Risk
3/2/2012
02:49 PM

4 BYOD Security Strategies For Small Business

Whether or not your company embraces the bring-your-own-device approach, don't ignore the data integrity and retention implications of all the personal smartphones and tablets showing up in the workplace.

10 iPad Annoyances, Solved
Your network might be hosting a BYOD (bring your own device) party even if you don't realize it. It doesn't matter whether your company actually allows employees to use their personal mobile devices for business purposes: Those smartphones and tablets are still inside the corporate walls.

"It's a wave that's not stopping," said Wayne Wong, managing consultant at Kroll Ontrack, in an interview. Kroll Ontrack specializes in data recovery, e-discovery, and other legal applications of technology. "Even if you attempt to put a policy out there that prohibits the use of personal devices, you'll see a lot of them every day, more and more."

That leads to one of the critical issues inherent in the BYOD approach, company-sanctioned or not: Mixing personal and corporate data willy-nilly. Small and midsize businesses (SMBs) sometimes face a more significant struggle on this front than large enterprises. "It's very hard for them to be more controlling [of data] like some of the larger organizations are able to achieve," Wong said.

This can be a huge problem for firms that operate under regulatory restrictions. But even SMBs that aren't dealing with a heavy compliance burden could find themselves in a lawsuit or other situation where data integrity and retention become critical. Wong notes that SMBs can sometimes be overwhelmed by the data implications of a BYOD approach; they could just as easily ignore them altogether. Here are four interrelated strategies he recommends for harnessing the upside of BYOD while managing associated risks.

1. Technology Use Policy

Step one in ensuring a strong, manageable approach to data retention is to create a policy that outlines what is--and what isn't--acceptable for employees to do when it comes to personal mobile devices, applications, and other tech tools. "Policy or governance is the starting point that will then drive procedures and processes," Wong said. "Companies really need to make it clear to employees what is appropriate and what is not appropriate regarding the use of technologies such as Gmail or other personal e-mail accounts and social media, for example." That policy also needs to explicitly cover employee responsibilities for retaining and storing data. (See #3 for more on this.)

2. Employee Education

Assume the concept of data retention has never occurred to most of your staff--because it probably hasn't. "SMBs should organize periodic training so that employees can clearly understand the appropriate and inappropriate uses of their personal devices," Wong said. This training should cover things like social media usage, personally identifiable information, strong passwords, and privacy settings. Regarding the latter, Wong notes a common misconception among users: Confusing privacy with privilege. In the event of a lawsuit, an employee's social media data can be discoverable regardless of privacy settings--make sure employees understand that.

3. Data Segregation

Wong advises SMBs to make data segregation a fundamental practice--namely, keep corporate and personal data separate for retention purposes. This can save you a ton of headaches in the event of litigation, compliance-related audits, and so forth. The best way to enable this is to provision corporate storage space and make clear to employees the processes for backing up their data there--and for keeping their personal info out.

4. The Social Factor, Redux

Social media should be a critical part of the aforementioned education and training, but it gets an encore here because it flies in the face of #3. "One of the dangers of social media is that it does not allow a segregation of your professional life and your private life," Wong said. A simple example: The second someone lists their employer--and all of their previous employers, to boot--on Facebook, that line instantly vanishes. "When people post things--whether pictures, opinions, comments--all of that now is exposed to scrutiny, regardless of the impression that Facebook gives you that you have privacy settings," Wong said. He added that the legal system is increasingly inclined to consider social media information discoverable in lawsuits; user privacy settings are irrelevant.

The social business boom also points to an underlying issue that Wong thinks employees often don't recognize when they bring personal technology into their jobs. Caveat emptor, modern worker: "I don't think people understand that, when they ask to use a personal device and get blessed, they've agreed to the fact that now anything they do on that personal device can be argued to be company property," Wong said.

Comments
tonys3kur3, User Rank: Apprentice
4/20/2012 | 6:40:45 PM
re: 4 BYOD Security Strategies For Small Business
BYOD has a number of benefits for the company and the end-user, but it has issues as well. Companies need to be conscious of safeguarding internal resources from compromised BYOD devices, and protecting proprietary data on those devices as well. I like the information in this article about how to embrace mobility and BYOD without compromising on security. http://www.pcworld.com/article...
Brian Shea, User Rank: Apprentice
3/5/2012 | 11:48:32 AM
re: 4 BYOD Security Strategies For Small Business
Arthur, the concept of a dual persona is tough for some people to grasp. Even when the importance of separating work and personal is explained to them, it is like explaining percentages or fractions to them.

How many people do you know use their work email for everything? All those dumb jokes, forwarding photos, and dating messages...
Or the small businesses that even have a web address for their business, but still use their AOL account for email?

You are correct, though, that companies should 'force' the dual personas, perhaps by telling everyone that everything using the business address is property of the business and subject to review. Then a month later, actually review some personal emails with them. :) Watch how quickly the personal stuff leaves the work email.
artr, User Rank: Apprentice
3/4/2012 | 2:47:13 AM
re: 4 BYOD Security Strategies For Small Business
I am surprised that this post did not mention the use of "dual persona" mobile clients that will keep personal and business contacts completely separated on smartphone/tablet devices. The "dual persona" approach is what will enable practical BYOD policies to be established without all the "training" that is suggested.