BYOD Security Dilemma
by Robert Mullins
The Information Security Forum released a report titled 'Threat Horizon 2014' that looks at the continued global threat to computer networks, businesses and individuals from cybercrime.
One section of the report also looks at 'Internal Threats', which at first glance would seem like another discussion about malicious insiders who attack the network because they're disgruntled. In fact, the Internal Threats identified in this report are from new technology that comes into an organization, sometimes presenting security issues its advocates weren't aware of. A case in point is BYOD.
BYOD, also known as Bring Your Own Disaster, is the situation where employees are allowed to 'bring your own device' to work and IT allows it to access the corporate network. But companies need to balance acceptance of consumer-built smartphones and tablets with control of those devices to protect their networks. “Organizations are unlikely to slow their adoption of new technology,” the report states, “[But] along with business benefits come potential vulnerabilities and methods for attack.”
The report looks at a variety of new technologies, including cloud computing, that can create new internal threats to an organization. BYOD is certainly one of them.
Consumer devices were never intended to be highly secure. The Google Android applications marketplace, Android Market, is a case in point. Google had to add new security controls in February after reports that a high number of applications there turned out to be instruments for delivery of malware to the device.
The Android apps market serves as Route 1 for any cybercriminal or hacker.
Unless you've thought through your BYOD strategy, unless you've put in place some real good governance around it and you get your users to sign up to acceptable use policies, there's very little you can do to enforce some of these things.
The management consulting firm Janco Associates recently published a report suggesting a 'BYOD Policy Template' that organizations should consider in order to welcome BYOD into the workplace, but not at the expense of security.
A summary of the report lists several questions IT should ask when formulating its policy:
- How do you comply with regulations on records retention and destruction in a BYOD environment?
- How should a device be configured to receive and transmit corporate data?
- What happens to data and its audit trail when an employee leaves the company?
- What type of passwords should be used?
- What kind of encryption standard should be required?
There are security tools out on the market that address some of these concerns, such as the capability to connect a smartphone to the corporate network using virtual private network (VPN) technology.