News of massive hacking attacks that expose sensitive company data and compromise customer account information has businesses of all sizes taking a closer look at their data security practices. The issue takes on even more importance in the “Bring Your Own Device” (BYOD) era, which requires a framework of policies, operations and technologies to ensure that BYOD fulfills its promise of greater productivity instead of just expanding vulnerability.
Like it or not, infosec and IT professionals are no longer fully in charge – employees are because they have access to more powerful technology assets than the company can provide, and they are already using their devices on the job. It’s up to companies to create a BYOD program that manages these resources efficiently and effectively. Here are some tips that company IT managers can use to secure data on employee devices:
1. Be proactive about your mobile policy. BYOD is happening whether you take steps to control it or not. If you don’t have a mobile policy, write one, and if your company lacks a robust mobile policy, rewrite it to strengthen it. It’s also important to educate employees so they know the rules. Develop FAQs and make them accessible to keep everyone informed.
2. Segment your security protocols to reflect the actual risks. If your company has 500 employees but only 20 have access to sensitive information, don’t subject everyone to the same strict protocols, such as a five-minute password timeout. Recognize that levels of risk vary among employee groups and establish security levels accordingly.
3. Protect security by limiting app store access for Android devices. Android apps have a reputation for being less secure than iOS apps, but the truth is that apps available on Google Play the Amazon App Store are usually safe. The malicious software threat comes from third party apps stores, which number over 100, so limit access judiciously.
4. Be wary of adware. With app store protections in place, the big worry isn’t malware – it’s adware installed on free apps that don’t show ads. Many generate revenue by accessing and selling calendar and contact information. Users are warned up front, but virtually no one reads the terms. An app reputation scanner like Appthority can provide a heads-up.
5. Be careful with Virtual Private Networks (VPNs) and protect the WLAN environment. Traditional VPNs can allow malicious apps to access internal data, so a per-app VPN is a much safer approach. It’s also a good idea to deploy a Secure Enterprise Access Control (SEAC) solution so employees can’t bring a jail-broken iPad to work and bypass controls.
6. Don’t require complex passwords on mobile devices. Since mobile passwords are local, the risk isn’t as great – thieves would need to physically control the device to hack it in most cases. Protect access to company data stored inside the organization with complex passwords, but allow employees to use simple passwords on their devices. If you don’t, they’ll write them down – or worse yet, use the same password for multiple sites.
7. Find an effective Enterprise Mobile Management (EMM) solution. With the right EMM solution, IT can identify jail-broken or rooted devices, remotely wipe corporate data while maintaining personal data, ensure email attachments are opened and stored only in trusted applications, prevent ActiveSync connections and much more.
Some IT professionals are still trying to come to terms with the loss of control that widespread adoption of BYOD represents, but the sooner they face reality, the better. The truth is that maintaining the proper balance between security and usability has always been a challenge.
Given the proliferation of devices and increasing sophistication of the threats to enterprise data, the best strategy is to embrace the reality of BYOD and find compromises that work for your company as you seek the right balance between security and usability. These seven strategies, techniques and technologies can help you keep company data more secure.
