To everything there is a season and this is the season of BYOD. Bring your own device isn't a particularly new phenomenon but it certainly is hotter now than ever before.
People have always smuggled in their own laptops and mobile devices into corporate networks. There's always a sympathetic IT guy around who will help the wayward BYOD renegade get setup to use corporate assets. But these days, it's a thing. You're now in the minority if you don't bring your own device into your corporate network. Some companies post FAQs on how to setup your chosen device to download email, connect to the VPN and to share documents with other users.
The one thing that's lacking in all this BYOD goodness is security. Security breaches aren't as rare as they used to be. The spread of malware has made sure that absolutely no one is immune and no platform is safe from malware hell. Windows users know this all too well. Android users are finding out quickly what it means to be paranoid about security. Apple users, once isolated from widespread malware attacks are now also on the receiving end of the security badness that affects us all.
If you think you're safe, you're wrong. If you think that you haven't been compromised in some way, you're probably also wrong. Security problems plague companies of all sizes and configurations.
But you aren't helpless. Far from it. There are things you can do to minimize your attack surface--other than unplugging or going analog, that is. In fact, there are ten things that you can do to boost your BYOD security. This list of ten is in no particular order, except for the first one, which should be first on your list.
- Hire a security consultant who has mobile device security experience - 92% of all security breaches are discovered by third parties. A good security consultant will not only audit your security but he will also find any compromises that you may know nothing about.
- Setup MDM/MAM software to manage mobile devices and security - Mobile device management and mobile application management software is very sophisticated and can manage your security in very fine detail. Since there are so many different MDM/MAM vendors, get some recommendations from other companies and security consultants. Watch for a post on selecting MDM/MAM software coming soon.
- Require VPN connectivity for all devices - Requiring a secure connection into your network is standard practice. If it isn't in your company, make it so. Your security consultant should be able to guide you in selecting the VPN hardware and software that's right for you.
- Require device passwords - In what should be a "duh" moment, you'd be surprised how many people don't use basic password protection for their devices. If you don't know how to setup a device password, ask a teenager, they all know how to do it.
- Require device encryption - Before users store or access corporate data on their devices, they must use encryption software. Generally speaking, you can choose between data or device encryption. Data encryption means that any corporate data that you download to your device is stored encrypted. If you encrypt your device's storage, then anything that lands on the device will be encrypted. The difference is at the app level or at the device level. For example, you can store an encrypted file on an unencrypted filesystem or store a file (encrypted or unencrypted) on an encrypted filesystem. Either method has its strengths and weaknesses.
- Require anti-malware software - This is another almost obvious recommendation. You wouldn't setup a new laptop without antivirus software and you shouldn't setup a new mobile device without some sort of antimalware software. In fact, your MDM/MAM suite should check for antimalware software and either deny access for those devices without it or make a mandatory installation of corporate-approved antimalware software.
- Implement ACLs and Firewalls - Access Control Lists and Firewalls might sound complex but they aren't. Again, a good security consultant can get you setup or train your staff to lock down access to your valuable data and files.
- Audit data files - Your most valuable files should be audited. To audit a file means that any access to the file is logged. This includes automated access by service accounts or other processes such as SFTP.
- Setup alerts on logfiles - Related to #8. You should setup alerts on audit logs, system logs and event logs to notify security of any unauthorized or suspicious access attempts on files, shares or accounts. Often hackers will remove logfiles in an attempt to cover their activities. Checking for the existence of the logfile will alert you to this type of behavior as well.
- Limit app downloads to a single trusted site or internal app store - Legitimate app stores have some sort of rigorous approval process for apps. Part of the process is checking for malware. Some sites don't check or check as thoroughly as they should. Your best defense is to whitelist approved app stores for your users or to create your own internal app store from which your corporate users may select apps to use.
97% of all security breaches are preventable by employing basic (passwords, antimalware software) or intermediate (Firewalls, VPNs) practices. There's no excuse for allowing any low-hanging fruit to exist in your network. Regular security sweeps and audits will provide you with feedback on your status. Remember that the best security defense is that third party security consultant.
BYOD shouldn't be something to be afraid of. It should be something that's done to enhance a work environment. But don't let security issues destroy a good thing like BYOD. Do your part by educating your users and getting a good security consultant to assist you.
What do you think? Do you have other suggestions to help with BYOD security? Talk back and let me know.