Could your BYOD system be a threat to your business?

Originally published by Beta News.

Nowadays, practically everyone is connected to the Internet at home, in the office and on the move. This has introduced fantastic opportunities for businesses and employees to operate smarter. Bring Your Own Device (BYOD); the concept of allowing employees to work in the office or remotely using their own devices, rather than company owned, has been around for a while now and really makes the most of this ‘personal device era’. It’s convenient for employees to use their own devices, reduces burden on IT admin and saves Capex costs for the business. But, could BYOD end up being the company’s biggest threat?

Employees now have the opportunity to use their own personal devices for work purposes. The thought behind this is that employees are already familiar with their own devices and already have them on hand at all times. BYOD is generally a good thing, but it is not without its challenges and concerns. Like any new development, the risks need to be evaluated. But, in theory, team members will be more productive and happier at work with a BYOD scheme in place.

Some pressing concerns

The areas of highest concern within the enterprise are: data leakage and loss, unauthorized access to company data and systems, downloading unsafe apps or content and malware.

BYOD has been around for a while, however, there are no universal set of guidelines for employers and employees to work too. But there are some best practices that security experts recommend.

My personal view is that the most pressing concerns with BYOD are those of network and security stability. Keeping your company’s private and sensitive data secure is one of your IT department’s biggest responsibilities and BYOD adds a new dimension to this ongoing struggle. As the workforce becomes more reliant on mobile devices, the floodgates of data leakage and threats open up, resulting in an even greater reliance on the IT department to secure mobile devices.

According to the Crowd Research Partners BYOD & Mobile Security 2016 Spotlight Report, it finds that: 72 percent of respondents are concerned with data leakage and loss, 56 percent with unauthorized access to company data and systems, 52 percent with downloading unsafe apps or content by users and 52 percent with malware.

Mobile phones and tablets are the weakest link when it comes to security and are prone to attacks. They also require regular patch updates, with the responsibility for these falling on employees. That leaves the impetus on organizations to implement policies and procedures that help employees keep their devices secure.

With employees carrying their devices all of the time, this means that these devices also have access to their employer’s network and secure data — all the time. This means that a lost or stolen device is a potential threat. It also means that any malicious program hiding on a personal device now also has access to your company’s network and data. All it takes is one infected device to compromise the integrity of your network and data security. Through BYOD, CIOs can have less control over the mobile devices used in their organization, which ultimately means they are more vulnerable to attacks.

The Crowd Research Partners research also mentioned the threat of employees downloading mobile apps — this I agree with. Employees can use these apps to connect to external Wi-Fi spots without having the correct security protocols in place. This creates serious security holes that can be exploited by hackers.

Coupled with the fact that your employees might not have anti-virus protection or have an up to date firewall present on their mobile devices, means they are more vulnerable to attacks. To prevent viruses from spreading, it is important that there is a gatekeeper like a VPN, which grants access by verifying that the data being transferred from the mobile device to your IT network is encrypted and permitted.

What can you do?

You must create a strategy for BYOD with a business case and a goal statement. As technology continues to advance and change the way we live and work, building a smart, flexible mobile strategy will allow companies to explore innovative ways to empower their workforce and drive greater productivity.

In addition, you must secure devices and apps by implementing an MDM solution, or other container-focused management utilities that will greatly help your organization in managing and securing the devices. The policies on the devices or within managed containers should be defined by the risk assessment.

You can also complement end-user and administrative security with more extensive network safety: the creation of multiple virtual routing and forwarding (VRF) and virtual switching instance (VSI) environments on the same physical infrastructure allows separate virtual LAN (VLANs) for traffic segregation, i.e. trusted vs untrusted traffic. This way, a BYOD smartphone can be contained on a VRF for user-owned devices, and any malware that may intrude upon it can be kept from infecting the most trusted environment that’s reserved for corporate-issued systems.

