Despite all of the security risks BYOD poses to an IT environment, the trend of businesses embracing bring your own device in the workplace continues to grow at a rapid pace.
Some of the main reasons companies of today are so accepting of BYOD in the workplace usually relates to employee satisfaction and increased productivity: employees who are permitted to use their own devices in the office are generally more satisfied and some 43% of employees connect to their emails on their smartphones in order to get ahead and ease their workload.
Since it seems that BYOD is quickly becoming the new standard in workplace technology rather than an exception, we wanted to find out how companies who are already investing in a BYOD workplace, or are planning to do so in the near future, are keeping their data secure. To do this, we asked 30 data security experts to answer this question:
"How can companies keep data secure in a BYOD environment?"
See what our experts had to say below:
Meet Our Panel of Data Security Experts:
Tom Smith
Tom Smith is the VP of Business Development of CloudEntr, a Gemalto product that allows a simple and secure way for businesses to access the cloud. He has over 30 years of experience with security, mobile, and cloud technologies including founding executive roles at four technology companies. In his current role as VP Business Development and Strategy, CloudEntr at Gemalto, Tom is helping define and execute Gemalto's identity and access initiatives in the cloud.
Just when IT departments thought they had the local network locked down and somewhat secure, BYOD reared its head and introduced a litany of unforeseen challenges. The first step in keeping your business safe in the age of BYOD is...
To encrypt the data itself so you are prepared for the inevitable breach.
Beyond that, you should have a BYOD policy in place that includes mobile device management (MDM), which gives IT access to any devices that may access your business network along with the capability to revoke access or even wipe a device if it is lost or stolen, and outlines policies and protocols for accessing company data from remote locations.
Companies often restrict remote access to sensitive data by device-specific identifiers such as the MAC address. Furthermore, it is important to provide an identity access management (IAM) solution to your employees that offers two-factor authentication. By mandating the use of more than a single factor for authentication, you can be assured that an employee's device hasn't simply fallen into the wrong hands with a cached password granting the device holder access to your sensitive data.
Alastair Mitchell
Alastair Mitchell is President, CMO & Co-Founder of Huddle, the enterprise content collaboration platform. Huddle is Alastair's third internet start-up, and one which he founded with Andy McLoughlin as he was frustrated by existing enterprise technology's inability to help people work together. Spending millions of dollars on a SharePoint implementation, only to watch it fail dismally, was the final straw. As a result, Huddle was born. Since setting up the company in 2006, Alastair has grown Huddle to around 170 people in London, San Francisco, New York, and Washington D.C., raised $86 million in funding and seen sales double year on year. In his roles of President and CMO, Alastair is focused on scaling Huddle's global brand and market impact.
This is my advice to companies working in a BYOD environment who need to keep their data secure...
Companies need to wake up and realize they're facing a massive security issue and risk having their intellectual property walk out of the door with people. There's a huge amount of information available in enterprise content stores and knowledge workers are struggling to find ways to access, work on and share this with everyone they need to. Failed by legacy technologies, which were designed to keep content locked inside an organization, employees are looking for easy ways to access what they need.
This has resulted in free-for-all use of personal cloud services, external hard drives, smartphones and USBs, turning the enterprise content store into a giant, unruly jigsaw puzzle. With people busily stashing data all over the place, companies simply have no idea where their content is kept. Information needs to be stored centrally so that everyone with permission can access it, regardless of whether an employee has left the company.
Stephen Pao
Stephen Pao serves as General Manager, Security Business, at Barracuda Networks, where he is responsible for strategic product direction, definition, program management, and development for all of the company's security products. The Security Business brings together Barracuda's content security, network security, and application security product portfolio, as well as the Barracuda Central content team. He has more than 20 years of experience in high growth technology companies based in both Seattle and the Bay Area.
At Barracuda, a lot of our end users are embracing BYOD, so we have some tips/best practices for welcoming personal devices into the network environment and how companies can be flexible without compromising resources. It is important to note that BYOD environments bring a number of security challenges that organizations need to be aware of:
- Increased exposure to malware and infections due to lack of control and visibility into personal devices.
- Data leakage becomes a primary concern as these personal devices now have access to sensitive corporate data.
- General IT supportability of BYOD environments is difficult due to the large variation of personal devices, platforms, operating systems, etc.
Today, so much messaging is happening over collaboration applications, such as Skype or iMessage, that use transport encryption that is not easily intercepted, and most organizations are not set up to regulate their usage. Even social applications, such as Twitter direct messaging, Facebook Messenger, and LinkedIn inMail, which are easier to regulate, are often allowed for business communications, leaving organizations in a place where they might not strictly comply with their own information management policies.
Here are a few tips for what organizations can implement to mitigate the risk and challenges of supporting BYOD policies. Mobile Device Management solutions should work closely with organizations' wireless and security infrastructures to:
- Offer a secure and reliable internet experience
- Help manage device and application settings to ensure data integrity and security
- More easily distribute corporate network settings (proxy, WiFi, Exchange, etc.) to personal devices upon enrollment
- Be sure to have strong passwords and encrypt sensitive data when sharing with colleagues
- Set strong application control policies (this could be blocking Facebook Chat/games, Skype video, etc.).
Klaus Brandstatter
Klaus Brandstatter is Managing Director of HOBsoft, a German software company and market leader in secure remote access solutions.
In order to protect against the many security risks involved with operating in a BYOD environment, managers must...
Acknowledge the rationale and benefits associated with granting employee access from mobile devices, as well as implement a comprehensive security strategy in order to allow it.
For instance, IT security managers can provide a company-issued mobile app that uses an encrypted connection to communicate directly with corporate servers, granting employees a convenient, user-friendly mechanism for secure remote access. Such an app could, for example, connect the mobile client with a Microsoft Exchange Server, thus granting the user access to their emails, calendar, contacts and notes. For maximum security, only data that is immediately required for the display should be sent to the mobile device.
Also, the data should only be loaded into the main memory for as long as the application is active. Once it is terminated, none of this data will remain on the device. In the event that the device is stolen or lost, there is no risk of a data breach, since the data remains hosted on the corporate server, and not the device. A company-issued mobile app can also prevent unauthorized access by requiring a login and password.
The business benefits of implementing a BYOD policy abound: elimination of the overhead costs associated with providing employees with and powering multiple company devices as well as increased employee flexibility and workflow coupled with the ability for employees to work remotely. But with these benefits, corporate data becomes vulnerable, which is why companies with BYOD policies should also implement secure remote access solutions.
Businesses with BYOD policies should also instate secure remote access policies, only permitting employees to access corporate data through an encrypted SSL or IPsec connection. Due to strong encryption algorithms and modern authentication methods, these solutions are a surefire way to keep corporate data safe in a BYOD environment.
Mike Meikle
Mike Meikle is Partner at SecureHIM, a security consulting and education company that provides cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. Mike has worked within the information technology and security fields for over fifteen years and speaks nationally on risk management, governance and security topics. He has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine, Los Angeles Times and Chicago Tribune. He holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and Six Sigma Green Belt.
Securing data in the cloud can be problematic, before the added complexity of managing the data on a mobile device. However, mobile platforms (phones, tablets, etc.) are becoming the access point of choice for the enterprise and so this issue needs to be addressed swiftly. Whatever solution the enterprise implements for data security it should follow the security principles of...
Confidentiality, integrity and availability.
Data confidentiality entails the protection of sensitive information from unauthorized users. Data integrity encompasses changes to the data and the identification of the individual or system that changed it. Availability is whether or not the data can be accessed by users or systems when required.
There are some standard security technical controls that can be implemented to protect data in the cloud. Mobile device or mobile application management (MDM/MAM) software installed on the user's mobile device is a good first step in securing and controlling sensitive corporate data in the cloud via a mobile platform.
On the risk management process side, organizations should know what is riding on their network and accessing their applications. With appropriate asset, network, log and mobile device management controls this would be a relatively "easy" process. However, certain industries – healthcare and government for example – lack a certain IT maturity level that other industries take for granted (see financial). Establishing proper asset and data management processes and procedures should be a high priority for industries with sensitive information.
One of the biggest offenders to data security is email, especially if companies use a cloud-based service. Sensitive data contained within emails is bounced around multiple servers where copies of this data can be stored. Utilizing an encrypted email client is a cost effective way of reducing the risk of a data breach via email.
Unencrypted emails, chat and photos present a large risk when stored on a mobile device. When the device is lost, which happens often, then this information could be extracted. Having the right controls (technical and risk management) for your enterprise mobile device infrastructure is key.
Simon Specka
Simon Specka is CEO of ZenMate, an internet privacy protection service which has been downloaded over 8.5 million times in 180 countries since 2013. As a global citizen and frequent traveler he experienced the annoyance of restricted internet first hand. Simon is passionate about great user experience and likes to think outside the box to develop new solutions for unsolved problems. With a broad background in international business and innovation management as well as a liking for technology he is able to develop and execute all business related aspects of the startup.
As the workforce gradually moves towards BYOD, the safest way to protect any company data is...
To secure the online connection through encryption.
Companies can use a VPN cloud-network tool that uses secure servers for online security and privacy. This allows companies to secure their data, including any app data, by replacing personal employee IP addresses with a generic IP address. This helps to block out any hackers that may attempt to steal company information through employee devices.
Johnny Lee
Johnny Lee is the Managing Director of Forensic, Investigative & Dispute Services at Grant Thornton LLP. He is a forensic investigator and attorney, specializing in data breaches and cyber security.
How can companies keep data secure in a BYOD environment?
The short answer to your question is through a thoughtful combination of people, process, and technology. There are also exciting newer technologies, such as containerization, which are helping companies achieve BYOD security.
Michael Thorne
Michael Thorne is CTO of Fintech company Bristlecone Holdings.
Keeping data secure in a BYOD environment starts with...
Implementing and enforcing a company policy surrounding personal electronic devices.
It's easy to put in writing what shouldn't be done, but actually holding employees to those policies can be difficult. This is especially true for an organization transitioning from seed or start-up to growth stage, as more often than not security is overlooked or exchanged for speed and convenience. That policy should help educate employees on best practices regarding company data security. Devices' lock screens should be password and/or biometrically secured. Devices should not be "jail-broken" or otherwise compromised from their original state. Software and apps should be kept up to date with the latest security patches and OS upgrades. Only trusted software from reputable sources should be installed.
Data security isn't necessarily just about keeping the intentionally malicious users at bay, it's also about protecting your data against the users who have inadvertently become carriers of "electronic disease." One way to help is to have three different layers of security for your network to limit access to sensitive data through different tiers: a public or guest network, a private intranet network and finally, if necessary, a secure and limited access network. The three can be fed from the same internet pipe, provided they all are behind a properly configured and robust firewall device. The "guestNet" provides a convenient place for visitors to have internet access as well as employees who have brought unauthorized devices from home.
Providing this type of access offers a convenient channel for people to get what they want (internet) without significantly compromising the company network just so someone can check their favorite social media. The private intranet network is where the majority of work is conducted, but is also only for devices that have appropriate authorization and meet more strict security standards. This means PCs and laptops authorized from a domain server as well as BYOD electronics that have some form of authentication software installed such as a mobile device management (MDM) suite.
The idea here is to make sure that the devices connecting to the network with more sensitive data are authorized to do so and meet some standard of authentication as well as virus, malware and spyware prevention and protection. The most secure data should be kept extremely limited and not accessible to BYOD devices. It should only be accessible through two-step authentication measures and should be user limited, IP restricted (if possible) and/or only available from behind secure VPN connections.
Steve Durbin
Steve Durbin is the Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
In order for organizations to keep data secure in a BYOD environment...
They need to determine their requirements and understand the risks associated with connecting employees' devices to the organization's infrastructure and allowing personal applications and cloud storage to co-exist with corporate data.
This risk assessment should be regularly updated, as hardware and software change. Organizations should also determine and communicate the intended and acceptable use of privately owned devices, specify which devices and operating systems are supported, and when new ones will be added. Staff must be assigned to manage the technical infrastructure and provide support to employees.
BYOD initiatives promise significant benefits, including improving productivity, attracting and retaining talents and reducing costs. But these business benefits will only materialize if the initiative is carefully managed by the organization. Organizations with the appropriate expertise, leadership, policy and strategy in place will be agile enough to respond to the inevitable security lapses. Those who do not closely monitor the shifts of BYOD could very well be left behind.
Dan Adams
Dan Adams is CEO of New England Network Solutions (NENS), a Managed IT Services company, and is a serial entrepreneur who ran his first retail operation at the age of 14. Dan is passionate about sharing his success strategies with fellow entrepreneurs and learning from their experiences. He founded NENS in 1993 and over the years, owned and managed several start-up companies. Over the years NENS has been repeatedly recognized by receiving industry awards such as CRN MSP 500, MSP Mentor list of top 250 MSPs and Ingram Micro's SMB 500.
Security is a business owner's number one issue when it comes to a BYOD environment, but many companies appreciate the benefits of providing employees with their best chance to be productive and flexible. This is why it is imperative to consider the following to keep your biggest asset [your data] secure:
- Choose the right tools. Any old webmail service will do for personal use, but when running a business it pays to invest in a secure, business-class email service — especially if your company operates under a BYOD policy. But business-class email can be pricey, especially for a small business on a limited budget. A subscription to Microsoft Office 365 includes secure email for your employees, with ActiveSync support for every major mobile platform. It's one of the only cloud-based platforms, alongside Google Apps for Business, that meets the minimum security standards for usage by U.S. Federal Government agencies. It's affordable, too, at about $4 per employee per month. As a bonus, users gain access to the full Office 365 suite, which opens up secure, cloud-based syncing for your Office documents, calendar and more. Just last month, Microsoft announced they added Mobile Device Management (MDM) to Office 365. Google Apps for Business is a cloud-based service that can be used to securely access and coordinate business information, schedules and documents. It is also highly regarded from a security standpoint and cost effective.
- Create and enforce a BYOD Policy. Documentation and system processes are the key to relinquishing control over your data. Not only should companies create a full policy and share it regularly with their staff, but it also must be enforced and clearly understood at every level. It will live as an ever-changing document, so keep it live on something like a Wiki where other live documents live and update it when technology changes. 82 percent of BYOD are smartphones, which means it's very important to consider employee access to files outside of the workplace. What to include in your policy:
- Rules for setting lock screens and passwords.
- Limited connectivity to network.
- Require use of VPNs and virtual desktops.
- Enforce updates and patches.
- Location tracking software.
- Get back your old devices. Keep tabs on the locations of your outdated devices that may still have access to data. That means Scott from accounting's ten year old son should not be walking around school with an old company smartphone. Have the person in charge of IT keep a live track of inventory and have him/her wipe devices clean before donating or tossing them. Technology is unique in that consumer behavior often leans towards customized and personalized devices over the mainstream. So, what does that mean to a business owner? Sally wants to use her iPhone 4 while Bob prefers his Android and they are collaborating on the same project. The good news is 49 percent of US IT Managers strongly agree that BYOD improves worker productivity [According to a recent article from Intel: Insights on the Current State of BYOD]. Leaders who allow a BYOD environment will come out on top, so long as they do their homework to cover their assets.
- The company must know what devices are being used legitimately, so each device should be registered and authorized.
- A PIN or pass phrase must be used to access the device.
- The ability to remotely lock and wipe the device must be enabled.
- Employees must report lost or stolen devices in a timely manner so that they can be locked and wiped.
- Do have policies that require employees to waive all liabilities in the event that the company remotely locks or wipes a device.
- Do have relevant acceptable use policies that also describe what is prohibited, such as using jailbroken devices.
- Do provide security awareness training about the risks associated with mobile devices and the importance of timely reporting of lost or stolen devices.
- Manage your company WiFi well. Ideally you have 4 WiFi's: corporate, employees, visitors and devices. Since every device will be connected to the network this is very important.
- Use SSO services like Okta to authenticate the user independent of the device used.
- Use apps that allow remote log out/management of the user login. For example there are apps which can be force-logged out from an admin dashboard.
- Understand which data is stored on the device before you deploy a new app. At my company we only do API calls and store nothing beneath login credentials on the phone. Our cloud serves as intermediate and can regulate or turn off traffic if needed.
- First, they have to understand how employees are accessing data (via internal, web interfaces, VPN, remote desktop or mobile app). Then put a BYOD policy in place – not one that is just written out for people to sign, but a policy in which employees are trained to understand the technological differences in how they access data. At a bare minimum, that policy should include MDM (mobile device management) which gives the company the ability to remotely wipe a device in the case of loss or theft.
- Next, your policy should absolutely mandate that any device that connects to or holds company data be encrypted at the disk level.
- Third on the list is an emerging group of technology called MAM (mobile application management) so that you can ensure people don't bring in a device with software designed to steal your data (either knowingly or not).
- Fourth, of course, is to enforce use of antivirus/antimalware software so that when a device connects to your network, it is scanned for having this type of software before it allows a full connection to your network. Lastly, require strong passwords and multilevel access control. Gone are the days of P@ssword1 and similar passwords. Passphrases like I l1k3 4urre k@tz should be implemented, and once a user leaves a specific folder location (say like your company financials) and attempts to access other data (say like human resources), yet another password (not the same) should be used. Seems like quite a bit, but single sign on passwords are what have gotten Target, Home Depot and many others in hot water.
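The device controls listed in the answers above (lock screen set, not jailbroken, patched, encrypted, registered and MDM-enrolled, antimalware present, with a second factor and VPN for the most sensitive data) can be expressed as a posture check that places each device in the three-tier network model described earlier (guest, intranet, secure). This is an added example in Python, not code from any contributor or product on this page; the device records, the 30-day patch threshold and the field names are constructed for illustration.

```python
"""Device-posture gate for a three-tier BYOD network (added example).

Each incoming device is checked against the baseline controls the
contributors list and placed in the tier it qualifies for:
  'guest'    - internet only, no company data (any baseline failure)
  'intranet' - normal work network (compliant personal or corporate device)
  'secure'   - most sensitive data; corporate-managed devices only, and
               only with a second factor over the VPN
All device records and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not taken from the page


@dataclass
class Device:
    name: str
    corporate_owned: bool
    registered: bool        # device registered and authorized with IT
    mdm_enrolled: bool      # MDM/MAM agent present (enables remote lock/wipe)
    lock_screen: bool       # PIN, passphrase or biometric lock configured
    jailbroken: bool        # modified from its original state
    disk_encrypted: bool    # storage encrypted at the disk level
    patch_age_days: int     # days since the last OS/security update
    antimalware: bool       # antivirus/antimalware software installed
    mfa_enabled: bool       # user completed a second factor for this session
    via_vpn: bool           # session arrives over the corporate VPN


def posture_failures(d: Device) -> List[str]:
    """Return the baseline controls the device fails; empty means compliant."""
    checks = [
        (d.registered, "not registered with IT"),
        (d.mdm_enrolled, "no MDM enrollment (cannot be remotely locked/wiped)"),
        (d.lock_screen, "no lock screen protection"),
        (not d.jailbroken, "device is jailbroken/rooted"),
        (d.disk_encrypted, "storage not encrypted"),
        (d.patch_age_days <= MAX_PATCH_AGE_DAYS,
         f"patches older than {MAX_PATCH_AGE_DAYS} days"),
        (d.antimalware, "no antimalware present"),
    ]
    return [reason for ok, reason in checks if not ok]


def assign_tier(d: Device) -> str:
    """Place the device in the highest tier its posture allows.

    Any baseline failure lands the device on the guest network. A compliant
    personal (BYOD) device stops at the intranet tier: the secure tier is
    reserved for corporate-managed devices that also present a second
    factor and connect through the VPN.
    """
    if posture_failures(d):
        return "guest"
    if not d.corporate_owned:
        return "intranet"
    if d.mfa_enabled and d.via_vpn:
        return "secure"
    return "intranet"


def gate_report(devices: List[Device]) -> Dict[str, Dict[str, object]]:
    """Summarise the decision for each device together with its failures."""
    return {
        d.name: {"tier": assign_tier(d), "failures": posture_failures(d)}
        for d in devices
    }


# Constructed sample fleet: a compliant personal phone, a compliant
# corporate laptop on VPN with MFA, and a jailbroken, unpatched phone.
SAMPLE_FLEET = [
    Device("sally-iphone", False, True, True, True, False, True, 12, True, True, False),
    Device("corp-laptop-07", True, True, True, True, False, True, 3, True, True, True),
    Device("bob-android", False, False, False, True, True, False, 120, False, False, False),
]

if __name__ == "__main__":
    for name, result in gate_report(SAMPLE_FLEET).items():
        print(f"{name:16} -> {result['tier']:8} {'; '.join(result['failures'])}")
```

A real deployment would take the posture fields from the MDM agent's inventory rather than from hand-built records, but the tiering decision stays the same.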
- Apply password enforcement. Although it's quite unpopular, there really isn't anything better for service access than strong passwords that are changed from time to time.
- Use encryption on all levels. Your connections should be secured (HTTPS, VPN), your important documents should be encrypted and devices should have encrypted storage. Even mobiles offer this functionality now.
- Enforce good device security. By this I mean good passwords for access to devices (mobiles, notebooks, etc.), use of antimalware systems and following standard security practices like ensuring that your OS and critical applications are up-to-date.
- Be Proactive: The first answer is obvious - have a proactive BYOD strategy that informs employees on how they are to handle company data whether working from home, the office, the airport, or the beach. BYOD strategies can include everything from password requirements and device registering to what information may and may not be shared via mobile. This includes content. Your data is your company's greatest asset. Without a BYOD plan - you are at risk.
- Consider your ECM Options: With any ECM, tracking and workflow features ensure data is protected regardless of the device. Ensuring compliance becomes much easier when any time a file is accessed, edited or shared it is automatically tracked. There are security features to password protect any level of access to files, and the information is readily available to those who need it.
- You need a specific agreement with your employees covering your BYOD policy: reimbursement stipends, data retention/security/human resource policies (a bit of ink in the beginning saves a ton of pain in the ending).
- A service/application that allows you to securely CONTAIN/SEPARATE business data from personal data so on demand wipe doesn't destroy baby pictures...several services offer this.
- A specific IT policy/media plan for when a breach happens...because you will EVENTUALLY have a breach.
- Don't think you are too small to be hacked. In fact, a clear trend now is for smaller companies with lax IT security standards and numerous unmanaged permissions to become easy platforms for hackers to hide and wait to enter larger firms with whom the small ones do business. Small firms today are the low hanging fruit that cyber thieves are stalking as larger firms become more vigilant and harder to penetrate.
- Renew your dedication to the principle of least privilege. Immediately conduct an audit of permissions of access, and cut back. Over time, through the phenomenon of permission creep, too many people have access to information who should not. The big problem is awareness. My rule is know thy network, and people don't. On several projects, when we point out the dangers of too many permissions, we're told, 'well, nobody could do anything with that data,' and then we'll show them what could be done with that data using the privileges that they thought were safe.
- Beware vendor access. A vital component of the rule of least privilege is to thoroughly and regularly analyze what access you have allowed for your vendors. As increased use of extranets grows, know your vulnerability, and avoid opening the door to a vendor's access to vital company information without a thorough compliance audit. Obviously, your HVAC vendor should not have access directly to the same set of computers where you store your payroll data. Such routes through vendor sharepoints and extranets are favored by hackers.
- Consider your liability. If you are a third-party vendor managing information for one or more - or dozens - of clients, be aware of the civil liability of not having the proper controls and allowing unauthorized criminal access to your client's proprietary data. While carelessness in this area has not reached the level of criminal negligence at this point, there are indications that governments are moving in that direction. If you unknowingly allow one of your machines to essentially become a bot working for a paid hacker, you can be held liable for real and actual civil damages. At the least, you will lose perhaps hundreds or thousands of man hours participating in and supporting the criminal investigation into how it happened.
- Don't just check the boxes. If you manage data for a client, invest the time and money to achieve compliance in one or more of the nine most important information security levels you may need, depending on the type of client information housed. Those levels are compliance with the Health Information Portability and Accountability Act (HIPAA); SOC 1 and SOC 2, which are the AICPA Service Organization Control Reports; Penetration Tested Service Organization (PEN); Payment Card Industry Data Security Standard (PCI); ISO 27001; Standard Information Gathering (SIG); Federal Information Security Management Act (FISMA) and the Experian Independent Third Party Assessment (EI3PA). However, after you earn compliance, the real work begins. You can't just check the boxes and relax. Develop a culture dedicated to information security. Self-test is a continual thing. Any time there is any structural change to the network, a new server, a new gateway, a new firewall, especially if you bring in a new vendor, or host new client server, consider how these changes can impact overall security. Avoid complacency at every level.