Allow or ban: how to implement the BYOD concept without harming information security


Every year more and more companies implement the BYOD concept in one form or another. According to a study by Global Market Insights, by 2022 the volume of the BYOD market will exceed 366 billion, and Cisco reports that 95% of organizations in one form or another allow the use of personal devices in the workplace and that this approach saves $350 per year per employee. At the same time, BYOD creates a lot of complexity for IT and a variety of risks for the company.

Many people perceive the ability to do work tasks on their own gadgets as an element of freedom, a progressive approach to the company-employee relationship, and generally a typical example of a win-win strategy. In general, there is no reason to doubt this: the employee solves work problems on hardware they chose themselves, and the company gets an employee who is always connected and does the job even after hours. According to Frost & Sullivan, BYOD adds up to 58 minutes a day to employees' working time and increases productivity by 34%.
Despite the benefits, BYOD creates problems: incompatibility, timely installation of security updates, theft of and damage to personal devices. And this is only a small part of the headaches you have to endure in the name of convenience. This post discusses how to solve these problems while maintaining a balance between security and efficiency.
BYOD
Stands for Bring Your Own Device, or “bring your own device”. In 2004 the VoIP service provider BroadVoice proposed connecting customers' equipment to its network and called this approach BYOD. In 2009 Intel “updated” the concept of BYOD, somewhat extending its meaning. Thanks to Intel, the term has come to mean the use of personal devices by employees to solve business problems.
Since there is no strict definition of BYOD, different organizations can understand the concept in different ways. For example, some companies allow employees to use personal devices for work, but the employee bears all communication and repair costs. Other companies compensate for these costs or connect employees to the corporate contract.
Since in the case of BYOD the company does not select the devices that employees use, the problem of compatibility arises in full. CYOD, another concept similar to BYOD, makes it possible to fix this while also settling the financial and legal questions.

CYOD
The acronym CYOD stands for Choose Your Own Device, or “choose your device”. Under this concept, the employee can select from a list of standard devices the one that will best enable them to meet their objectives. Depending on corporate policy, CYOD can allow or prohibit the use of corporate devices for personal purposes.

COPE
This term stands for Corporate-Owned, Personally Enabled and means that the devices the employee selects are purchased by the company, but the employee sets them up and maintains them. As a rule, COPE implies that the device may be used for personal purposes.

POCE
POCE — Personally owned, company enabled, “purchased by the employee, permitted in the company”. In fact, it is just another name for BYOD.

The benefits of BYOD

For employees
• one device for personal and work tasks (if it’s not against corporate policy),
• the ability to use new device models,
• mobility,
• flexible schedule,
• remote work.

For the company
• cost reduction — companies do not have to purchase devices for employees,
• increased motivation of employees,
• availability of staff outside working hours,
• faster handling of urgent matters,
• reduced office space needs.

Risks and threats of BYOD

The risks associated with BYOD are a natural consequence of the concept's advantages. The more freedom employees have in using personal devices to interact with the company’s network, the more potential damage they can cause.

The loss or theft of the device
If an employee loses a laptop that was used for company work, it will create a lot of problems. Over time, corporate documents inevitably accumulate on the device, including confidential ones and documents containing personal information. A leak of such information is likely to result in penalties, and competitors or attackers can use it for blackmail or simply sell it on the black market to cybercriminals who organize targeted or phishing attacks.
But in addition to documents, the device stores credentials for access to the corporate network and/or encryption keys written to the registry so as not to bother with tokens. Using this information, an attacker could penetrate the network, steal everything within reach, and install malware.
Another issue is that an employee deprived of their working tool cannot do what they are paid for. This issue needs to be solved as quickly as possible. While a large corporation will probably be able to find equipment in its reserve, a startup cannot count on such a luxury.

Vulnerability and malware
It is obvious that employees working under the BYOD scheme will use their devices not only for work but also for personal tasks. When work is done, they will watch online video, look for essays for their kids, and play games downloaded from torrent trackers. And with non-zero probability, so will their children.
The results of such carelessness are, as a rule, not too inspiring: spyware, encrypting ransomware, and backdoors appear on the device. When it connects to the corporate network, the whole set of malware will look for a new victim. And it may well find one. But even without this, stolen logins, passwords, and details of corporate credit cards are harmful enough.
Even if the employee behaves responsibly, does not visit suspicious websites, and does not download pirated software, there remains the problem of phishing emails, as well as of keeping the OS and applications up to date. Using known vulnerabilities, malware can infect the device on its own or with minimal participation from the user, who clicks a link in an email that looks very much like an ordinary message from a business partner.

Mobility as a problem
Using equipment on the move under BYOD means not only an increased risk of losing a favorite gadget but also risks associated with privacy. Those who like to work in coffee shops and other public places do not take into account the fact that
• they are in sight of strangers and cameras, which means that the passwords they enter and the documents they work on become public;
• using public Wi-Fi networks at airports and hotels carries the risk that the transmitted information will be intercepted or that a malicious script will get onto the device;
• active use of mobile Internet while roaming can lead to financial losses.

How to protect yourself?

The risks posed by BYOD cannot be excluded completely. But by combining organizational and technical measures, you can minimize the damage or even eliminate it completely. The main ways to ensure BYOD security are virtualization; management of mobile devices, applications, and data; and intelligent endpoint security systems.

Virtualization
The beauty of this technology is that the user’s device is used solely for access to a virtual workplace. All documents and programs are also located there and are not copied to the device. The virtual workplaces are maintained by IT specialists, so all that is required of the employee is to keep secret the credentials for access to the corporate network. This will not help if spyware gets onto the device, but it will rule out data loss in case of theft.

MDM, MCM, MAM and other mobile device management
Mobile device management systems centrally manage the whole BYOD zoo, setting restrictions on documents, on the resources to which the user has access, and on the operations the user can perform when connected to the corporate network.
For example, Microsoft Intune supports devices running Windows, macOS, iOS, and Android, and allows administrators to:
• automatically remove corporate data if the device has not connected to the service within a given time;
• prohibit saving corporate information to any location except “OneDrive for Business”;
• require a PIN code or a fingerprint to access Office applications;
• prevent copying of corporate data from Office to personal applications.
Solutions of this kind for managing mobile devices are offered by Apple (Apple MDM), Citrix (XenMobile), Cisco (Meraki), Trend Micro (Mobile Security for Enterprise), and a number of independent vendors.
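
The four Intune controls listed above can be checked against an exported app protection policy. The following is an added example, not code from the original article or from Microsoft: the property names follow the Microsoft Graph managedAppProtection resource, while the two sample policies and the 90-day threshold are constructed assumptions.

```python
import re

MAX_OFFLINE_DAYS = 90  # assumed organisational threshold, not from the article

def iso_days(duration):
    """Days in an ISO 8601 duration such as 'P90D' or 'PT12H'; None if unparseable."""
    if not isinstance(duration, str):
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d + (h * 3600 + mi * 60 + s) / 86400

def audit_policy(policy):
    """Return findings for the four listed controls; missing settings fail closed."""
    findings = []
    # 1. Corporate data is wiped if the device stays offline too long.
    days = iso_days(policy.get("periodOfflineBeforeWipeIsEnforced"))
    if days is None or days > MAX_OFFLINE_DAYS:
        findings.append("offline-wipe: interval missing or above %d days" % MAX_OFFLINE_DAYS)
    # 2. Saving is blocked everywhere except OneDrive for Business.
    extra = set(policy.get("allowedDataStorageLocations", [])) - {"oneDriveForBusiness"}
    if not policy.get("saveAsBlocked") or extra:
        findings.append("save-location: saving outside OneDrive for Business is possible")
    # 3. A PIN (or fingerprint in its place) is required to open the apps.
    if not policy.get("pinRequired"):
        findings.append("app-pin: no PIN or fingerprint prompt before app access")
    # 4. Corporate data cannot be transferred or pasted into personal apps.
    dest = policy.get("allowedOutboundDataTransferDestinations")
    clip = policy.get("allowedOutboundClipboardSharingLevel")
    if dest not in ("managedApps", "none") or clip in ("allApps", None):
        findings.append("copy-out: corporate data can reach personal apps")
    return findings

# Constructed sample policies (not real exports).
WEAK = {"displayName": "constructed-weak", "periodOfflineBeforeWipeIsEnforced": "P720D",
        "saveAsBlocked": False, "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
        "pinRequired": False, "allowedOutboundDataTransferDestinations": "allApps",
        "allowedOutboundClipboardSharingLevel": "allApps"}
HARDENED = {"displayName": "constructed-hardened", "periodOfflineBeforeWipeIsEnforced": "P30D",
            "saveAsBlocked": True, "allowedDataStorageLocations": ["oneDriveForBusiness"],
            "pinRequired": True, "allowedOutboundDataTransferDestinations": "managedApps",
            "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn"}

if __name__ == "__main__":
    for p in (WEAK, HARDENED):
        print(p["displayName"], audit_policy(p) or "OK")
```

An empty or partial policy is reported as failing every control it does not set, so a forgotten setting shows up as a finding rather than passing silently.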

Protecting BYOD
Even the most advanced management will not help if malware gets onto the device, so in the case of BYOD it is necessary to use, as a mandatory component, security solutions of the XDR class (X Detection and Response, where X corresponds to a variety of corporate environments). Such systems are able to detect and help stop unknown threats by monitoring all information systems in the enterprise. Trend Micro's approach to XDR includes an EDR subsystem (Trend Micro Apex One), which provides multi-layered security for endpoint devices, and the Deep Discovery network products, which can identify threats on nodes without security agents.

In the end

Uncontrolled use of BYOD can become a huge problem. To fully enjoy all the advantages of using personal devices for business tasks, it is necessary to take the risks into account and to protect both the network perimeter and users' devices. An additional layer of protection comes from developing security policies and putting them into everyday practice, so that users have something to guide them in their work.
