Mobile Security Experts on BYOD
Veracode Marketing recently polled a list of mobile security experts, asking them “What can employees do to minimize risk when bringing their own devices to work?” We’re pleased to present the responses from a wide array of security experts including David Schwartzberg from Sophos, Kevin Flynn from Fortinet and Veracode’s own, Chris Wysopal. While all our experts have their unique perspectives, some common themes arose including changing employees’ view of security. We want to thank all our respondents for participating and we welcome your thoughts too – use our comment area and tell us, “What can employees do to minimize risk when bringing their own devices to work?”
What can employees do to minimize risk when bringing their own devices to work?
Even with the move to BYOD, information security is still a core IT responsibility. In other words, regardless of who owns the device, IT and Info Sec are still responsible for protecting the data on that device. Fortunately we have a growing arsenal of tools to help with that from the mobile device management companies like Sybase, MobileIron, Airwatch, Good Technologies, and the like.
While those solutions give IT the ability to enforce security policies like requiring strong passwords and file encryption, users are always the weak link in the security chain. Mobile devices are all about convenience, and unfortunately, security introduces some degree of inconvenience. It’s long been known that if we make security too inconvenient, users will resort to the most insecure solutions to avoid it.
The two keys to success are management support and good communications with users. C-level execs are often the worst security offenders, but if you can plant the seed that we now have hundreds or thousands of potential security exposures traveling around in people’s pockets or purses, hopefully you can get them to pay attention. Clearly, that’s a lot easier to accomplish in regulated industries like health care and finance, but every company has information it needs to keep secure.
Security awareness must be part of employee orientation, and we need to explain why even seemingly innocuous information like a salesperson’s calendar could hold a treasure trove of useful information for a competitor. People are far more willing to cooperate if we tell them why it’s important.
However, this can’t simply be a one-shot deal. Security requires an ongoing program of security awareness to create a “culture of security”. I know of one organization that puts tent cards with little security “tips” on the tables in the cafeteria and changes them once a week. To build that ongoing awareness, you have to think like an “advertiser” and what you’re “selling” is a secure organization.
BYOD is here to stay (at least in the near term), so IT and Info Sec specialists need to think creatively to truly protect all that sensitive information that’s traveling around on smartphones and tablets. We’re dealing with a whole different type of “perimeter” now, so we need to focus on protecting “data” rather than protecting “devices”.
This BYOD movement reminds me of when I was in high school. There was a sign in the study hall which read, “Success is 13% Aptitude and 87% Attitude.” I don’t know where they got that ratio from, but in this context, the exact percentages don’t matter. The point is that with a little bit of smarts and a whole lot more positive thinking, you’ll wind up where you need to be.
Most employees on a network don’t have the security aptitude to make the right choices when it comes to risk minimization with their own devices. They tend to choose first what’s free, then software with the most Consumerization of IT features and then whatever’s available on the sales rack at their local tech store. Generally speaking, their attitude is that risk minimization is the responsibility of the experts at their company. They will do the minimum required to prevent risk and protect data. Security gets in their way. Not a very good attitude.
Employees need to work with their security departments to get better educated on their organizations’ best practices for protection. Protection isn’t fool proof, so they also need to know who to call and how quickly to react when an incident occurs. Employees need to change their mindset to embrace that bringing your device to work also means that you need to take ownership of minimizing risk and protecting data.
Company leadership are generally early adopters of new technology that is brought to work. While that’s great for being productive (if they work), those devices are also higher risk. They are most targeted 1) for their street value and 2) because corporate executives tend to have the most interesting information stored on their devices. If you are a member of your company’s leadership, you need to comply with company BYOD protection rules just as much as your subordinates need to. No exceptions.
Some additional tips on how employees can protect themselves when they bring their own devices to work.
- Get insurance to protect the replacement cost of your high value asset or for yourself from employers redirecting liability. This is especially true if you handle large quantities of government-regulated or PCI DSS data on your device.
- Your organization’s BYOD decision provides you with the privilege to bring your own device, but they also have the right to revoke the program. If you don’t agree, change your attitude.
- Work with your IT departments and InfoSec officers to keep your device patched, AV up to date and data protected. You only need to know if your device is current and how to get current, not all the details of what it means to be current.
- Learn to work with security tools rather than around them. This is especially true with encryption. Just because the technology sounds complex, using it shouldn’t be.
- Educate yourself by reading security blogs and listening to podcasts so you are aware of the latest threats. Bringing your own device also means accepting working beyond your scheduled business hours.
