Reducing Risk: How to Make BYOD Safer
Day in, day out, IT professionals work at getting data security to catch up to the speed of business, or at least reduce the gap as much as possible. The trials and tribulations they face in dealing with enterprise BYOD (Bring Your Own Device) security risks is a great example of this ongoing and ever-evolving field.
New threats, vulnerabilities and gaps in business processes are being discovered constantly that add layers of complexity, while new solutions are being proposed with almost the same breakneck frequency. There’s never a dull day in the world of security, especially when enterprise mobility architecture must also enable balanced BYOD programs that equip professionals with the tools necessary to respond, collaborate and produce at a more efficient clip.
But within the most ambitious of problems often lies the best solutions, and very valuable do’s and don’ts are emerging that all IT leaders can and should be implementing for their BYOD plans:
1. Minimize the amount of data on devices
The more mobile our workforce becomes and the greater the reliance on mobile app access, the need to focus security of corporate data away from devices is becoming clearer. Mobile security becomes more straight-forward when the most important asset needing protection – sensitive corporate data – is separated from the myriad of personally-owned devices and operating systems that connect to your network. Inherently the weakest link in security, smartphones and tablets require constant patching to deal with malicious attacks and vulnerabilities. Aside from the IT overhead demanded by device management, the level of security afforded from enterprise mobility management (EMM) tools exclusively has a ceiling, while mobile data seems to know no bounds. Virtualized enterprise mobility approaches have emerged which enable data management from a secured data center.
2. Reduce connections and protocols that connect to your network via devices
Remote access should be granted as much as possible using a secured and encrypted connection. Requiring users to connect via a VPN connection is an absolute must in order to permit secured connections between mobile devices and your corporate network. Using a VPN service ensures that you only have one gatekeeper verifying that all of the data being transferred from the device is encrypted and being sent to the appropriate recipient server. Anyone viewing your data in transit will see strings of unintelligible text.
3. Use advanced secure connection techniques
To verify data in-transit from mobile apps is secure make sure you are using the latest encryption standards. Modern cryptographic protocols such as TLS (Transport Layer Security) 1.2 have less vulnerabilities. Additionally some new techniques such as certificate or SSL pinning also reduce risks. Implementing these standards adds protection from man-in-the-middle (MITM) attacks. Certificate pinning lets you validate the certificate and confirm that the server requesting entry matches the hostname and has not been intercepted along the way. Many consumer apps regularly used by telecommuters don’t properly implement these techniques, so it’s important that IT does so to ensure a higher level of security.
4. Use One-Time Passwords (OTP)
In addition to phishing and MITM attacks, keyboard logging is another technique that is often used to record passwords and login credentials in order to penetrate a network. To guard against this, use unique and temporary passwords for each time a user logs into a session. Combine this with a smartphone passcode to reinforce authentication processes.
5. Don’t support rooted and jail-broken devices
This should be universal by now, but you’d be surprised how many organizations have still not nipped this issue in the bud. With all of the mobile malware and other vulnerabilities already faced by secured mobile devices, why would you even consider allowing compromised devices to have access to your enterprise data?
6. Incorporate BYOD security education into onboarding and employee communications
No matter how carefully you construct your BYOD policy, it will only be as successful as the engagement it receives from your employees. You drill codes of conduct and fire and safety procedures with new hires; the safety of your data is just as important. Incorporating employee education from the start of their journey with your company and keeping them updated on the importance of using security best practices is an investment that will pay off long-term. Taking them through your BYOD policy during on-boarding is a good start, but don’t just leave it at that. As new security risks and considerations emerge, arm pertinent department heads with practical takeaways they can share with users. Over time, you’ll see more of them actually being used, as well as an improvement in BYOD compliance.