Here are steps you can take to ensure that information security won’t be needlessly impaired by the use of employees’ devices:

  • Make sure users register their devices with your IT security professionals
  • Require employees use PINs, passwords or patterns for data access
  • Implement handset’s device-level encryption
  • Set company guidelines, user policies and provide training
  • Create enterprise-wide BYOD policies

Getting clever about BYOD

Making BYOD a success requires organizations to intelligently detect nefarious activity, like APTs, that enter the corporate environment courtesy of user-owned smartphones and tablets.  Network behavioral analysis and machine learning solutions that monitor network activity and adapt to changing threat conditions are a wise investment in supporting BYOD initiatives.

With data loss, unauthorized access and malware are just some of the concerns around BYOD, you must make sure all devices are registered, device-level encryption is installed and user policies are established. Educating employees on how to protect their devices and ensuring they are configured in line with security policies ensures that even the basic security precautions are adopted.

One thing is for sure: There’s no time to waste getting more done. Citing BYOD as a driver of innovation, as well as device and service cost savings, Gartner has predicted that by next year, half of all businesses will require workers to use a personal device for work.

In the News: The future of conflict is in cyberspace (The Sunday Times of London)

Quoted in the Sunday Times article The future of conflict is in cyberspace by Davey Winder:

The US Cyber Command response was to launch attacks against cyber communication channels and drone-strikes against human targets in Syria thought to be linked with the group. It’s now known that the Cyber Caliphate was a false-flag operation run by APT 28, a Russian state-sponsored hacking group.
“Once an organisation’s techniques and fingerprint are known, it’s relatively trivial for other organisations to emulate it,” says David Venable, former US National Security Agency intelligence officer and now vice president of cyber security at Masergy. It’s a huge danger, Mr Venable insists as “the use of this information to impact the foreign policies of other states is extremely likely, especially with regards to states with sophisticated cyber operations”.

In the News: Blackhat EU: Breaking Big Data (SC Magazine)

SC Magazine recently did a feature on Dave’s Blackhat EU Briefing: Breaking Big Data.

Former intelligence officer David Venable gave a crowd at Blackhat EU 2016, a rundown of what big data, and bad data in the private sector could mean for your privacy.

David Venable spent time as an employee of the National Security Agency
David Venable spent time as an employee of the National Security Agency

“Privacy as we know it is dead”, said David Venable of Masergy Communications, as he began his talk, Breaking Big Data: Evading Analysis of the Metadata of Your Life at BlackHat Europe 2016.

In the News: Anti-ultrasound tech aims to foil the dog-whistle marketeers (The Register)

Featured in The Register article, Anti-ultrasound tech aims to foil the dog-whistle marketeers by John Leyden:

On a similar theme, former NSA analyst David Venable, now vice president of Masergy, gave a presentation on the advertising industry’s use of the Big Data technologies pioneered by intelligence agencies and governments.

Venable outlined techniques to prevent selected activities from being associated with someone’s true persona, with a focus on making the true persona blend in with the masses. Going off the grid need not be the answer, and in any case might make someone stand out more, Venable told El Reg.

“Bad data can lead to bad decisions,” he said. “Biased algorithms reflect the biases of creators, which is why you might want to avoid them.”

Venable’s idea is to rethink operational security principles, which normally involve staying under the radar of government agencies and the police, to avoid motor insurance providers and credit reference agencies. “It’s about choosing what information you reveal and mindfulness,” he said.

Part of this involves thinking about the apps installed on a smartphone, as well as more subtle defences such as keeping a phone in another room in case an app is recording audio. Venable does not, however, advocate keeping smartphones in the refrigerator before taking meetings, as per Edward Snowden. ®

In the News: The Rise and Rise of Ransomware (SC Magazine)

Quoted in the SC Magazine article The Rise and Rise of Ransomware by Davey Winder:

It’s an attractive threat sector for many reasons. Number one, persistent attacks can be avoided. “Ransomware that encrypts all the data and destroys local backups before asking for a lump sum payout,” Dave Venable, VP of cyber security at Masergy told SC, “lets hackers avoid the higher costs and labour of maintaining the infrastructure of persistent attacks.”