Devices aren’t the main problem in a BYOD strategy: employees are. That’s why BYOD is not just a technical issue that can be left to an organization’s IT department. It needs a holistic approach that includes HR, data security and legal stakeholders. Sensible organizations adopting a BYOD strategy will have put in place a strategy that includes policies and guidelines, as well as technical constraints and parameters. The main thing that employees can do to minimize risk, therefore, is simply to comply with the policy approaches that their employers have – presumably for carefully thought-through reasons – put in place. If an organization concludes that, for compliance and liability reasons, it wants to use a particular file sharing platform instead of, say, Dropbox, employees should comply with that restriction instead of simply applying their own workaround and using Dropbox because their own clients use it, it’s more convenient and they think that it’s great.
It doesn’t help that many of the “approved” platforms to enable BYOD are less sexy and functionally flexible than “unapproved” ones – which encourages employees to go off-piste and use their own workarounds. So I think that the best thing an employee can do to minimize BYOD risk is to comply with whatever policies and technical parameters are in place and not take a BYOD policy as a licensed free-for-all. Pay attention to the forms, declaration or pop-up screens that warn of the scope of your organization’s BYOD program and how security applies to it.
And one final thing: just be sensible. There was a reported case over here in the UK just last month of a someone who showed his young son how online spread betting worked and then left his laptop around unsecured. You’d be surprised how short a time it takes for a 5 year old to run up £50,000 in losses! You can’t blame the device or the policy if someone willfully or recklessly ignores the rules.
The first thing employers need to do is to create and maintain an “authorized BYOD device list”. Employees wishing to bring new devices should submit a request for addition to this list. It should also be ensured that a remote wipe facility exists and is enabled, especially if company confidential information will be stored on the device.
Here are a few other things we encourage customers and our employees to practice:
- Ask employees to disable MiFi access to prevent other office workers from using a co-workers phone as a back-door Internet gateway.
- Make sure all employee devices have an auto-lock feature and that it’s enabled. Also, educate against “1111″ or “1234″ as the unlock code.
- Remind the employee that while their phone or tablet is at the office, it’s subject to inspect just like any other corporate device.
- If you’re like most everyone else, your kids will often play games and make use of your phone, ask employees to educate their children on safe browsing and reiterate that “this is mommy/daddy’s work phone, be careful!”
- Always try to use a secure connection ‘https://’ to favorite sites.
- Setup the browser to clear the cache upon closing the web browsers.
- Regarding strange emails, tell employees “Don’t click on that, this is not your lucky day!”
- Remote BYOD access should be treated in some ways the same as remote laptop access. For example, Cisco offers AnyConnect a Security Mobility Client for BYOD remote access.
- Use stronger one time password authentication when possible.
Kevin Flynn, Senior Manager, Products, Fortinet
Relying on employees to deal with security issues is like putting teenagers in driver’s ed classes. It may help make them better drivers but it doesn’t make them good drivers.
Nonetheless, just like teenagers can use driving tips, employees can use tips on how to minimize risks when bringing their personal devices to work.
First off, no jailbreaking! There’s just too much that can go wrong when someone tries to open up the OS on their smartphone.
Second, the age-old recommendation to back up data applies to tablets and smartphones as well. The complicating factor is that you might not want them to back up their business data via their personal back up methods. Backing up their work emails and documents should be done on the business network and nowhere else.
As for applications, it’s better to be safe than sorry. Android by default blocks users from installing apps that aren’t in the Android Market. And, while there are other legitimate places to get Android apps (such as the Amazon Appstore), do you really want users to enable “Unknown Sources?” This is less of an issue for iOS devices, but nonetheless, remind users to be careful what they download. Another hint is for them to check the settings of EVERY application they download. Apps have a funny way of sending private information to the net.
Now, with all these things said, good security really begins on the network. The move to personal devices at the office is a continuation of a trend that started back in the 1980′s when accountants began buying Personal Computers to run Lotus 1-2-3. Since that time, organizations have turned to network security to protect themselves. Since the network handles all the traffic (no matter what the user is doing while at work), the network is the best place to secure that traffic, log it and report on it.
An employee bringing their own devices to work is not a new concept; the problem in today’s world is that they want to connect the devices to corporate networks. Some may want to access wireless networks so that they can bypass web filters, other want to use their device to access business applications and data. Whatever reasons the employee gives for bringing a device to work they should follow these basic tips to minimize the risk they present:
- Firstly inform the information services department that you want to connect your device to the corporate network. They may have some guidelines that you need to follow. Many networks will have systems that detect mobile devices so it’s better to inform them directly.
- Do not use the device as a storage system for work data. If the device falls into the wrong hands this data can be accessed.
- Stop using passwords and start using passphrases. Keyboards on mobile devices can be cumbersome but this is not an excuse for using short and easy to guess passwords.
