How BYOD Is Impacting Insider Threats
Gartner believes that by 2021, 27% of corporate data traffic will bypass perimeter security (an increase from 10% today) and flow directly from mobile and portable devices to the cloud. In other words, data and device protection is becoming more complicated for your IT team.
BYOD Use Adds to Insider Threat Potential
Your employees are likely using a personal device to access their work email. Maybe they’re transferring corporate information to a personal cloud storage location (another type of personal ‘device’). If they’re working from home, they might be using their home computer.
Every one of these use cases has the potential to poke a hole in your security process and result in a breach. Whether the insider threat is due to negligence or malicious intent, BYOD use provides more opportunities for insiders to introduce risk.
An Ovum study found that 79% of employees in high-growth markets believe the constant connectivity associated with BYOD enables them to do their jobs better. Over 17% of survey respondents who bring their own devices to work claim that their employer’s IT department has no idea about this behavior, and 28.4% of IT departments actively ignore BYOD behavior.
What Challenges Does BYOD Present?
Here are some of the challenges arising from BYOD use:
- Physical security: It’s very easy for portable items such as tablets, laptops, and smartphones to be lost or stolen.
- Untrusted status: The very nature of these devices means they’re often untrusted in terms of the device itself, the networks the device connects to, and the applications running on the device. Most people download applications from app stores and use mobile applications that can access enterprise assets without any idea of who developed the application, how good it is, or whether there’s a threat vector through the application back to the corporate network. In addition, there’s the potential to interact with other untrusted systems via tethering (using one mobile device to provide network access for another mobile device) and to back up corporate data to cloud storage solutions.
- Malicious content: These devices may access unsafe content in typical ways such as via phishing emails and in BYOD-unique ways (like interacting with QR codes that might link to malicious websites).
Ways to Mitigate Against BYOD Risk
You will probably be fighting a losing battle – and may negatively impact employee productivity – if you attempt to ban BYOD use. Instead, the key is to find a balance between risk and the reward of productivity benefits.
You must ensure the following three security objectives for the mobile devices that interact with your data and network:
- Confidentiality—ensure that transmitted and stored data cannot be read by unauthorized parties.
- Integrity—detect any intentional or unintentional changes to transmitted and stored data.
- Availability—ensure that users can access resources using mobile devices whenever needed.
Here are a few ways to meet these objectives:
1. Craft a BYOD policy. The Ovum study found that only 20.1% of companies surveyed had a signed policy governing BYOD behavior; companies without BYOD strategies outnumber those with signed policies. Your policy should cover which devices can be used and under what conditions; which employees are (or are not) eligible for BYOD; what kinds of information may be accessed and stored; what stipulations apply to devices permitted for use; whether employees are eligible for reimbursement for BYOD usage; and more. In addition, document your employees’ responsibilities regarding permissible use, which applications can interact with corporate assets, loss reporting, and decommissioning of a device.
2. Determine accessible applications or networks. Decide which of your assets will be accessible to BYOD use, and use dedicated VPN networks to permit only the desired traffic to internal resources.
3. Invest in Mobile Device Management software. Tom Smith, of CloudEntr, recommends having MDM to give IT visibility into any device that may access your business network, along with the capability to revoke access or even wipe a device if it’s lost or stolen.
4. Implement two-factor authentication. This mitigates unauthorized access in the event of device loss by ensuring that a thief can’t use a cached password to reach sensitive data.
5. Use online monitoring software. This type of listening software allows you to monitor for large data transfers going out of the organization, whether by USB device or via cloud services.
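The monitoring idea in step 5, as an added illustration that is not the original post's or any vendor's code: it totals egress events per user and channel (cloud storage or USB) over a sliding 24-hour window and flags anyone exceeding a volume threshold. The log format, channel names, sample lines and the 500 MiB threshold are all assumptions constructed for the example.

```python
"""Flag insiders moving unusually large volumes of data out of the organization
via cloud storage or removable (USB) media. Added example; the log format,
channel labels and threshold below are assumptions, not a real product's output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log: timestamp, user, channel, destination, bytes
SAMPLE_LOG = """\
2019-03-04T09:12:00 alice cloud dropbox.com 52428800
2019-03-04T09:40:00 alice cloud dropbox.com 104857600
2019-03-04T10:05:00 bob usb SanDisk-Ultra 2097152
2019-03-04T22:31:00 bob usb SanDisk-Ultra 734003200
2019-03-04T22:47:00 bob cloud drive.google.com 629145600
2019-03-04T11:00:00 carol cloud onedrive.live.com 1048576
"""

WINDOW = timedelta(hours=24)
THRESHOLD_BYTES = 500 * 1024 * 1024  # assumed: 500 MiB per user, per channel, per window


def parse_events(text):
    """Parse whitespace-separated log lines into (timestamp, user, channel, dest, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, channel, dest, int(nbytes)))
    return sorted(events)  # chronological order is required by the sliding window


def find_large_transfers(text, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return {(user, channel): peak_bytes} for pairs whose egress within any
    `window` exceeds `threshold`; small, routine transfers never trigger."""
    per_key = defaultdict(list)
    for ts, user, channel, _dest, nbytes in parse_events(text):
        per_key[(user, channel)].append((ts, nbytes))
    alerts = {}
    for key, items in per_key.items():
        start, total = 0, 0
        for ts, nbytes in items:
            total += nbytes
            while ts - items[start][0] > window:  # drop events older than the window
                total -= items[start][1]
                start += 1
            if total > threshold:
                alerts[key] = max(alerts.get(key, 0), total)
    return alerts


if __name__ == "__main__":
    for (user, channel), total in sorted(find_large_transfers(SAMPLE_LOG).items()):
        print(f"ALERT {user} moved {total / 2**20:.0f} MiB via {channel} within 24h")
```

On the sample log, only bob's USB and cloud activity crosses the threshold; alice's two smaller uploads stay under it, which is the distinction a volume-based alert needs to make to avoid drowning analysts in routine traffic.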
For more information, check out this NIST publication that provides guidelines for managing the security of mobile devices in your organization.