Dark Reading is part of the Informa Tech Division of Informa PLC


10/10/2012 12:55 PM

BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

Jesse Kornblum isn't your typical road warrior. As a computer forensics research guru (yes, that's his title) at Kyrus, a managed security services and consulting firm, he knows his stuff when it comes to information security.

But when traveling abroad, Kornblum is the first to admit that he's scared--or at least wary--that his security know-how won't be enough to protect him and his employer.

Take his upcoming business trip to Brazil. "Look, I'm a single guy, and Brazil is known for partying." It's likely that a new acquaintance or acquaintances will visit his room and have proximity to his phone or laptop, he says. Drive copying is a threat, as is outright theft of a device or information. A more sophisticated attacker might plant software on Kornblum's phone or laptop and monitor remotely.

Kornblum's concerns aren't the ravings of a computer forensics expert who has picked over the bloody remains of one too many network hacks. HD Moore, the CTO of security firm Rapid7, says that when he goes abroad, he brings a bare-bones netbook with data encryption installed and a BIOS and drive password enabled.

Moore also improvises anti-tamper features. He's been known to saw his netbook's case screws in half and pack the empty space in the screw holes with mashed Altoids to reveal if anyone had opened the device. Once when he left his netbook unattended in a Shanghai hotel room, he returned to find the powder gone from the screw hole and the BIOS password wiped, he says.

Like Kornblum and Moore, businesses everywhere are wrestling with security challenges posed by their increasingly mobile workforces. The reasons for this are clear: The workplace is undergoing its biggest transition since the desktop PC and client-server architecture displaced office mainframes more than two decades ago. This time around, it's PCs that are on the losing end to a ragged brigade of powerful, consumer-oriented mobile devices that include laptops, smartphones, and tablets in growing numbers.

The bring-your-own-device transition is transforming the workplace but also creating new risks for companies that plunge in without forethought and planning.

What's At Stake

A Forrester Research survey suggests that supporting employee-owned mobile devices isn't about letting people play Angry Birds at the office. More than three-quarters of employees who use smartphones at work and 63% who use tablets access their company intranet or portal sites using their mobile devices, according to a Forrester Research survey of 70 senior-level decision-makers at U.S., Canadian, U.K., and German companies. Fully 82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work. Mobile enterprise users are going beyond Microsoft Outlook to tap into applications such as SharePoint, WebEx, and Documentum.

Businesses are throwing the doors open to mobile devices. Seventy-two percent of technology pros expect increased use of employee-owned devices accessing business resources, according to the InformationWeek 2013 Mobile Device Management and Security Survey of 307 business technology pros.

The transition to BYOD policies is happening across the board, with Apple iPads and iPhones and Android phones overwhelmingly leading the charge.

Unfortunately, the increase in employee-owned mobile devices hasn't been accompanied by security policies and tools to manage them. "Most companies still have no formalized policies," says Vanja Svajcer, a principal researcher at SophosLabs, the malicious code research group at antivirus software developer Sophos PLC. They might have existing policies for PCs, he says, and with BYOD, companies must either relax those policies or adjust them to accommodate mobile devices. That means having IT help employees connect their personal devices to network resources such as the office Wi-Fi network, the Microsoft Exchange email server, or a content management system.

Consulting firm PricewaterhouseCoopers found that 36% of the companies it polled in its 2012 Global State of Information Security Survey had a mobile device security strategy in place. Personal device use is the norm at Kyrus, but Kornblum admits that the company doesn't have hard and fast rules around employees' use of those devices. "We're a small company with fewer than 15 employees," he says. "We talk frequently about people not being stupid, and our business is examining how security goes wrong."

At less-security-savvy firms, the "give access now and secure later" approach can increase risk across the board, including everything from lost devices and stolen data to the use of vulnerable software and questionable apps.

Comments
parmerchristian, User Rank: Apprentice, 11/5/2012 | 7:56:43 PM
re: BYOD: Filling The Holes In Your Security Policy
82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work - this is the reality, but also it is a large security risk. The article makes important points about BYOD policy, and it is critical to have a good policy. Also important is education of that policy. We changed our BYOD to have all doctors use a HIPAA-compliant text messaging app called TigerText to send patient info, but the adoption rate was very low, until we brought every doctor in, explained the policy, why we have it, and how to use the app. Now we have about a 97% use rate.