- Do not jailbreak or root the device. If the device has been tampered with then a full factory restore is recommended. Most security problems that I have come across were associated with jail broken devices. It also introduces a new risk as applications can gain root access and you may end up exposing your personal data.
- Avoid installing unnecessary apps. The more apps that are installed the greater the attack vector. Many malware infected apps exist in the mobile market places.
- Don’t be reliant on technologies like face unlock. A lot of these features are new and untested in the real world.
Employees need training before using their own devices. Risk profiles change dramatically as soon as any company allows any form of external device connectivity – whether via 3G, 4G or WiFi. Employees need to understand and share the risk with their employers and this needs careful planning.
In its simplest form, companies should consider using dedicated ‘sandboxed’ applications to allow access to information under the control of proper authentication, encryption, and access control frameworks. Ideally, these dedicated applications should automatically enforce security and privacy controls, while providing management tools to enable or disable services remotely.
Employees should always lock their devices – and employ a second, different passcode to work-related applications. In this way, the device and its data have a basic level of protection.
Also, every employee should read and understand the company policy on device usage – mobile devices deserve their own category in all policies – and these require regular review. Technology changes rapidly in the “bring your own device” (BYOD) environment, and policies need to reflect changes in technology, platforms and services. Employees, therefore, need to keep themselves up to date with new policies and raise any concerns with appropriately qualified technical managers.
Employees also need to consider questions such as legal use and liability for use. After all, an employer has permitted an employee to use a personal device. The company has no right of access to personal possessions, therefore, can the employer demand a full audit of a device and all its data? If so, what controls does the company have in place to protect any personal information from abuse? Another reason for implementing sandboxed dedicated applications – the company can then control its own sandbox, without needing to inspect the device as a whole. Remote wipe becomes a particular risk in a non-sandboxed environment – the company may need to wipe its data, but leave the employee’s data and applications intact.
Mobile devices also require regular software updates to remain current. Employees need to check with employers prior to updating devices with the latest operating systems or services. Upgrades may break legacy services and applications then require updates as appropriate. Employees need to consider the liability issues of introducing a problem by simply upgrading a device in line with the manufacturer’s recommendations.
Fundamentally, device owners need to assume that others will have access to their devices. Or that work will sometimes come in at a less than opportune moment (in the middle of a party, or during the night) or while the employee travels. In these circumstances, profiles and policies should reflect working hour directives, and consider the implications of an employee having 24 hour communication with the company. In many countries, directors have a legal obligation to protect the well being of their employees and should promote or enforce sensible working hour directives.
Employees may also want to consider what happens when things go wrong: what happens if broadband or mobile data services fail? Who pays for excessive data consumption or international roaming charges? How do you back up, restore, lock or remove data from devices – and prevent its loss? Does the company provide adequate controls over encryption policies (so that an employee could move between countries where encryption laws differ, without risk of imprisonment, for example)? Who insures what – and who pays for the insurance (does your domestic insurance cover your equipment for business use, for example)?
Proper policies and training resolve many of these issues. This topic really covers managing risk – in a shared environment. Employers and employees need to take responsibility for their own tools and provide adequate assurances (through regular audits) that the chosen device, any applications, data, and the associated management processes all operate correctly.
I’ve already accepted the fact that Bring-Your-Own-Device (BYOD) is a business trend that’s here to stay. According to “BYOD or Bust: Survey Results Report” by Software Advice, Inc. I recently read, just 23 percent of enterprise employees use company-sanctioned mobile devices only – meaning 77 percent of employees are using their own devices in some capacity to do their job. As the Chief Information Security Officer at Veracode I have experienced this trend firsthand and if it hasn’t hit you yet, the BYOD tidal wave is coming your way!
Formulating a BYOD policy is only one side of the equation – employee education is the other. Most business users simply aren’t aware of the security threats facing them when they use their favorite mobile device at work. We need to increase that threat awareness level and ultimately convert employees into willing participants in a secure mobile computing or BYOD program.
Here are ten tips to help device users protect personal information as well as their company’s data, IP and brand when they use their mobile devices at work.
- Use password protected access controls.
- Control wireless network and service connectivity.
- Control application access and permissions.
- Keep your OS and firmware current.
- Back up your data.
- Wipe data automatically if lost or stolen.
- Never store personal financial data on your device.
- Beware of free apps.
- Try mobile antivirus software or scanning tools.
- Use MDM software if recommended by IT.
Guest Contributor Biographies
Michael Finneran is principal at dBrn Associates, a full service advisory firm specializing in wireless and mobility; services include research, policy development, purchase analysis, and security/technology assessment. Mr. Finneran has worked in the networking field for over 30-years and has operated the practice since 1982. He has published numerous research reports, white papers, and has provided technical and market analysis on the full range of wireless technologies including Wi-Fi, cellular, WiMAX, fixed-mobile convergence, and mobile unified communications (mUC).
