BYOD is a big deal in the modern workplace. Research shows that nearly all (95%) companies permit employee use of personal devices for work purposes, and as many as 87% of organizations actually depend to some degree on employees being able to access work-related apps and services from their own devices.
Unfortunately, BYOD also introduces massive new security risks. Forty percent of large data breaches are caused by lost or stolen devices, and half of organizations that allow BYOD have been breached via employee-owned devices.
The use of PDAs, smartphones, iPads, and personal laptops can thus leave the company open to loss of data through both theft of the device and interception of wireless communications, especially in environments like a coffee shop or airport that offer free and unsecured Wi-Fi connections.
Favor app-less security.
One strategy: app-less or agentless security. Enterprise applications should be securely accessible without installing apps on each device. That’s because locally stored apps are riskier: they enlarge the attack surface, increase the amount of sensitive data stored on the device, and add to the volume of software that must be kept continuously updated. Additionally, app-less services mean that data access can be monitored, controlled, and even shut off at the source, leaving little to no data exposed on local devices. If there is a breach, it can be dealt with immediately and the impact lessened.
Instead, require employees to use a secure cloud-based remote access VPN gateway that keeps security and control within the company, and/or to use services hosted in secure cloud environments like Amazon GovCloud. ERM solutions, for example, should be accessible with just a cloud sign-on and should not require the installation of a separate, standalone app on the device.
Also make sure you continue to enforce normal security protocols on individual devices. For example, role-based security protections – restrictive, custom access protocols determined by the employee’s job and security level – should apply no matter where or how the employee accesses records.
Have contingency plans already in place.
If nearly half of data breaches are the result of lost or stolen devices, organizations need to have clear plans and policies in place to deal with that situation. To start, employees must immediately report the loss or theft, but this step alone introduces a lot of questions:
- To whom should they report the loss or theft?
- What information do they need to provide?
- What additional steps should the employee take?
- Then, what actions does IT need to take (e.g., locking the device remotely, wiping data, resetting the user’s passwords)?
- Who is responsible for taking those actions?
These kinds of questions need answering before the problem occurs, and to ensure consistency, they need to be enshrined in formal written policies.
Think carefully about your policies, though. Avoid creating inadvertent barriers to desirable actions. For example, if your policies include penalties for employees losing devices, you might inadvertently disincentivize them from reporting the lost device, which could lead to a worse security failure over time.
Train and educate users.
Employees also need to be instructed on any policies relating to BYOD usage, including what to do if there’s a security lapse.
More than anything, however, it’s key to educate users about how to use their own devices securely. For example, secure, private, or privileged content should not be transmitted via text message or normal email, neither of which is secure. So, users should not download records to a personal device and then send them via SMS to a work colleague. But many workers won’t even realize this is a potential security lapse unless they’re specifically instructed.
Similarly, one of the biggest security threats to employees using their personal devices is targeted phishing attacks. Government workers in particular are at high risk of phishing attacks from foreign adversaries, and it’s important that any government worker using their own device for work purposes understands how to recognize and respond to phishing attempts.
About PSL
PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.