20,000 Leagues Under the BYOD

By: (ISACA Cybersecurity Fundamentals, CompTIA A+, Security+)

Publication: The Kansas Banker, September 2017

You're standing on the edge and everyone is cheering you on! The waters look deep, blue and promising, far below. As you look around, everyone else seems to be taking the plunge, smart devices gripped tight, right into "Bring Your Own Device."

A step closer to the edge. A faint glint on the water. Is that a fin? Just a dolphin playing in the sun, you decide. You exhale, take a deep breath and then…

"Wait!" a friendly voice cries out as a figure runs frantically in your direction. It’s your auditor!

"I’m not here to spoil the fun," he says, a little out of breath. "The BYOD Lagoon is an awesome place, but there’s a few things you should know before you dive in. You read the manual, right?"

Your blank stare is telling enough.

He produces an ancient tome out of nowhere: 20,000 Leagues Under the BYOD.

"Read it, you must," he says, handing it to you.

Devices and Operating Systems

There are many types of smart devices for sale today and most of them run a handful of prominent operating systems. Some devices and even operating systems may be more secure than others. Consider the business requirements and only allow devices and software that meet those needs.

Wireless Access

Although cell phones typically have their own data connection, many tablets, laptops and other devices do not. If your institution decides to provide (or already has) a secure place for employees to wirelessly connect devices while they are at work, there are a few avenues to ponder:


  • Corporate WiFi - Wireless access is an extension of the Local Area Network (LAN). This means any connected devices may have access to the internal network or file shares. Consider the risks of mobile access to these resources and whether it is possible to “isolate” these devices while still providing connectivity.
  • External WiFi - Wireless access is provided by a separate connection to an Internet Service Provider (ISP) and is completely segmented from the internal network. This method has the benefit of confining wireless devices to an external connection, which increases security, but will not be helpful if employees need to access internal resources. An additional perk to this method is the possibility of extending wireless access to guests.
  • No WiFi - Employees must rely on personal/corporate data plans or WiFi connections from home or other places they may remotely work. If a limited number of employees are approved for BYOD, it may not make sense to provide WiFi for those devices. Employees must be trained to practice good security habits if they will be using devices on open or unknown networks outside of the institution.


Passwords

We put great emphasis on strong passwords for traditional computer equipment, but the same philosophy should extend to mobile devices used for business purposes as well. Consider your institution’s current password policy and implement requirements for mobile devices including length, complexity, frequency of change and failed attempt (usually lock out or data wipe) consequences.

Lost or Stolen Devices

All devices enrolled in a corporate BYOD program should have the following technologies in place in the event they are lost due to accident or theft:


  • Remote Data Wipe – most modern mobile device management (MDM) suites can send a command to a lost or stolen device that initiates a full data wipe. Ensure that these options are available and enabled as part of the device enrollment process.
  • Encryption – the last line of defense against data theft is to require encryption of the internal storage medium (as well as any removable SD cards for smart phones). An encrypted device’s data is inaccessible to anyone unable to decrypt it. Data is typically decrypted by a password or fingerprint at login, so making sure strong passwords or biometric security is in place is equally important.
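As an added example (not from the article or the magazine), here is a small Python check that evaluates device enrollment records against the controls described above: approved operating systems, passcode length, complexity, age and failed-attempt consequences, storage and SD card encryption, and remote wipe enrollment. The record fields, the approved OS versions and the policy thresholds are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass
# Assumed thresholds (not from the article): approved platforms with a minimum
# (major, minor) version, and the passcode and lockout limits of the policy.
APPROVED_OS = {"ios": (15, 0), "android": (12, 0)}
POLICY = {"min_passcode_len": 6, "require_complexity": True,
          "max_passcode_age_days": 90, "max_failed_attempts": 10}
@dataclass
class Device:  # one enrollment record as an MDM inventory might report it (fields assumed)
    owner: str
    os_name: str
    os_version: tuple          # (major, minor)
    passcode_len: int
    passcode_complex: bool     # mixed character classes
    passcode_age_days: int     # days since last change
    max_failed_attempts: int   # 0 = no lockout/wipe configured
    storage_encrypted: bool
    sd_card_encrypted: bool    # True also when no SD card is fitted
    remote_wipe_enrolled: bool

def check_device(dev, policy=POLICY):
    """Return findings against the policy; an empty list means the device may enroll."""
    findings = []
    min_ver = APPROVED_OS.get(dev.os_name.lower())
    if min_ver is None:
        findings.append("operating system not approved")
    elif dev.os_version < min_ver:
        findings.append("operating system below approved version")
    if dev.passcode_len < policy["min_passcode_len"]:
        findings.append("passcode shorter than policy minimum")
    if policy["require_complexity"] and not dev.passcode_complex:
        findings.append("passcode lacks required complexity")
    if dev.passcode_age_days > policy["max_passcode_age_days"]:
        findings.append("passcode older than policy allows")
    if not 0 < dev.max_failed_attempts <= policy["max_failed_attempts"]:
        findings.append("failed-attempt lockout/wipe missing or threshold too high")
    if not dev.storage_encrypted:
        findings.append("internal storage not encrypted")
    if not dev.sd_card_encrypted:
        findings.append("removable SD card not encrypted")
    if not dev.remote_wipe_enrolled:
        findings.append("remote wipe not enrolled")
    return findings

def enrollment_report(devices, policy=POLICY):
    # Map each owner to findings; only owners with an empty list may enroll.
    return {d.owner: check_device(d, policy) for d in devices}

# Constructed sample inventory (not real devices): one compliant, one not.
SAMPLE = [Device("alice", "iOS", (16, 2), 8, True, 30, 10, True, True, True),
          Device("bob", "Android", (11, 0), 4, False, 120, 0, True, False, False)]
```

Run `enrollment_report(SAMPLE)` to see that the first record passes and the second collects one finding per failed control.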

Policy

A BYOD policy and user agreement should be assembled and submitted to the IT committee and Board of Directors for initial approval. Users should understand the agreement and sign it to indicate they are aware of the risks and rules associated with using a mobile device for business purposes. Implementing the policy protects both employees and the institution by making clear the expectations for using mobile devices in a corporate environment.

Diving In

Feeling full of knowledge, you close the tome and look up at your auditor. Just like that, he vanishes into thin air with an approving nod and a smile.

While the waters of "Bring Your Own Device" may look calm from the shore, it’s only when you dive in that you truly see what lurks below. With proper thought, preparation and planning, you and your employees will be able to navigate the ever-changing seas of BYOD.