Before you go searching for technology solutions, there are several basic notions that can go a long way toward strategies that work to make corporate data more secure. Here are five assumptions IT professionals can keep in mind when devising strategies to meet BYOD’s threat to corporate data, user identities and intellectual property.
1. the worst! Don’t hire a penetration tester. Save your money and assume “they” will get in – 75 percent of organizations have suffered data loss from negligent or malicious insiders.
2. employees will use their personal devices on the corporate network, even if they are told not to. More than 50 percent of employees use portable devices to take confidential data out of their companies every day. Before you end up with a problem on your hands, use products, available today, to block the ones you’re not willing to have around, whitelist the ones you feel comfortable with, and where data is critical both encrypt it and audit its movement.
3. that your employees value convenience more than security. If a security policy is overly cumbersome or inconvenient, employees will find a way around it. Don't underestimate the ingenuity of employees looking to circumvent procedures that slow them down. So, make the easy path the safe path. The last thing you want to do is prevent use of all personal devices: Soon users will find a workaround, like using phones to take pictures of documents to allow work at home. If you try to control too much, the intial problem slips through your fingers and creates a much bigger problem.
4. that flash drives will be lost and IT will never know. Losing a $10 flash drive can be even worse than losing a laptop. Stolen or lost laptops are reported; $10 flash drives are quietly replaced. According to the Ponemon Institute National Study of Data Loss Breaches in 2010, missing devices cause 42 percent of security breaches. Use encrypted flash drives or don't use them at all. Right now only 35 percent of companies enforce data encryption on company issued devices.
5. that an organization's first and last defense against a security breach is its own employees. Training employees on good security practices offers the most bang for the buck. According to the Ponemon Institute National Study of Data Loss Breaches in 2010, negligent employees cause 16 percent of security breaches. Everyone should learn how to recognize phishing attacks and fake anti-virus software advertisements – if it looks too good to be true, it really is. Also, oftentimes the most obvious ways to protect are the best ways. Everyone should have strong passwords that only they know on their devices. According to research done by SplashData, the most popular password in 2011 was “password”—that certainly is not a formidable protective shield for securing sensitive corporate data.
In order to embrace BYOD, security policies should be formulated based on these assumptions. IT security staff need to implement policies, and provide secure devices and management solutions that make the easy path the secure path. Taking advantage of the brave new world of user mobility doesn’t have to mean losing control.
Scott Ashdown is Director of Products and Solutions for Imation Mobile Security.