10 things you can do to boost your BYOD security

10 things you can do to boost your BYOD security

Summary: If you're going to allow users to bring their own devices, find out what you can do to maintain security and be a happier you. These ten security recommendations will help you do both.

SHARE:

To everything there is a season and this is the season of BYOD. Bring your own device isn't a particularly new phenomenon but it certainly is hotter now than ever before.

tablets-workers-byod

People have always smuggled in their own laptops and mobile devices into corporate networks. There's always a sympathetic IT guy around who will help the wayward BYOD renegade get setup to use corporate assets. But these days, it's a thing. You're now in the minority if you don't bring your own device into your corporate network. Some companies post FAQs on how to setup your chosen device to download email, connect to the VPN and to share documents with other users.

The one thing that's lacking in all this BYOD goodness is security. Security breaches aren't as rare as they used to be. The spread of malware has made sure that absolutely no one is immune and no platform is safe from malware hell. Windows users know this all too well. Android users are finding out quickly what it means to be paranoid about security. Apple users, once isolated from widespread malware attacks are now also on the receiving end of the security badness that affects us all.

If you think you're safe, you're wrong. If you think that you haven't been compromised in some way, you're probably also wrong. Security problems plague companies of all sizes and configurations. 

 

But you aren't helpless. Far from it. There are things you can do to minimize your attack surface--other than unplugging or going analog, that is. In fact, there are ten things that you can do to boost your BYOD security. This list of ten is in no particular order, except for the first one, which should be first on your list.

  1. Hire a security consultant who has mobile device security experience - 92% of all security breaches are discovered by third parties. A good security consultant will not only audit your security but he will also find any compromises that you may know nothing about.
  2. Setup MDM/MAM software to manage mobile devices and security - Mobile device management and mobile application management software is very sophisticated and can manage your security in very fine detail. Since there are so many different MDM/MAM vendors, get some recommendations from other companies and security consultants. Watch for a post on selecting MDM/MAM software coming soon.
  3. Require VPN connectivity for all devices - Requiring a secure connection into your network is standard practice. If it isn't in your company, make it so. Your security consultant should be able to guide you in selecting the VPN hardware and software that's right for you.
  4. Require device passwords - In what should be a "duh" moment, you'd be surprised how many people don't use basic password protection for their devices. If you don't know how to setup a device password, ask a teenager, they all know how to do it.
  5. Require device encryption - Before users store or access corporate data on their devices, they must use encryption software. Generally speaking, you can choose between data or device encryption. Data encryption means that any corporate data that you download to your device is stored encrypted. If you encrypt your device's storage, then anything that lands on the device will be encrypted. The difference is at the app level or at the device level. For example, you can store an encrypted file on an unencrypted filesystem or store a file (encrypted or unencrypted) on an encrypted filesystem. Either method has its strengths and weaknesses.
  6. Require anti-malware software - This is another almost obvious recommendation. You wouldn't setup a new laptop without antivirus software and you shouldn't setup a new mobile device without some sort of antimalware software. In fact, your MDM/MAM suite should check for antimalware software and either deny access for those devices without it or make a mandatory installation of corporate-approved antimalware software.
  7. Implement ACLs and Firewalls - Access Control Lists and Firewalls might sound complex but they aren't. Again, a good security consultant can get you setup or train your staff to lock down access to your valuable data and files.
  8. Audit data files - Your most valuable files should be audited. To audit a file means that any access to the file is logged. This includes automated access by service accounts or other processes such as SFTP.
  9. Setup alerts on logfiles - Related to #8. You should setup alerts on audit logs, system logs and event logs to notify security of any unauthorized or suspicious access attempts on files, shares or accounts. Often hackers will remove logfiles in an attempt to cover their activities. Checking for the existence of the logfile will alert you to this type of behavior as well.
  10. Limit app downloads to a single trusted site or internal app store - Legitimate app stores have some sort of rigorous approval process for apps. Part of the process is checking for malware. Some sites don't check or check as thoroughly as they should. Your best defense is to whitelist approved app stores for your users or to create your own internal app store from which your corporate users may select apps to use.

97% of all security breaches are preventable by employing basic (passwords, antimalware software) or intermediate (Firewalls, VPNs) practices. There's no excuse for allowing any low-hanging fruit to exist in your network. Regular security sweeps and audits will provide you with feedback on your status. Remember that the best security defense is that third party security consultant.

BYOD shouldn't be something to be afraid of. It should be something that's done to enhance a work environment. But don't let security issues destroy a good thing like BYOD. Do your part by educating your users and getting a good security consultant to assist you.

What do you think? Do you have other suggestions to help with BYOD security? Talk back and let me know.

See also:

 

Topics: Bring Your Own Device, Networking, Security

About

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • Tell them to loverock Davidson he is the one needing help

    I know he spends all day long compiling his Kernal. Lovies says his kernel always seems to need compiling.....Lovie sure does love playing with his Kernal.......
    Over and Out
  • hummmmm

    "You're now in the minority if you don't bring your own device into your corporate network."

    Is there really a reason for me to do so?

    Last I checked, data plans work fine. No real need to use my business's network for my personal device.

    And to be honest, if you're making claims like that, you should really have some data to back up your claims.

    Anyhoo - if I really need a device for work, I'm likely to buy a separate device for it, and not use my personal device for work.

    I'm not terribly fond of having a lot of work baggage on a personal device. I want my personal device to be my freedom, not a slave to my workplace.

    And to be honest - having a separate device for work is far more secure than having both on the same device, so it's a security win for the business as well as a freedom win for me. So it's win-win.

    I'm not certain why I'd want it any other way. I don't see the advantage.
    CobraA1
  • No longer BYOD

    You do all that and impose these on a personal liable device, you might as well buy the hardware as you'll be lucky to get 2% of employees to allow this level of management.

    Tech Blogs have this weird fixation that BYOD is about choice of hardware when it's really about the desire to now have restrictions enforced on them and privacy concerns. I'd be will to accept a password and timeout but beyond that - provide me the mobile devices to use for work purposes as I'm not about the impact the performance of my device or be subject to audits by crazy security people (trust me I know these types).

    This is why secure container and virtual access (VDI, Citrix) are seeing huge adoption. Why would I want to encrypt my own content. Whats the process if I leave the company? Where's the seperation of their content and mine?

    It serves no purpose to stand up a BYOD program with these type of controls if you have little to no adoption.
    MobileAdmin
  • or you

    Could just go with a Blackberry 10 & most of your headaches are solved. I'm a admitted BB 10 fanboy but seriously it does kick some behind as a BYOD
    gordongr
  • And the only thing you need to do is ....

    ... don't allow it. It is a waste of resources with little to no benefit while exposing the company to an unlimited number of legal liabilities.
    wackoae
  • There's just one problem...

    Right now, BYOD right now is a all or nothing proposition. Nearly all the controls you mentioned would require the company to basically take over the device. I don't want my tablet or phone slowed down by some malware or anit-virus software when it unrelated to the company. Not to mention the effect on the device battery. Remote wiping is another area that would need to be wall-garden.

    These problems really need to be address at the OS and device management level but its a much tougher problem to solve because how far do you go.
    windowseat