A lively and informative speaker, Michael has made frequent appearances at trade shows and conferences including Enterprise Connect (formerly VoiceCon), InterOp, BlackBerry World, and Mobile Explosion; he now serves as the program chairman for wireless and mobility at Enterprise Connect. In the consulting area, he has provided assistance regarding network design, market assessment, and strategic planning to wireline and wireless carriers, equipment vendors, end users, investment firms, and a number of government agencies.
For twenty-three years Michael wrote the Networking Intelligence column for “Business Communications Review”, and he now contributes on wireless and mobility to NoJitter, UC Strategies.com, Information Week, and The Voice Report. A number of his white papers are available on Webtorials.com, and he has contributed to Computerworld, SearchMobile.com, and The ACUTA Journal. In 2008 he published his first book Voice Over Wireless LANs- The Complete Guide.
Well respected as an educator, Michael has conducted over 2500 training seminars on networking topics in the US, Europe, Africa, and Asia. He taught in the Graduate Telecommunications program at Pace University, and conducted programs at the Center for the Study of Data Processing at Washington University in St. Louis.
A member of the Society of Telecommunications Consultants, Mr. Finneran holds a Masters Degree from the J. L. Kellogg Graduate School of Management at Northwestern University.
David Schwartzberg is a Senior Security Engineer at Sophos, a security company where he specializes in data protection. Utilizing his 6 years accounting experience and 17 years Information Technology experience, he speaks regularly with technology executives and professionals to help protect their corporate secrets and stay compliant. David earned a black belt in Taekwondo and is an amateur competitor.
Alistair Maughan is a partner based in the London office of international law firm Morrison & Foerster, and co-head of its global Technology Transactions Group. His work focuses on outsourcing and technology-based projects for clients as diverse as Her Majesty’s Revenue & Customs, Lloyds Banking Group, Investec, Old Mutual Group, Sun Life of Canada and Intel. He is a highly-regarded commercial lawyer with recommendations in the top bands of rankings in the leading independent guides to the legal profession. Alistair has a law degree from Leicester University and qualified as a solicitor in 1987. He has practised law on both sides of the Atlantic and is also admitted to the New York Bar.
Michael is the product manager for Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the ‘Tron’ to start Somix.
Michael is a guest blogger for: Plixer, TMCnet.com, BradReese.com and Enterasys.com.
Kevin Flynn, Senior Manager, Products, Fortinet
Kevin Flynn is Senior Manager, Products at Fortinet, one of the world’s largest network security companies, where he has worldwide responsibilities for a range of Fortinet products. He has over 15 years experience in the security industry, holding security marketing and product management positions at Fortinet and Cisco. Kevin also worked at Apple for 8 years where he held positions in marketing research and product management. Flynn is a frequent speaker on the topic of evolving threats and advanced security technologies at conferences and seminars worldwide.
Darragh Delaney is head of technical services at NetFort. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service.
Darragh has extensive experience in the IT industry, having previously worked for O2 and Tyco. His User and Network Forensics blog for Computer World focuses his experiences of network management and IT security in the real world. In his current role Darragh is regularly on site with network administrators and managers and this blog is a window into the real world of keeping networks running and data assets secure. He shares network security and management best practices on the NetFort blog.
Mike has extensive experience and a high profile in the mobile and Internet communications industry, with a proven track record for innovation and delivery of numerous patented technologies relating to consumer protection, security and mobile data systems. Mike currently sits on a number of Government Advisory Panels and presents at international security conferences.
Within the industry, organic growth and rapid technological change has introduced challenges for technology developers and consumers alike. Mike Hawkes is committed to ensuring that mobile data users have access to robust systems that support clearly defined services and promote secure mobile commerce.
As Chairman of the Mobile Data Association, Mike contributes to press articles and conferences relating to mobile data strategies. He has co-authored two books, and is a seasoned broadcaster having produced and presented numerous television/radio programs.
Mike’s privately funded Research and Development company, MH Invent Limited, provides IP sales/licensing services for his technology patents and applications.
Chris Wysopal, Co-Founder, CTO & Chief Information Security Officer, Veracode, @weldpond
Chris Wysopal is responsible for the security analysis capabilities of Veracode technology. Mr. Wysopal is recognized as an expert and a well known speaker in the information security field and was recently named one of InfoWorld’s Top 25 CTO’s and one of the 100 most influential people in IT by the editorial staffs of eWeek, CIO Insight and Baseline Magazine. Chris has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. He also has spoken as the keynote at West Point, to the Defense Information Systems Agency (DISA) and before the International Financial Futures and Options Exchange in London. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work.