Best Practices – BYOD and Mobile Device Security
BYOD (Bring Your Own Device)
BYOD (Bring Your Own Device) is a practice under which employees bring their own devices, such as laptops, tablets or USB drives, into the workplace. These devices belong to the employees; in some cases the company approves them for corporate use and supports them alongside the devices it owns.
Companies need to implement BYOD policies because, at the end of the day, these devices are owned by the employees and not the company. Using them inside a corporate environment can be risky, as all of these devices will have access to the company's sensitive data.
While implementing BYOD, organizations face two main challenges:
Fragmentation and Complexity
The biggest challenge when an organization implements a BYOD policy is fragmentation of operating systems. Unlike Windows, mobile operating systems take a considerable time to roll out updates because there are many different types of devices in the market, and this fragmentation makes implementing a BYOD policy more complex. The majority of the market share is divided between Android and iOS users. Android is shipped by many vendors, and each vendor tweaks the operating system differently, which creates further problems while implementing the BYOD policy. Delayed updates also mean delayed security patches, which directly impacts the security of these devices.
Uneven adoption of policy
Another challenge faced by organizations is improper adoption of BYOD policies. According to statistics, the majority of organizations do not have a proper BYOD policy in place, and those that do have not structured the policy according to the needs of the organization.
Security experts use specific terminology for the threats that companies and organizations face on a daily basis. One widely used term is "attack surface": the set of potential points at which an attacker can reach one's confidential information or financial assets. Any successful attack brings the chance of legal or regulatory infringement or damage to reputation. Best practice dictates that the attack surface should be reduced, systems should be hardened against attacks and "defence in depth" should be applied. The following best practices can be implemented to help protect devices and users from unwanted exposure of data to the outside world. Some of these practices target the mobile devices themselves, whereas others protect the data and applications with which these users need to interact.
Some pointers need to be in place before implementing a BYOD policy:
Have a solidified password policy
A lot of devices are going to be connected to the organization's network, so weak passwords should not be used: they can be cracked easily, and sensitive company data can then be leaked. For this reason, a strong password policy should be implemented, and it should also be ensured that all passwords are changed regularly. End users sometimes object because this is inconvenient, but from a security standpoint it adds an extra layer of protection.
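One way to turn the policy above into something enforceable is a checker that a helpdesk or onboarding script can run against a proposed password and its last-change date. The following is an added example, not code from the article or its authors; the thresholds (12 characters, three of four character classes, a 90-day maximum age) and the small list of common words are assumptions chosen for illustration.

```python
"""Password-policy check for a BYOD programme (added example, not from the
original article). Flags: too short, too few character classes, contains a
common word, or not changed within the rotation interval.
All thresholds below are illustrative assumptions, not values from the page."""
import re
from datetime import date, timedelta

MIN_LENGTH = 12            # assumption
MAX_AGE_DAYS = 90          # assumption: rotation interval the policy mandates
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
# Constructed sample of words a real deployment would load from a breach/dictionary list.
COMMON_WORDS = {"password", "welcome", "company", "qwerty", "letmein"}


def password_problems(password: str, last_changed: date, today: date) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for pw, changed in (("C0rrect-Horse-Battery!", date(2024, 5, 1)),
                        ("password12345", date(2024, 1, 1))):
        print(repr(pw), password_problems(pw, changed, today) or "compliant")
```

The checker returns every violation rather than stopping at the first, so the user sees the whole list once instead of fixing one item per attempt.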
Require device registration
Every device brought onto the organization's premises should be properly registered. Details such as device type, carrier, MAC address and user should be documented and stored. With this inventory in place, people who abuse the BYOD policy can be tracked down.
Limit supported platforms
A list of supported platforms should be drawn up and shared with the end users. Devices run on many different platforms, such as Windows, Linux, Android and iOS, and monitoring all of them can be very difficult, so only selected platforms should be allowed onto the company network.
Educate your employees
Employees should be made aware of how to keep data safe on their devices and of the risks associated with keeping company data on their personal devices. Employees should also understand the importance of keeping their AV solutions up to date. Training on this can be given annually as part of the company's Cyber Security Programme.
Expand your infrastructure
The end users are going to consume more bandwidth, so networking equipment such as Wireless Access Points (WAPs) should be upgraded accordingly. Networking equipment can also become a bottleneck, reducing the efficiency of the whole network, so all the networking equipment needs to be upgraded according to the needs of the company.
Network Security should be tightened up
Network security should be tightened up, as you cannot rely on built-in firewalls alone. Separate hardware-based firewalls, such as those from SonicWall, Cisco or Palo Alto, will be needed as the organization will be dealing with more traffic. Security patches will also need to be applied to all the servers, and all passwords in use should be strong.
Network Audits should be performed quarterly
Network audits should be performed every quarter in order to know what devices exist on the organization's internal network. This way, if new devices suddenly start appearing on the network, the network administrators will be able to detect them and block their access accordingly.
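The device-registration, supported-platform and quarterly-audit points above combine naturally into one check: take what is currently on the network, compare it with the registry, and report anything unregistered, anything on a platform outside the allow list, and registered devices that were not seen. The following is an added example, not code from the article or its authors. The registry entries, the supported-platform set (Linux deliberately left off the list) and the DHCP-lease-style snapshot are all constructed sample data; a real run would read the lease table or ARP cache from the network equipment.

```python
"""Quarterly BYOD network audit (added example, not from the original article).
Compares devices currently seen on the network with the registered-device
inventory and the supported-platform allow list. All data below is constructed."""
from dataclasses import dataclass


@dataclass
class Device:
    mac: str
    owner: str
    device_type: str
    platform: str
    carrier: str


# Constructed registry: what the device-registration step recorded.
REGISTRY = {
    "aa:bb:cc:00:00:01": Device("aa:bb:cc:00:00:01", "alice", "phone", "android", "ExampleTel"),
    "aa:bb:cc:00:00:02": Device("aa:bb:cc:00:00:02", "bob", "laptop", "windows", "n/a"),
    "aa:bb:cc:00:00:03": Device("aa:bb:cc:00:00:03", "carol", "tablet", "ios", "ExampleTel"),
    "aa:bb:cc:00:00:04": Device("aa:bb:cc:00:00:04", "dave", "laptop", "linux", "n/a"),
}
SUPPORTED_PLATFORMS = {"android", "ios", "windows"}  # assumption: Linux not on the allow list

# Constructed snapshot in the shape of a DHCP lease table: "<ip> <mac> <hostname>".
LEASE_SNAPSHOT = """\
192.168.10.11 AA:BB:CC:00:00:01 alice-pixel
192.168.10.12 aa:bb:cc:00:00:02 bob-laptop
192.168.10.14 aa:bb:cc:00:00:04 dave-thinkpad
192.168.10.57 de:ad:be:ef:00:99 unknown-device
"""


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so equipment that prints AA-BB-CC still matches."""
    return mac.strip().lower().replace("-", ":")


def parse_leases(text: str) -> dict[str, tuple[str, str]]:
    """Return {mac: (ip, hostname)} from the snapshot, skipping malformed or blank lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], normalise_mac(parts[1])
        hostname = parts[2] if len(parts) > 2 else ""
        seen[mac] = (ip, hostname)
    return seen


def audit(seen: dict, registry: dict, supported: set) -> dict[str, list[str]]:
    """Classify observed devices for the quarterly report."""
    unregistered = sorted(m for m in seen if m not in registry)
    unsupported = sorted(m for m in seen
                         if m in registry and registry[m].platform not in supported)
    # Registered but not seen: either left the organisation or connecting elsewhere.
    absent = sorted(m for m in registry if m not in seen)
    return {"unregistered": unregistered,
            "unsupported_platform": unsupported,
            "absent": absent}


if __name__ == "__main__":
    report = audit(parse_leases(LEASE_SNAPSHOT), REGISTRY, SUPPORTED_PLATFORMS)
    for category, macs in report.items():
        print(f"{category}: {macs}")
```

A MAC address is an inventory key, not proof of identity; it can be changed on most devices, so the registry tells the administrators what to investigate rather than authenticating anything by itself.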
The support policy should be redefined
The support policies for end-user devices will need to be defined, as BYOD would otherwise cause the support team to spend more time than necessary. The policy needs to specify which platforms will be supported and to what extent. It should also state that the organization will not be financially responsible for end-user devices, and that only devices that follow the company guidelines will receive support.
Define accepted applications
The types and names of the applications that will be supported on the company network should be defined properly. Many applications will be used on the company's internal network, for example social networking applications, games, etc. This creates a lot of pressure on the support team, but with a well-organized BYOD policy this burden can be minimized.
Mobile Device Security
Mobile device security best practices are recommended safeguards for protecting sensitive data stored on these devices. Since these devices will be used inside a corporate network, securing the data stored on them becomes crucial. The following best practices should be implemented to ensure that the company's data remains safe when stored on mobile devices:
User Authentication
User authentication provides the first layer of security against threats. Most mobile devices can be locked with a PIN, a password or a passphrase, and one of these authentication methods must be enabled on the device. Along with that, strong passwords or passphrases should be used, which makes it difficult for an unauthorized person to view data they are not supposed to see. This also ensures the data remains safe in case the device is lost.
Encrypt the local storage
Data stored on local storage should be encrypted. Data in transit should also be encrypted, which can be done by using a VPN service. Once encrypted, data cannot be accessed without a valid decryption key, which also serves as a safeguard if the device is lost or gets into the hands of an unauthorized party.
Avoid rooting/jailbreaking your device
Rooting an Android device enables a user to run unverified or unsupported applications on the phone. These applications may have security flaws that allow malicious code to run as the superuser. The same applies to iOS, because jailbreaking has a similar impact on Apple devices. Therefore, it is important to ensure that users do not root or jailbreak their devices.
Mobile OS should be updated with Security Patches
Security patches should be installed as soon as they are released. Apart from the operating system, applications should also be updated regularly. Installing these security patches and updates resolves a lot of security vulnerabilities and threats. Automatic updates are not enabled by default on every device, so it must be ensured that the user enables this feature so that application and security patches are applied on a regular basis.
Install a Mobile Security App
A well-reputed security solution should be installed on the mobile device to extend the built-in security features of its operating system. Many third-party vendors, such as Kaspersky, Quick Heal and Symantec, offer security solutions across all major platforms.
Remote data wipe should be enabled on all devices
It should be ensured that remote data wipe is enabled on all devices and that users are aware of this feature and how to use it in case the device is lost or stolen. Built-in solutions such as Find My Device on Android and Find My iPhone on iOS can be used. However, remote data wipe only works when the device is powered on and has an active internet connection. Third-party applications such as Cerberus provide more control over a device if it is lost or stolen, and can be installed so that the data does not end up in the wrong hands.
Communicate Mobile Security best practices to employees
It is important that all these policies and best practices are clearly communicated to employees so that they know what to do and what not to do to protect their data and devices. Where these policies have not been clearly explained to end users there is a lot of confusion, which results in data leaks and other critical threats to the data stored on end-user devices.
To conclude, BYOD is an essential part of 21st-century business, as it provides remote working capabilities and many other advantages to a company at lower cost. While there are of course many risks and factors to consider, the benefits of a successful BYOD policy are too great to ignore, and it helps form the backbone of most modern businesses.
Attack & PenTest Team