Risk | 3/2/2012 02:49 PM

4 BYOD Security Strategies For Small Business

Whether or not your company embraces the bring-your-own-device approach, don't ignore the data integrity and retention implications of all the personal smartphones and tablets showing up in the workplace.

Your network might be hosting a BYOD (bring your own device) party even if you don't realize it. It doesn't matter whether your company actually allows employees to use their personal mobile devices for business purposes: Those smartphones and tablets are still inside the corporate walls.

"It's a wave that's not stopping," said Wayne Wong, managing consultant at Kroll Ontrack, in an interview. Kroll Ontrack specializes in data recovery, e-discovery, and other legal applications of technology. "Even if you attempt to put a policy out there that prohibits the use of personal devices, you'll see a lot of them every day, more and more."

That leads to one of the critical issues inherent in the BYOD approach, company-sanctioned or not: Mixing personal and corporate data willy-nilly. Small and midsize businesses (SMBs) sometimes face a more significant struggle on this front than large enterprises. "It's very hard for them to be more controlling [of data] like some of the larger organizations are able to achieve," Wong said.

This can be a huge problem for firms that operate under regulatory restrictions. But even SMBs that aren't dealing with a heavy compliance burden could find themselves in a lawsuit or other situation where data integrity and retention become critical. Wong notes that SMBs can sometimes be overwhelmed by the data implications of a BYOD approach; they could just as easily ignore them altogether. Here are four interrelated strategies he recommends for harnessing the upside of BYOD while managing associated risks.

1. Technology Use Policy

Step one in ensuring a strong, manageable approach to data retention is to create a policy that outlines what is--and what isn't--acceptable for employees to do when it comes to personal mobile devices, applications, and other tech tools. "Policy or governance is the starting point that will then drive procedures and processes," Wong said. "Companies really need to make it clear to employees what is appropriate and what is not appropriate regarding the use of technologies such as Gmail or other personal e-mail accounts and social media, for example." That policy also needs to explicitly cover employee responsibilities for retaining and storing data. (See #3 for more on this.)

2. Employee Education

Assume the concept of data retention has never occurred to most of your staff--because it probably hasn't. "SMBs should organize periodic training so that employees can clearly understand the appropriate and inappropriate uses of their personal devices," Wong said. This training should cover things like social media usage, personally identifiable information, strong passwords, and privacy settings. Regarding the latter, Wong notes a common misconception among users: Confusing privacy with privilege. In the event of a lawsuit, an employee's social media data can be discoverable regardless of privacy settings--make sure employees understand that.

3. Data Segregation

Wong advises SMBs to make data segregation a fundamental practice--namely, keep corporate and personal data separate for retention purposes. This can save you a ton of headaches in the event of litigation, compliance-related audits, and so forth. The best way to enable this is to provision corporate storage space and make clear to employees the processes for backing up their data there--and for keeping their personal info out.

4. The Social Factor, Redux

Social media should be a critical part of the aforementioned education and training, but it gets an encore here because it flies in the face of #3. "One of the dangers of social media is that it does not allow a segregation of your professional life and your private life," Wong said. A simple example: The second someone lists their employer--and all of their previous employers, to boot--on Facebook, that line instantly vanishes. "When people post things--whether pictures, opinions, comments--all of that now is exposed to scrutiny, regardless of the impression that Facebook gives you that you have privacy settings," Wong said. He added that the legal system is increasingly inclined to consider social media information discoverable in lawsuits; user privacy settings are irrelevant.

The social business boom also points to an underlying issue that Wong thinks employees often don't recognize when they bring personal technology into their jobs. Caveat emptor, modern worker: "I don't think people understand that, when they ask to use a personal device and get blessed, they've agreed to the fact that now anything they do on that personal device can be argued to be company property," Wong said.

Comments
tonys3kur3 | 4/20/2012 6:40:45 PM
re: 4 BYOD Security Strategies For Small Business
BYOD has a number of benefits for the company and the end-user, but it has issues as well. Companies need to be conscious of safeguarding internal resources from compromised BYOD devices, and protecting proprietary data on those devices as well. I like the information in this article about how to embrace mobility and BYOD without compromising on security. http://www.pcworld.com/article...
Brian Shea | 3/5/2012 11:48:32 AM
re: 4 BYOD Security Strategies For Small Business
Arthur, the concept of a dual persona is tough for some people to grasp. Even when the importance of separating work and personal is explained to them, it is like explaining percentages or fractions to them.

How many people do you know use their work email for everything? All those dumb jokes, forwarding photos, and dating messages...
Or the small businesses that even have a web address for their business, but still use their AOL account for email?

You are correct though, that companies should 'force' the dual personas, perhaps by telling everyone that everything using the business address is property of the business, and subject to review. Then a month later, actually review some personal emails with them. :) Watch how quickly the personal stuff leaves the work email.
artr | 3/4/2012 2:47:13 AM
re: 4 BYOD Security Strategies For Small Business
I am surprised that this post did not mention the use of "dual persona" mobile clients that will keep personal and business contacts completely separated on smartphone/tablet devices. The "dual persona" approach is what will enable practical BYOD policies to be established without all the "training" that is suggested.