Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

10/10/2012
12:55 PM
50%
50%

BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

Jesse Kornblum isn't your typical road warrior. As a computer forensics research guru (yes, that's his title) at Kyrus, a managed security services and consulting firm, he knows his stuff when it comes to information security.

But when traveling abroad, Kornblum is the first to admit that he's scared--or at least wary--that his security know-how won't be enough to protect him and his employer.

Take his upcoming business trip to Brazil. "Look, I'm a single guy, and Brazil is known for partying." It's likely that a new acquaintance or acquaintances will visit his room and have proximity to his phone or laptop, he says. Drive copying is a threat, as is outright theft of a device or information. A more sophisticated attacker might plant software on Kornblum's phone or laptop and monitor remotely.

Kornblum's concerns aren't the ravings of a computer forensics expert who has picked over the bloody remains of one too many network hacks. HD Moore, the CTO of security firm Rapid7, says that when he goes abroad, he brings a bare-bones netbook with data encryption installed and a BIOS and drive password enabled.

Moore also improvises anti-tamper features. He's been known to saw his netbook's case screws in half and pack the empty space in the screw holes with mashed Altoids to reveal if anyone had opened the device. Once when he left his netbook unattended in a Shanghai hotel room, he returned to find the powder gone from the screw hole and the BIOS password wiped, he says.

Like Kornblum and Moore, businesses everywhere are wrestling with security challenges posed by their increasingly mobile workforces. The reasons for this are clear: The workplace is undergoing its biggest transition since the desktop PC and client-server architecture displaced office mainframes more than two decades ago. This time around, it's PCs that are on the losing end to a ragged brigade of powerful, consumer-oriented mobile devices that include laptops, smartphones, and tablets in growing numbers.

The bring-your-own-device transition is transforming the workplace but also creating new risks for companies that plunge in without forethought and planning.

What's At Stake

A Forrester Research survey suggests that supporting employee-owned mobile devices isn't about letting people play Angry Birds at the office. More than three-quarters of employees who use smartphones at work and 63% who use tablets access their company intranet or portal sites using their mobile devices, according to a Forrester Research survey of 70 senior-level decision-makers at U.S., Canadian, U.K., and German companies. Fully 82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work. Mobile enterprise users are going beyond Microsoft Outlook to tap into applications such as SharePoint, WebEx, and Documentum.

Businesses are throwing the doors open to mobile devices. Seventy-two percent of technology pros expect increased use of employee-owned devices accessing business resources, according to the InformationWeek 2013 Mobile Device Management and Security Survey of 307 business technology pros.

The transition to BYOD policies is happening across the board, with Apple iPads and iPhones and Android phones overwhelmingly leading the charge.

Unfortunately, the increase in employee-owned mobile devices hasn't been accompanied by security policies and tools to manage them. "Most companies still have no formalized policies," says Vanja Svajcer, a principal researcher at SophosLabs, the malicious code research group at antivirus software developer Sophos PLC. They might have existing policies for PCs, he says, and with BYOD, companies must either relax those policies or adjust them to accommodate mobile devices. That means having IT help employees connect their personal devices to network resources such as the office Wi-Fi network, the Microsoft Exchange email server, or a content management system.

Consulting firm PricewaterhouseCoopers found that 36% of the companies it polled in its 2012 Global State of Information Security Survey had a mobile device security strategy in place. Personal device use is the norm at Kyrus, but Kornblum admits that the company doesn't have hard and fast rules around employees' use of those devices. "We're a small company with fewer than 15 employees," he says. "We talk frequently about people not being stupid, and our business is examining how security goes wrong."

At less-security-savvy firms, the "give access now and secure later" approach can increase risk across the board, including everything from lost devices and stolen data to the use of vulnerable software and questionable apps.

Previous
1 of 4
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
parmerchristian
50%
50%
parmerchristian,
User Rank: Apprentice
11/5/2012 | 7:56:43 PM
re: BYOD: Filling The Holes In Your Security Policy
82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work - this is the reality, but also it is a large security risk. The article makes important points about BYOD policy, and it is criticle to have a good policy. Also important is education of that policy. We changed our BYOD to have all doctors use a HIPAA compliant text messaging app called TIgertext to send patient info, but the adoption rate was very low, until we brought every docotr in, explained the policy, what we have it, and how to use the app. Now was have about a 97% use rate.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...