
How to write a good security policy for BYOD or company-owned mobile devices

Find out the best way to keep smartphones and tablets safe from hackers and the dangers of public wi-fi and USB ports.
Written by Teena Maddox, Contributor

Mobile devices are among the most vulnerable tech items we own, because they're easily exploited and can be quickly compromised by hackers.

It's essential for a company to have a solid security policy in place for mobile devices, be they bring-your-own-device (BYOD) or company-provided. Allowing employees the option to buy their own devices can save a company money, and employees can benefit from the familiarity of using their own smartphone or tablet. But it does open up a company to security risks.

According to Tech Pro Research's Scott Matteson, "Since employees use their devices for personal and/or recreational activities, this can pose more risk for the organization than the exclusive use of business-owned devices."

CBS Interactive -- parent company of ZDNet, TechRepublic, and Tech Pro Research -- has created a list of best practices for securing a mobile device for its employees:

  • Keep the software up to date
  • If you lose it or it's stolen, report it immediately
  • Use a secure PIN
  • Don't connect to public wi-fi networks
  • Back up your device
  • Encrypt your device


The greatest risk comes from BYOD devices, according to Dr Engin Kirda, co-founder and chief architect of malware protection provider Lastline.

"It is important to make sure that BYOD devices can only be used in so-called 'demilitarized zones' within the organization. That is, the devices should not be able to directly access sensitive resources, and access should only be allowed to some organizational resources through VPNs. It is also important to be able to monitor the use of such devices through the network, and keep track of when, where, and how these devices connect," Kirda said.

Galina Datskovsky, CEO of Vaporstream, said, "In order to reap the benefits of BYOD while mitigating physical and digital security risk, corporate leaders and risk managers must provide a BYOD Acceptable Use Policy that specifies how employees can use their own devices to access and process corporate data. This policy should also include which specific applications may be used to share or discuss corporate information."

Datskovsky added, "Most importantly, company leadership must hold their employees accountable for following such policy. With 90 percent of all cyberattacks beginning with phishing, organizations are under constant threat of complex attacks targeting employees that can easily bypass gateways and land in email or text inboxes. Since employees use their devices for email and text to conduct business, a secure messaging strategy must be considered an essential component to any BYOD initiative."

Company-owned devices are easier to secure, since the organization can control them.

"For example, the company can make sure that these devices are not rooted, and can also check which programs the user has installed and is running on the company-owned system. There is also the option of installing security software (such as endpoint monitoring agents) on these company-owned devices," Kirda said.

Datskovsky said, "It is more manageable to secure company-owned devices than it is to secure devices used via BYOD policies. Through the use of mobile device management (MDM), IT departments can limit the application and program options that employees can use in order to restrict downloads, block websites and monitor network traffic for suspicious activity. To keep corporate-owned devices protected from potential security threats, IT departments must ensure that all applications offered on company-owned devices are secure, meet compliance standards and offer encryption. Policies must also be in place to help ensure proper use by employees to protect from the ever-changing hacking landscape."

Some of the potential problems stem from rogue wi-fi in public venues, since a typical user can't easily determine whether the network is authentic and belongs to the organization.

"We have seen attacks in the past where rogue wi-fi routers have played an important role. Such attacks can sometimes take place if the device automatically connects to known networks. By automatically deactivating wi-fi when the device is not in use, such automatic connections can be prevented. Also, the user can be encouraged to create profiles that are used based on the physical location of the device. User awareness and education is also a very important component when it comes to BYOD type of work environments. With great power comes great responsibility," Kirda said.

Larry Lunetta, vice president of marketing for security solutions for Aruba, a Hewlett Packard Enterprise company, said, "Rogue clients and ad-hoc networks add to a company's risk profile. One possible solution is to utilize intrusion prevention system (IPS) functionality built into the network infrastructure itself. Clear policies for rules and network traffic, paired with an alerting detection system, give network administrators information and options to react."

Lunetta added, "We also counsel organizations to create public wi-fi safety measures. Using public and open wi-fi is fraught with risk and any devices that have connected to these networks can easily bring malware into an organization's network. This is another area where focused IPS functionality can aid in the detection of odd network behavior."

Another potential problem is public USB ports, since many attacks can be launched over USB.

"In a secure environment, public USB ports are often disabled so that an attacker cannot launch a physical attack (for example, by attaching a fake keyboard), or booting a version of Linux that has been specifically created for launching attacks," Kirda said.

George Avetisov, CEO of HYPR, said, "Public USB ports are a security no-no and should be avoided. A USB port is a common delivery method for malware and that is why internal security policies at enterprises often disable USB ports on company-owned devices. Some companies actually ban USB sticks entirely and may even reprimand employees for bringing them in."

And then, there is the risk from broken or lost mobile devices.

Lunetta said, "If a mobile device is broken or lost, endpoint and MDM solutions can help. Whether installed on a BYOD or a company-owned device, these platforms can provide fencing around work-related emails and documents. These platforms also offer the ability to push a remote system wipe, as a last resort, should a device with confidential or sensitive files go missing. With BYOD, network administrators can only impact company-owned information such as e-mails or documents delivered through work systems. With company-owned devices, the entire device can be wiped remotely, removing all data and access."

Also see

Researchers find 29 types of USB attacks, recommend never plugging into a USB you don't own (TechRepublic)
If you ever find a lost charger, don't use it. If you need power and are tempted to plug into a public USB port, don't do it.

Google launches enterprise Android device recommendation program, omits Samsung
Google's Android Enterprise Recommended program includes a big chunk of the Android device field, but omits Samsung. Here's a look at Google's requirements.

Samsung Knox could solve your BYOD security woes (TechRepublic)
Samsung Knox can partition Samsung smartphones into personal and business sections, keeping sensitive data safe.

Mobile device computing policy (Tech Pro Research)
Mobile devices offer convenience and flexibility for the modern workforce -- but they also bring associated risks and support issues. This policy establishes guidelines to help ensure safe and productive use of mobile devices by employees, along with recommendations for IT pros responsible for administering and supporting those devices.
