Seven Steps to Reduce the Security Risks of BYOD

Enterprise BYOD programs are becoming more sophisticated and mature as employee usage of mobile devices continues to rise exponentially. BYOD security risks are also of growing concern, according to one-third of IT professionals participating in The Cass 2015 BYOD & Mobility Study.

Those risks come in many forms, according to the Crowd Research Partners BYOD & Mobile Security 2016 Spotlight Report. It finds that:

  • 72% of respondents are concerned with data leakage and loss
  • 56% with unauthorized access to company data and systems
  • 52% with downloading unsafe apps or content by users
  • 52% with malware

Such concerns need to be addressed more fully than they have been so far by many businesses, especially as advanced persistent threats become more sophisticated and commonplace. “Mobile device security is lagging, despite acknowledgment that the BYOD trend increases APT risk,” according to ISACA’s 2015 Advanced Persistent Threat Awareness survey.

Eighty-nine percent of respondents to the survey believe that the BYOD trend, combined with owner or drive-by manipulation of Android or iOS devices (aka rooting or jailbreaking), makes a successful APT attack more likely.

BYOD Security Playbook

Experts have offered many recommendations for increasing the security of employee-owned mobile devices. First, have users register their devices so that only known, legitimate devices are granted access. Follow through with policies and training so that users understand the appropriate use of personally-owned smartphones and tablets for enterprise purposes.

All enterprises should craft their own BYOD policies by requiring that employees agree to use PINs, passwords or patterns for access, and to leverage native device-level encryption.

Security pros also advise that other BYOD protection efforts should include:

  • Mobile device management (MDM) software to oversee and administer what’s out there, including applying features such as remote wiping for lost or stolen devices
  • Containerization that lets corporate apps run in a protected and authenticated environment under corporate-configured security controls
  • Two-factor authentication in any of its varieties – token-, risk- or device-based, for instance – to further secure corporate apps and data
  • Virtual Desktop Infrastructure (VDI) for highly sensitive apps whereby enterprise apps and data live on a centralized server
  • Corporate mobile apps designed to avoid local data storage, or web apps built to avoid caching sensitive data

The Next Level

There can be challenges around implementing some of these capabilities, though. For instance, MDM and containerization solutions aren’t always as scalable as an organization needs, nor are their features equally available across different mobile platforms. Hardware tokens such as key fobs or cards are prone to being lost.

That’s not a recommendation against taking as much advantage as possible of these protections. It is simply advice to complement these end-user and administrative security functions with more extensive network safety nets, such as:

  • Multiple VRF and VSI environments on the same physical infrastructure, allowing separate VLANs for traffic segregation – trusted versus semi-trusted versus untrusted traffic, for instance. This way, a BYOD iPhone can be contained on a VRF for user-owned devices, and any malware that intrudes upon it can be kept from infecting the most trusted environment, which is reserved for corporate-issued systems.
  • Traditional perimeter security approaches will always have their place, of course. But they aren’t sufficient for the BYOD model, where mobile endpoints increasingly exist outside of direct corporate control.

Advanced Persistent Threats

What does help is being able to intelligently detect nefarious activity, such as APTs that enter the corporate environment courtesy of user-owned smartphones and tablets. A good way to do this is to implement network behavioral analysis and machine learning that monitor network activity and continuously adapt to changing threat conditions.
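The following is an added example, not code from the original article or from any vendor product it mentions. It shows the simplest form of the behavioral analysis described above: a per-device baseline that adapts over time and a segment-aware threshold, so that a device on the user-owned (BYOD) VRF is held to a tighter standard than a corporate-managed one. The hourly per-device summary feed, its field names (`bytes_out`, `distinct_dests`), the segment labels and the threshold values are all assumptions made for this illustration; the sample records are constructed, with one deliberate burst at hour 5 for the BYOD phone.

```python
"""Per-device behavioral baselining for BYOD network telemetry (added example).

Assumes an hourly per-device summary feed, as a NetFlow or MDM collector might
export. Field names, segment labels and thresholds are this example's own choices.
"""
from collections import defaultdict
from math import sqrt

# Constructed sample telemetry: (device, segment, hour, bytes_out, distinct_dests).
# Hours 0-4 are ordinary; hour 5 for the BYOD phone is a constructed burst.
SAMPLE_FLOWS = [
    ("byod-phone-01", "byod", 0, 1_000_000, 10),
    ("byod-phone-01", "byod", 1, 1_100_000, 11),
    ("byod-phone-01", "byod", 2, 950_000, 9),
    ("byod-phone-01", "byod", 3, 1_050_000, 12),
    ("byod-phone-01", "byod", 4, 1_000_000, 10),
    ("byod-phone-01", "byod", 5, 40_000_000, 210),  # constructed anomaly
    ("corp-laptop-07", "trusted", 0, 5_000_000, 30),
    ("corp-laptop-07", "trusted", 1, 5_200_000, 32),
    ("corp-laptop-07", "trusted", 2, 4_900_000, 29),
    ("corp-laptop-07", "trusted", 3, 5_100_000, 31),
    ("corp-laptop-07", "trusted", 4, 5_000_000, 30),
    ("corp-laptop-07", "trusted", 5, 5_300_000, 33),
]

# Alert threshold (z-score) per network segment. Devices on the user-owned VRF
# get a tighter threshold than corporate-managed ones, since less is known about them.
SEGMENT_THRESHOLD = {"byod": 3.0, "semi-trusted": 3.5, "trusted": 4.0}
METRICS = ("bytes_out", "distinct_dests")
ALPHA = 0.3            # EWMA smoothing: higher adapts faster but forgets sooner
MIN_OBSERVATIONS = 4   # warm-up before a baseline is trusted enough to alert on


class EwmaBaseline:
    """Exponentially weighted running mean and variance for one device metric."""

    def __init__(self):
        self.count = 0
        self.mean = 0.0
        self.var = 0.0

    def zscore(self, x):
        std = sqrt(self.var)
        # Floor the spread so a flat history cannot turn tiny jitter into an alert.
        std = max(std, 0.01 * abs(self.mean), 1e-9)
        return (x - self.mean) / std

    def update(self, x):
        if self.count == 0:
            self.mean = float(x)
        else:
            diff = x - self.mean
            incr = ALPHA * diff
            self.mean += incr
            self.var = (1 - ALPHA) * (self.var + diff * incr)
        self.count += 1


def detect_anomalies(flows, thresholds=SEGMENT_THRESHOLD):
    """Return one alert per record whose metrics exceed the device's adaptive baseline."""
    baselines = defaultdict(EwmaBaseline)  # keyed by (device, metric)
    alerts = []
    for device, segment, hour, bytes_out, distinct_dests in flows:
        values = {"bytes_out": bytes_out, "distinct_dests": distinct_dests}
        k = thresholds[segment]
        fired = []
        for metric in METRICS:
            baseline = baselines[(device, metric)]
            x = values[metric]
            if baseline.count >= MIN_OBSERVATIONS and baseline.zscore(x) > k:
                fired.append(metric)
            else:
                # Only non-anomalous observations feed the baseline, so a burst
                # cannot quickly teach the model that the burst is normal.
                baseline.update(x)
        if fired:
            alerts.append({"device": device, "segment": segment,
                           "hour": hour, "metrics": fired})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_FLOWS):
        print(alert)
```

Run as-is, the constructed burst on `byod-phone-01` at hour 5 is flagged on both metrics, while the corporate laptop's mildly higher hour-5 traffic stays under the looser trusted-segment threshold. Two design choices matter in practice: the warm-up period, without which the first few hours of any new device would alert, and the decision not to fold flagged observations back into the baseline, which keeps a sustained burst from quickly becoming the new normal.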

Whatever solutions your IT organization can put in place to better assure BYOD security, one thing is for sure: There’s no time to waste getting more done. Citing BYOD as a driver of innovation, as well as device and service cost savings, Gartner has predicted that by next year, half of all businesses will require workers to use a personal device for work.

Learn how Masergy’s Unified Enterprise Security can help your IT organization spot unwanted intrusion and anomalous network activity. And our managed firewall will help you control and monitor applications from mobile devices and perform web content filtering to identify malicious code. Read more about BYOD security trends and threats.

About David Venable

VP, Cybersecurity, Masergy
David Venable, Vice President of Cyber Security at Masergy Communications, has over 15 years’ experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a former intelligence collector with the National Security Agency, with extensive experience in Computer Network Exploitation, Information Operations, and Digital Network Intelligence. He also served as adjunct faculty at the National Cryptologic School.