BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?
Sidebar: Five Tips For Better BYOD Security

Letting employees bring their own devices onto the company network doesn't have to be complicated, says Kevin Mahaffey, CTO and a co-founder of Lookout Mobile Security, which makes security software for mobile devices. He suggests five simple steps for an effective BYOD security program.

1. Have sensible, but not restrictive, policies. Emphasize user education about the threats posed by lost, stolen, and infected mobile devices, and enforce reasonable policies such as requiring a PIN code to unlock any mobile device used on the company network.

2. Implement remote lock, wipe, and locate features on company- and employee-owned devices. Any number of mobile device management packages offer these kinds of remote features, and device location and remote wipe come standard with newer versions of Apple's iOS software.

3. Install anti-malware protection. It's still early days for mobile malware, but the trend lines point sharply up and to the right. Better to be safe than sorry: Install mobile anti-malware now.

4. Road warriors should use VPNs for everything when connecting to company assets from mobile devices, especially when connecting over public Wi-Fi.

5. Focus on authentication and identity. Strong passwords aren't enough, especially when keylogging malware and man-in-the-middle attacks may be present. Multifactor authentication or federated identity should be used to access high-value services on the company network. --Paul Roberts

Sidebar: Mobile Device Security On The Road

HD Moore created the Metasploit penetration testing framework and is CTO at the security firm Rapid7. He's also notoriously paranoid about getting hacked--quite fitting for someone who makes a living poking holes in others' defenses. Moore has several practical tips for business travelers:

1. Beware of Wi-Fi. Moore recommends turning off Wi-Fi on your phone, tablet, and laptop. If you have to use the hotel or other Wi-Fi, be aware that you're at risk the second you connect, he says. There's a "window of opportunity between when you authenticate to the captive portal and when you bring up the VPN that leaves your traffic at the mercy of anyone with a netbook and a shell script."

2. Turn off Bluetooth. Nearly all Bluetooth headsets are insecure and can be used to listen in on private conversations. Bluetooth services on laptops can expose security weaknesses and even your file system.

3. Connect to your corporate VPN as soon as you can if you have to use an untrusted network. This puts your traffic in "full tunnel" mode, making it difficult for hackers to sniff or use man-in-the-middle tactics from the local network. If the VPN connection drops, close out Outlook and any sensitive applications until the connection is re-established.

4. Keep a close eye on your equipment. Never leave laptops, bags, or notebooks with sensitive information out of your sight.

5. Don't share files with strangers using USB keys. You have no idea what they are giving you, and by letting someone borrow your key, they can easily copy all of the data off the drive, even deleted contents from the free space. --Paul Roberts
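The "window of opportunity" in tip 1 and the "full tunnel" advice in tip 3 both come down to one question: where does the host's default route point right now? The following script is an added example, not code from Moore, Rapid7 or the original article. It parses Linux `ip route show` output, classifies the tunnel state as full, split or none, and answers "which interface would carry traffic to this address?" with a longest-prefix match. The three routing tables it carries are constructed samples, and the interface-name prefixes it treats as tunnels are an assumption.

```python
"""Report whether the Linux routing table sends all traffic into the VPN.

Added example (not from the original article). Parses `ip route show`
output, classifies the tunnel state as "full", "split" or "none", and
resolves "which interface carries traffic to address X?" with a
longest-prefix match. The three routing tables below are constructed.
"""
import ipaddress
import subprocess
import sys

# Assumption: interfaces with these name prefixes are VPN tunnels.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp", "utun")

# Constructed sample: hotel Wi-Fi, no VPN.
NO_VPN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed sample: OpenVPN with `redirect-gateway def1`. The physical
# default route stays, but the two /1 routes via tun0 are more specific and
# win. The host route to the VPN server (203.0.113.10) must stay on wlan0.
FULL_TUNNEL_DEF1 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: split tunnel, only the corporate 10/8 goes via tun0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""


def parse_routes(text):
    """Return [(network, device), ...] from `ip route show` output.

    Lines whose first token is not a prefix ('local', 'broadcast',
    'unreachable' entries from `table all`) are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            net = ipaddress.ip_network(
                "0.0.0.0/0" if fields[0] == "default" else fields[0], strict=False)
        except ValueError:
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def is_tunnel(dev):
    return dev is not None and dev.startswith(TUNNEL_PREFIXES)


def egress_device(routes, ip):
    """Longest-prefix match: the interface that would carry traffic to `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def tunnel_mode(routes):
    """'full' if everything not explicitly routed elsewhere goes via a tunnel,
    'split' if only some prefixes do, 'none' if there is no tunnel route."""
    tunnelled = [net for net, dev in routes if is_tunnel(dev)]
    if not tunnelled:
        return "none"
    if any(net.prefixlen == 0 for net in tunnelled):
        return "full"                      # default route itself via tunnel
    halves = {str(net) for net in tunnelled if net.prefixlen == 1}
    if halves >= {"0.0.0.0/1", "128.0.0.0/1"}:
        return "full"                      # OpenVPN redirect-gateway def1
    return "split"


def main():
    """Exit 0 only when the live routing table is a full tunnel, so the script
    can gate a sensitive app: `python3 vpn_check.py && thunderbird`."""
    try:
        out = subprocess.run(["ip", "route", "show"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"cannot read routing table: {exc}", file=sys.stderr)
        return 2
    mode = tunnel_mode(parse_routes(out))
    print(f"tunnel mode: {mode}")
    return 0 if mode == "full" else 1


if __name__ == "__main__":
    sys.exit(main())
```

A naive "default via tun0" check misses the common OpenVPN case, where the physical default route is left in place and overridden by two /1 routes; the def1 check above handles that. The script looks only at the main routing table and ignores metrics, so a WireGuard setup that routes via policy rules and a separate table (wg-quick does this) needs `ip route show table all` fed to `parse_routes` instead. Run in a loop, the exit code is the signal Moore describes: when it flips away from full, the VPN has dropped and mail and other sensitive applications should be closed until it comes back.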

Chart: Do you predict an increase in the percentage of employee-owned smartphones and tablets accessing business resources?