Many organizations now take advantage
of BYOD (Bring Your Own Device), as employees look to use the technology
they already own at home for work. A recent study from vaoConsult
found that 90% of enterprises have employees
who use their mobile devices for corporate applications. Small businesses don’t typically have the
luxury of an IT staff to tailor network and server security to all of the individual
devices workers want to bring in, so you’ll need to consider the risks before
allowing such devices to access your small business data. We’ll detail some of
those risks here.
New Security Holes
Sure, it’s great that employees want to
maximize their productivity, and with BYOD, that extra productivity can come
from using a notebook, Ultrabook, tablet, or smartphone with which they’re
familiar. But how secure are the devices they plan on using to access your
network? For example, have they installed security software, as you would
normally with any technology provided by the company? A recent Trend Micro study found
that smartphone and tablet platforms will suffer more cybercriminal attacks in
the future, and security vulnerabilities can be found even in legitimate mobile
apps.
If they do have security software installed, does it automatically
update? Does it have the security features, such as anti-phishing tools,
normally provided in the security apps you use? If the employee doesn’t know to
(or won’t) install extra software, the device could be a potential risk for leaking data and secrets to hackers, because
it’s more open to viruses and spyware. One possible (but potentially expensive)
solution is to agree to pay for, and install on employees’ devices, security
software that meets your business requirements.
Another problem relates to
how the devices will access your server. If the device is lost or stolen and
it’s set up to automatically enter a username and password, a thief can use it to
discover company secrets or access the network. Therefore, most experts
recommend that you require two-factor authentication, such as a username and
password—plus a randomly generated code (generally sent as a text to their
mobile phone or via email), PIN, or fingerprint verification. The new
holes in the device’s security could mean more trouble than convenience, if the
worst happens.
What Can They Access?
You want employees to be able to use their
technology effectively while on the road or at home, but
even at the office you may need to limit their access.
Even with adequate security software, a criminal in possession of a lost or stolen device can crack
your network if given enough time. A recent study from Inc., an online publisher, indicates that the biggest threat to a company’s business data is the company’s
own employees, mainly due to stolen and insufficiently secured devices.
Smartphones are one of the most popular devices employees tend to bring in for both work and personal use. BYOD policies can help employees to understand how they should be using their personal devices for work.
With a
work-provided device, you’ll typically have a utility that allows you to
remotely wipe it, so you know that thieves won’t be able to use any of the
network information stored in the device to reach your corporate data. Blocking off confidential data is also
a good idea, because it prevents employees from copying it to their personal devices, where it would be even easier for a thief to
find if the device is stolen. The Trend Micro Threat Research Team also found
that hackers are using highly targeted attacks, known
as campaigns, to reach your network via a
series of attempts and methods. With each successful attempt, they gain another
piece of information that will help them to get into your network. Thus, you’ll
need to ensure that any company data available on an employee’s mobile device
is secured in some way.
Personal Vs. Work
BYOD also presents a challenge for
businesses that need a way to keep personal and work data (and
apps) separate, a concern for businesses that
must follow stringent compliance rules, such as HIPAA
or PCI/DSS. This can be accomplished with
specially designed applications called MDM (Mobile Device Management) tools, which provide an extra
level of security for work-sanctioned devices. However, the expense of MDM utilities can be prohibitive
for small businesses. If this is the case, you may need to rely on employee education. For example,
you should tell employees that they shouldn’t trust an email with links or attachments they don’t recognize—and sometimes those they do
recognize—even in their personal email.
This way, the non-work
apps on the employee’s device will be less likely to introduce security issues for the
business. Other key education points include the risks of connecting to
public Wi-Fi networks and of writing passwords on notepads or sticky notes that
are carried with you or stored on your desk. An “accepted use” policy will help
workers to know what’s expected of them as far as BYOD. (For example, can the
employee use online file storage services with work data?) Proactively outline and anticipate the challenges
workers may face, and include repercussions for not adhering to the provided
policies.