougher for IT pros: more support headaches and more security concerns. The security requirements themselves don’t change, regardless of who owns the device or what operating system it runs.
With that in mind, here are ten tips for reducing the insider threats that come with BYOD:
1. Know when to say no
Some companies simply aren’t a good fit for BYOD. If the security risks are too high or the regulatory compliance requirements too restrictive, the old-school method of issuing standard, company-owned devices on the company dime will have to stay.
If BYOD is banned, say so loudly and clearly. This also means you need a way to permit only known, approved devices to access your networks or services, and staff assigned to enforce it.
2. Have a BYOD policy
If you do decide to permit BYOD, a written BYOD policy establishes common standards for how personal devices are used for company business.
Formulate the policy to cover the specifics: which devices can be used and under which conditions; which employees are (or are not) eligible for BYOD; what kind of information may be accessed and stored; what stipulations apply to permitted devices; whether employees are eligible for reimbursement for BYOD usage; and so on. Using the policy as the framework for operations streamlines your BYOD environment and sets expectations on all sides.
3. Identify responsibilities up front
There are two sets of responsibilities when it comes to BYOD: those of IT staff and those of the users.
Establish who will support the devices (IT staff, the employee’s carrier, or a hybrid of both), what the support hours will be, how assistance will be provided (in person or remotely), who is in charge of updates, and the other factors involved in device administration and management.
Similarly, document the user responsibilities: what they can or cannot do with their BYOD device (such as not lending it to non-employees), which apps they may use to reach company networks or services, how to report a lost or stolen device, and what happens when the device is decommissioned.
Stress that employees must follow all security requirements, and make it known that the IT department has the right to inspect devices to verify that those requirements are met.
4. Consider segmented services or networks
BYOD access doesn’t have to be an all-or-nothing proposition. It may be too risky to permit BYOD access to sensitive systems such as file shares, yet perfectly fine to allow connections to an internal wiki. You can set up dedicated VPN networks for BYOD, for instance, and permit only the desired traffic through to internal resources. If you use a cloud provider, check whether policies and access roles can be applied per user or per device.
Using entirely separate networks for BYOD devices is another option. For instance, my organization permits guest internet access via a secured Wi-Fi network so personally owned devices can connect to the internet. This is a dedicated subnet with no access to any internal networks or resources, and thus poses a low security risk.
5. Use Mobile Device Management
Mobile device management (MDM) provides a centralized way to control BYOD by defining standard controls and settings that can be applied granularly. You can specify which devices or users may connect, allow or block particular apps, and even restrict functions such as microSD card or camera use.
Blackberry still offers an Enterprise Mobility Management solution, and other examples include Soti MobiControl, AirWatch and IBM Maas360. All support the most common device operating systems, let users register their own devices, can lock or erase devices remotely, and provide other features such as the security settings described in the next tip. Basic MDM functions are also built into email products such as Microsoft Exchange 2010 (through Exchange ActiveSync mailbox policies) and Google G Suite (formerly Google Apps), which can enforce a core set of device settings.
6. Mandate standard security settings
Whether or not you use an MDM solution, certain security settings should be applied to all BYOD devices, either from a central management point or by configuring each device directly. These include:
- Requiring a password, PIN or biometric to unlock the device
- Automatically wiping the device after too many failed unlock attempts
- Displaying a custom message on the lock screen, such as “If found, please call this number”
- Using encryption, especially for removable storage cards
- Using anti-malware protection
- Identifying which apps must not be installed or may pose a threat (apps from unknown sources, for instance)
7. Mandate application/operating system updates
Vulnerabilities in applications and operating systems can be exploited by malware or attackers to steal confidential information or to harness devices for other purposes, such as denial-of-service attacks against other systems.
For this reason, updates should be installed as soon as they become available. Ensure devices are set to check for and install updates automatically. If you use an MDM solution, you can control when updates are applied, for example when devices connect to the network or at a scheduled time.
8. Educate users
User education is about more than knowing their responsibilities. Inform users of current security threats and mitigation steps, how to locate a lost device (both Apple and Android offer a “find my phone” service), and best practices for device usage, especially for the company-owned or supported apps they will use to conduct business.
9. Have a security incident plan
Identify in advance how you will handle BYOD security incidents such as malware, stolen devices, data breaches, extortion attempts and other scenarios. Stress to users that they should bring their devices to the IT department if they believe they’ve been compromised, and promote a culture of cooperation and trust rather than threats and punishment.
One primary element of effective incident response is ensuring that no critical company data exists only on a BYOD device. Use file synchronization (such as a corporate Dropbox or Box account) so that a lost or stolen device, or an extortion attempt, has minimal impact.
10. Use monitoring
Use monitoring (and alerting, where possible) to administer your BYOD environment effectively. MDM solutions are especially good at this: you can review device usage statistics, connections, operating system versions and other details useful to your efforts.
For instance, devices that have not connected to the company network in six months may be obsolete and can be removed. iPhones running older, less secure operating systems can be identified and plans made for remediation. Unknown devices connecting to your networks or resources can page system administrators to assess whether a security breach is underway.
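As an added example (not code from the original article or from any MDM product), the following Python script runs the three monitoring checks just described (stale devices, outdated operating systems, unknown devices) together with the tip 6 settings (unlock passcode, wipe after failed unlocks, encryption, apps from unknown sources) over an MDM inventory export. The field names, thresholds (180 days of silence, iOS 10 and Android 6 as minimums, wipe at 10 failed attempts), the approved-device list and the sample rows are all assumptions constructed for illustration; a real run would load the export from your MDM’s reporting interface instead of the inline list.

```python
"""BYOD inventory hygiene and compliance report.

Added example, not code from the original article or from any MDM vendor.
It assumes an MDM export already flattened into per-device records with the
field names below; the sample rows, thresholds and approved-device list are
constructed for illustration.
"""
import re
from datetime import date, datetime

# Date the report is run for (assumed; a real run would use date.today()).
REPORT_DATE = date(2017, 2, 24)

# Tunables (assumptions): 180 days of silence = obsolete; minimum OS per
# platform; wipe must trigger at or before this many failed unlock attempts.
STALE_DAYS = 180
MIN_OS = {"iOS": (10, 0), "Android": (6, 0)}
MAX_FAILED_ATTEMPTS = 10

# Devices the MDM knows about (assumed enrollment list).
APPROVED_IDS = {"dev-001", "dev-002", "dev-003"}

# Constructed sample inventory (not real devices or people).
INVENTORY = [
    {"id": "dev-001", "user": "alice", "platform": "iOS", "os_version": "10.2.1",
     "last_seen": "2017-02-20", "passcode": True, "encrypted": True,
     "wipe_after_failures": 10, "unknown_sources": False},
    {"id": "dev-002", "user": "bob", "platform": "Android", "os_version": "5.1.1",
     "last_seen": "2016-07-01", "passcode": True, "encrypted": False,
     "wipe_after_failures": None, "unknown_sources": True},
    {"id": "dev-003", "user": "carol", "platform": "iOS", "os_version": "9.3.5 (13G36)",
     "last_seen": "2017-02-23", "passcode": False, "encrypted": True,
     "wipe_after_failures": 10, "unknown_sources": False},
    {"id": "dev-004", "user": "dave", "platform": "iOS", "os_version": "10.2.1",
     "last_seen": "2017-02-24", "passcode": True, "encrypted": True,
     "wipe_after_failures": 10, "unknown_sources": False},
]


def parse_version(text):
    """'9.3.5 (13G36)' -> (9, 3, 5); a build identifier in parentheses is ignored."""
    head = text.split("(")[0]
    return tuple(int(n) for n in re.findall(r"\d+", head))


def version_below(text, minimum):
    """Numeric comparison, padding the shorter tuple so '10.2.1' vs (10, 0) works."""
    parsed = parse_version(text)
    width = max(len(parsed), len(minimum))

    def pad(t):
        return tuple(t) + (0,) * (width - len(t))

    return pad(parsed) < pad(minimum)


def check_device(dev, today=REPORT_DATE, approved=APPROVED_IDS):
    """Return the list of findings for one device (an empty list means compliant)."""
    findings = []
    if dev["id"] not in approved:
        findings.append("unknown-device")          # page an administrator
    last_seen = datetime.strptime(dev["last_seen"], "%Y-%m-%d").date()
    if (today - last_seen).days > STALE_DAYS:
        findings.append("stale")                   # candidate for removal
    minimum = MIN_OS.get(dev["platform"])
    if minimum and version_below(dev["os_version"], minimum):
        findings.append("outdated-os")             # schedule remediation
    # Tip 6 settings, as reported by the device to the MDM.
    if not dev["passcode"]:
        findings.append("no-passcode")
    if not dev["encrypted"]:
        findings.append("not-encrypted")
    wipe = dev["wipe_after_failures"]
    if wipe is None or wipe > MAX_FAILED_ATTEMPTS:
        findings.append("no-wipe-on-failed-unlocks")
    if dev["unknown_sources"]:
        findings.append("unknown-sources-enabled")
    return findings


def report(inventory=INVENTORY, today=REPORT_DATE, approved=APPROVED_IDS):
    """Map device id -> findings for every device in the export."""
    return {dev["id"]: check_device(dev, today, approved) for dev in inventory}


def needs_page(findings):
    """Only an unrecognised device should wake someone up; the rest is queued work."""
    return "unknown-device" in findings


if __name__ == "__main__":
    for dev_id, findings in report().items():
        status = "OK" if not findings else ", ".join(findings)
        flag = "  <-- PAGE" if needs_page(findings) else ""
        print(f"{dev_id}: {status}{flag}")
```

The version check tolerates the build suffix some MDMs append to the OS string, and the wipe threshold treats “not configured” the same as “too lenient”, since from the attacker’s point of view both mean unlimited guesses. Separating `needs_page` from the findings keeps paging for the one condition that may indicate an intrusion in progress (an unenrolled device on the network) while stale and out-of-date devices land on a remediation list instead.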
The data that proper monitoring provides can make the difference between a successful BYOD implementation and a bug-ridden security nightmare.
Source: SANS ISC SecNewsFeed @ February 24, 2017 at 08:12AM