The BYOD Security Commandments
November 5, 2012
SOURCE: Technology Spectator
If the acceptance of the bring your own device (BYOD) trend in Australia could be transposed into the five stages of grief, we’d be at the bargaining stage. That’s how enterprise software outfit NetIQ’s APAC product and business manager for identity, security & governance, Ian Yip describes the current situation.
Yip says that enterprises have moved beyond being angry towards the trend. They are now just getting over denying its existence, and IT admins are starting to bargain with staff over the use of their own devices in the workplace.
If the analogy holds true, then the IT department is set to get depressed about staff doing more with their own devices than what was negotiated, before they finally accept the trend and stop trying to restrict its growth and work around it.
All in all, Yip’s analogy is just one of many predictions for a trend that continues to dominate the discussion in many a boardroom. Everyone in the ICT space has a prediction on where BYOD is headed and how it will affect productivity and workplace cyber-security.
On that note, analyst firm IDC recently released a report outlining their top predictions and tips for tackling cyber security and BYOD.
The BYOD trend will make cyber security more complex
Of the tips put forward by IDC, the first is perhaps the most obvious, and perhaps the reason the BYOD trend has caused so many headaches.
“The consensus is that BYOD is now a given. Whether you want it or not, employees will do your work on their own devices,” says Infosec commentator Stilgherrian.
“So your choice is whether to have a policy that acknowledges that and lays out the ground rules, or try to ban it and end up with an infestation of unknown and uncontrolled devices.”
However, as many enterprises are currently finding out, controlling and securing data on multiple devices is a lot easier said than done.
The current situation raises questions as to how much control your workplace has over your device. If you lose your smartphone, should your work be able to wipe its memory? What if you quit your job?
While there are solutions available to manage data on devices, there’s still much debate as to how much control a company should have over an employee’s device.
Understand the value of different security systems
There are a multitude of disparate elements that keep a company’s overall cyber security ticking along, and some require more attention than others. If companies can get a grasp of all these elements, they can work out which ones require outsourcing to cyber-security specialists and which ones they can set up themselves.
Take the firewall for instance. It’s no doubt a crucial cyber security tool for any network, but it doesn’t take a cyber-security pro to select one or implement it.
As NetIQ’s Yip puts it: “it doesn’t matter which firewall I pick, it’s just a firewall”.
However, Yip adds that there are some tools that really should be left to the professionals: identity management systems, access management systems and security information and event management (SIEM) systems, to name a few.
Know exactly what data needs protecting
Not all data needs to be held behind a mountain of cyber security. According to Yip, the most effective cyber security solutions prioritise data depending on its value.
For instance, for the sake of a company’s reputation it’s important to keep customer data under lock and key, whereas information that’s already public on the web doesn’t really need any protection.
Yip adds that, having identified this data, companies need to “know where it is” in their systems and “know how people can access it”. This point is particularly important given that the BYOD trend will see multiple devices able to access that data.
Realise that humans are the weakest link in the security chain
Nothing causes security experts more consternation than managing the human factor, because no matter how tight you make a network’s security, a cyber-criminal can always exploit an unsuspecting user to get in.
“Humans are always the weakest link,” Stilgherrian says. He adds that even some of the most obvious attempts at cracking a user’s computer are becoming increasingly sophisticated.
“Spear phishing attacks are getting pretty tricky, with the attacker’s emails tailored to target specific organisations or even specific individuals. It makes it pretty tough for employees to spot it as an attack.”
Yip adds that there is a tendency among users to work around cyber security rather than adhere to it.
“Security is the enemy of useability”, he says.
Yip adds that it’s the “human nature” of everyday users to try and circumvent or take down cyber security wherever possible.
“You can’t control someone’s behaviour” Yip says.
But you can try to alter it. Both experts recommended security awareness training as a means of enhancing overall cyber security. It may become crucial given that BYOD can put a company’s systems at risk when users are sloppy with the security of their own devices.
“Information security needs to become part of the organisation’s culture. That means continual education and reinforcement, both carrot and stick,” Stilgherrian says.
Shred your data… if it’s possible
Consider this. If you had to destroy a document so that nobody would be able to read it, you would shred it. While the same principle applies to computers and data, few pound their machines to dust when it’s time to get rid of them.
Yip says that companies are not as aware of this point as they should be. He adds that not disposing of data properly, through a thorough wipe of the hard drive or through physical destruction, leaves a company’s data susceptible to falling into the wrong hands.
For those who are not fond of crushing computers or wasting time wiping them, Stilgherrian advises they invest in whole-disk encryption for their devices, saying that these days any company that refuses to do so is “negligent”.
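The overwrite-then-unlink routine below is an added example written for this page, not code from the article or from either commentator, to make the "shred it" advice concrete. Plain deletion only removes the directory entry and leaves the file's blocks intact; this function rewrites the file's existing extent (opened without truncation so the same blocks are reused) with random bytes, zeros, then random bytes again, syncing each pass to the device, before truncating and unlinking. The sample "customer list" it shreds is constructed inline; `shred`, `demo` and the pass pattern are this example's own choices.

```python
import os
import secrets
import tempfile

# Added example (not from the article): software shredding of a single file.
# Caveat: on SSDs (wear levelling), journaling and copy-on-write filesystems,
# and anywhere snapshots or backups exist, the blocks rewritten here may not be
# the blocks that held the original data. That limitation is one reason the
# article's whole-disk encryption advice matters: with the disk encrypted,
# destroying the key renders every block unreadable regardless of what the
# device does with overwrites.

CHUNK = 1 << 16  # 64 KiB per write so large files need not fit in memory


def _overwrite_pass(fd, size, pattern):
    """Rewrite `size` bytes from offset 0; pattern=None means fresh random bytes."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        view = memoryview(buf)
        while view:                      # os.write may return a short count
            written = os.write(fd, view)
            view = view[written:]
        remaining -= n
    os.fsync(fd)  # push this pass to the device before starting the next one


def shred(path, passes=(None, b"\x00", None)):
    """Overwrite `path` once per entry in `passes`, then unlink it.

    Returns (bytes_overwritten_per_pass, number_of_passes).
    """
    size = os.stat(path).st_size
    fd = os.open(path, os.O_WRONLY)      # no O_TRUNC: keep the existing extent
    try:
        for pattern in passes:
            _overwrite_pass(fd, size, pattern)
        os.ftruncate(fd, 0)              # hide the original length as well
        os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)
    return size, len(passes)


def demo():
    """Constructed sample: a throw-away 'customer list' in a temp directory."""
    row = b"alice@example.com,Alice Example,+61 400 000 000\n"  # 48 bytes
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "customers.csv")
    with open(path, "wb") as f:
        f.write(row * 1000)
    size, passes = shred(path)
    os.rmdir(tmpdir)
    return {
        "size": size,
        "passes": passes,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Use this for individual files on a spinning disk without snapshots. For a whole drive, the device's own secure-erase command or physical destruction is the right tool, and for a fleet of BYOD laptops and phones the practical answer is the one given above: full-disk encryption from day one, so that disposal and remote wipe reduce to discarding the key.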
Remember the basics
All in all, the tips around BYOD security are quite similar to those that already exist in the enterprise space. Yip contends that this is a key point companies need to realise when planning BYOD security.
“You can’t deal with BYOD by dealing with BYOD,” he says.
It’s all about understanding the cyber-security fundamentals rather than adapting to separate trends, says Yip.
“If you have these pillars in place, you’re more agile to deal with the changes in enterprise IT.”