Bring Your Own Risk with BYOD
April 1, 2016
Claire Meyer
KEYWORDS Bring Your Own Device (BYOD) / mobile device management / NIST cyber security framework / smartphone security

In the age of the anywhere, anytime workplace, establishing boundaries for BYOD programs gets complicated.

As workforces become increasingly mobile and reachable through smartphones, tablets and laptops, the enterprise becomes increasingly exposed to data loss, whether through employees losing devices or through compromised cybersecurity.

The more successful BYOD implementations are often those driven by business goals (increasing workforce size or productivity) rather than mere convenience, and as such, BYOD policies should be built by multiple departments, such as IT, HR, security and legal, to ensure that the policy remains aligned with the enterprise’s success.

The program also needs to meet the needs of employees, not just IT personnel’s preferences. Otherwise, they may evade the cumbersome safeguards put in place to protect the company’s data in order to be more productive and streamline their own user experience.

“BYOD: an emerging market trend in more ways than one,” a study from Ovum, sponsored by Logicalis, shows that 79 percent of employees in high-growth markets believe the constant connectivity associated with BYOD enables them to do their jobs better. However, these benefits to the enterprise may come with higher risk, as 17.7 percent of survey respondents who bring their own devices to work claim that their employer’s IT department has no idea about this behavior, and 28.4 percent of IT departments actively ignore BYOD behavior.

There are a variety of enterprise mobility management (EMM) solutions to help enable safer BYOD programs, including virtual environments, data classification, virtual container approaches, device integrity scanning solutions, stronger encryption or authentication programs, but enterprises need to bring multiple stakeholders to the table to confront the risks associated with user-owned device use.

Putting policies in place to manage BYOD risks is also a global challenge, as the Ovum study shows. Only 20.1 percent of companies surveyed had signed a policy governing BYOD behavior. U.S. companies are doing better than many in this field, but companies without BYOD strategies still outnumber those with signed policies.

According to the NIST report “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” there are three common security objectives for mobile devices: confidentiality (ensuring that transmitted and stored data cannot be read by unauthorized parties), integrity (detecting intentional or unintentional changes to transmitted and stored data) and availability (ensuring that users can access resources using mobile devices whenever needed). BYOD programs support the last of these, but the first two create hurdles to a successful BYOD program.

Security connected with Murugiah Souppaya, a computer scientist with NIST, and Karen Scarfone of Scarfone Cybersecurity, the co-authors of NIST Special Publication 800-124 on managing mobile device security for the enterprise, to discuss what to look for in a successful BYOD program and what risks face organizations that do not do their due diligence in mobile device management.


Security: How could centralized mobile device management be applied to a bring your own device (BYOD) program in an enterprise?

Souppaya and Scarfone: The enterprise can use enterprise mobility management (EMM) solutions to manage the risk of allowing employees to use their personal devices to access enterprise services and data. These solutions, such as mobile device management (MDM) and mobile application management (MAM), provide an environment that isolates the enterprise applications and data from the rest of the device. Strong authentication can be required to access the enterprise environment, which is also encrypted to protect the organization’s sensitive data and applications, and to minimize data leakage from those applications to other applications and services running on the device. In the event the device is lost or the employee leaves the organization, the protected environment can be remotely wiped to remove the enterprise data.

What are pitfalls that enterprise information security personnel should be mindful of?

Although EMM solutions can be very helpful in safeguarding BYOD devices and the data they contain, no security control can provide complete protection. Some of the potential issues with allowing BYOD usage include:

  • Loss of control and visibility of the enterprise data which is being transmitted, stored, and processed on a personal device;
  • Potential data leakage or disclosure of enterprise data on a device;
  • Physical loss or theft of the device; and
  • Devices with compromised integrity, such as smartphones that have been rooted or jailbroken by their owners.


How has the risk landscape changed for mobile devices in the past five years? How does this impact enterprises?

As mobile devices have gained functional capabilities that allow enterprise users to do their work without resorting to their traditional desktops and laptops, which are often tethered to a dedicated network, the attack surface of the mobile devices has increased greatly. The additional features give attackers many more paths for attack, such as introducing untrusted mobile applications that may be vulnerable or malicious. Also, attackers are targeting more mobile devices because they are “personal” and often contain personally identifiable information about the user.

Mobile devices improve quality of life by allowing users to be more productive and efficient since they can work anytime and anywhere. To support these usage scenarios, the enterprise enables the users to have access to the enterprise services and data from devices that are outside the boundary of the trusted enterprise network. In addition, some of these services are being migrated to public clouds to provide greater availability and facilitate integration with other shared services. As a result, the use of mobile devices is challenging the traditional enterprise computing model.


Which enterprise stakeholders should be involved in crafting a mobile device security policy?

Business owners, the enterprise IT team, and enterprise security professionals should all work together to develop a mobile device security policy that will enable the organization to meet its business requirements. Ideally the policy will balance the need to be innovative, competitive, and efficient with the need to manage risks and implement security countermeasures in order to enable the business units to meet their goals and objectives.


How should a mobile device security policy be changed or expanded when a BYOD program is in place?

With the introduction of BYOD, the policy should take into account that the enterprise does not own the mobile devices that are being used to access the enterprise services and data. Traditional processes and procedures applied to enterprise-owned devices have to be customized or even replaced altogether to help the organization minimize its risk in allowing use of “personal” devices. Organizations usually have to implement additional security countermeasures to support the BYOD usage scenario.


Ideally, what security measures can and should the enterprise require for employee-owned devices used for business purposes?

Devices should have a hardware root of trust to protect the organization’s sensitive device, application and user private keys. Enterprises should have:

  • A sound registration and provisioning process for employee-owned devices before access to enterprise resources is allowed;
  • A mechanism for assessing the integrity of a device, especially detecting if the device has been compromised at the platform level (e.g., rooted, jailbroken), which would defeat the built-in security protections that are provided by the platform manufacturers;
  • A capability to isolate and protect the enterprise applications and data from the rest of the device environment;
  • Enforcement of strong authentication mechanisms leveraging the hardware root of trust before the user can access enterprise applications and data from a personal device;
  • Protection of the confidentiality and integrity of communications between the mobile device and enterprise services;
  • The ability to know who, when, what, where and how the enterprise data and services are accessed; and
  • The ability to remotely wipe the protected environment for a lost device or potentially locate the lost device.


How can enterprises maintain oversight into what devices employees are using for data, and whether or not these devices are up to date on patches and operating systems?

As part of the registration/provisioning process for the BYOD devices, an organization may be able to track the mobile devices as part of its device inventory. This gives the organization visibility into the devices and can allow the organization to determine the current state of the devices in terms of patch and firmware levels when the user connects to the enterprise data and services. Since the enterprise does not own these devices, it may not be able to force them to be updated, but it can prevent devices that do not meet its security requirements from accessing the enterprise’s resources until the user takes some corrective action, such as updating the firmware to a version that is not vulnerable.
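As an added example (not code from the article or from NIST SP 800-124), the following Python sketches the access gate that the requirements list and the patch-level answer above describe: a personal device is evaluated against registration, platform-integrity, isolation and minimum-OS checks before it reaches enterprise resources, and each decision yields a who/when/what/where/how audit record. The Device fields, the MIN_OS policy values and the sample device records are constructed assumptions, not any EMM product's schema.

```python
"""BYOD compliance gate (added example; constructed data, hypothetical schema)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str          # "android" or "ios"
    os_version: str        # reported by the device at connect time, e.g. "13.0.1"
    rooted: bool           # result of the platform-integrity assessment
    registered: bool       # completed the registration/provisioning process
    work_container: bool   # enterprise apps/data isolated from the personal side


# Hypothetical policy: lowest acceptable OS version per platform (constructed).
MIN_OS = {"android": "13.0.0", "ios": "16.4.0"}


def version_tuple(v: str) -> tuple:
    """Turn "13.0.1" into (13, 0, 1), padding short strings so "13" == "13.0.0".
    Comparing tuples avoids the classic string-comparison bug ("9" > "13")."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def evaluate(device: Device) -> dict:
    """Allow only if every control passes; return all failures so the user can
    be told which corrective action (update, re-enroll, un-root) is needed."""
    reasons = []
    if not device.registered:
        reasons.append("device not registered/provisioned")
    if device.rooted:
        reasons.append("platform integrity compromised (rooted/jailbroken)")
    if not device.work_container:
        reasons.append("enterprise data not isolated in managed container")
    minimum = MIN_OS.get(device.platform)
    if minimum is None:
        reasons.append(f"unsupported platform {device.platform!r}")
    elif version_tuple(device.os_version) < version_tuple(minimum):
        reasons.append(f"OS {device.os_version} below minimum {minimum}")
    return {"allow": not reasons, "reasons": reasons}


def audit_record(device: Device, resource: str, src_ip: str, decision: dict) -> dict:
    """Who/when/what/where/how record, written for denied and allowed attempts alike."""
    return {
        "who": device.owner,
        "when": datetime.now(timezone.utc).isoformat(),
        "what": resource,
        "where": src_ip,
        "how": f"{device.platform} {device.device_id}",
        "allowed": decision["allow"],
        "reasons": decision["reasons"],
    }
```

A device that fails only the OS check is denied with a single actionable reason, while a rooted device without a work container accumulates both failures in one decision.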


If an enterprise neglects to put proper mobile security policies in place, what sort of risks do they run? Can you give me an example of a likely scenario?

  • Sensitive enterprise data, such as personally identifiable information and proprietary intellectual property, could be stored or transmitted without adequate protection, allowing the data to be leaked to third parties.
  • Compromised devices and user credentials could be used as an entry point into an enterprise network or a pivot point within an enterprise as part of a larger attack seeking access to high-value enterprise assets.
  • A device that is compromised and taken over by the attacker could be used to impersonate the user, get the user’s personal information, take over the user’s accounts via password reset mechanisms, monitor user activities on the device including location/voice/video, change critical data such as a bank account number during a financial transaction, attack other devices, destroy the personal data on the device such as photos/videos/address books, exhaust resources such as battery, or render the device and associated data unusable.


Which types of enterprise or industries would require stronger device security and added security services?

Industries that allow their sensitive and critical data either to be stored or processed on the devices, or to be accessed on the enterprise network from the device to perform high-impact transactions, require additional security protections and services. These security capabilities are driven by the threat landscape and compliance requirements (e.g., HIPAA, FISMA, PCI, NERC/CIP) if the industries are regulated. For example, the business process disruptions, fines and loss of reputation impact the way the enterprise achieves its business objectives. Understanding the criticality of the data and associated impact and applying a business risk management process help the organization determine the type of security capabilities that are adequate to protect the enterprise’s applications and data on BYOD devices.

Claire Meyer is a former Managing Editor for Security magazine.