Achieving uncompromising security without compromising privacy

01 Feb 2019

Article by Bitglass APAC head David Shephard 

Today’s employees expect to be able to use their personal mobile devices for business purposes.

This is helpful for the enterprise because allowing staff to perform their work duties from anywhere (at any time) enhances organisational efficiency, flexibility, and collaboration.

However, this approach to working can also be unhelpful since enabling ‘bring your own device’ (BYOD) in an unsecured fashion can introduce a number of security concerns.

While data security needs to be prioritised in the era of BYOD, pursuing it carelessly or overzealously can impede the productivity, freedom, and flexibility that organisations are working to enable.

This is an age where it is critical to achieve comprehensive cybersecurity without invading users’ privacy, hindering their mobility, or impeding their efficiency.

Naturally, this raises a question about how organisations can best accomplish this.

In their quest to protect corporate data on personal devices, most organisations turn to mobile device management (MDM) or mobile application management (MAM).

These security tools require the installation of agents on all employees’ personal devices so that IT can keep an eye on the corporate data on said endpoints.

Unfortunately, in this agent-based approach, all personal traffic on the device is also monitored.

This includes users’ private banking activity, social networking, and a whole host of other information that is irrelevant to the enterprise.

At the outset, setting up and maintaining MDM is a logistical headache.

First, IT teams have to install the software across hundreds to hundreds of thousands of devices – then they have to make sure that all agents are regularly updated and maintained.

This endeavour is hindered by the fact that employees tend to resist agents because they can invade user privacy and harm device functionality.

A recent experiment by Bitglass tested the extent to which an unscrupulous member of the IT team could potentially monitor and control a personal device without the owner’s knowledge. The study found that, by routing traffic through the same proxies used to manage devices, it’s possible to capture any browsing activity and even transmit login details back to the company in plain text.

It’s also possible to monitor outbound and inbound communications, force GPS to remain active to track locations and out-of-work habits, and remotely restrict device functionality.

If an employee were to change jobs, a company could implement a full device wipe, meaning that all data (personal contacts, photos, videos, and more) would be erased.

Times are changing, and people are increasingly concerned about the extent to which their privacy is being compromised.

With the rise of data protection regulations and the constant barrage of breaches in the news, it is understandable that privacy is a concern for both organisations and their employees.

Consequently, it came as no surprise when a study found that more than half of employees choose not to participate in their companies’ BYOD programs because of privacy concerns.

All too often, IT managers are forced to choose between having too much visibility (and invading user privacy) or having weak data and threat protection for BYO devices. Obviously, this dichotomy is not ideal.

Instead of buying into the status quo, organisations must implement a comprehensive, agentless security solution designed for BYOD environments.

These types of solutions are focused on securing corporate data wherever it goes – not locking down the devices that are used to access said data.

In light of the growing employee backlash over agent-based tools in BYOD environments, agentless technologies are needed more than ever before.

Fortunately, with agentless cloud access security brokers (CASBs), organisations can rest assured that their BYOD programs are properly secured.

While employee training and education are key components of any cybersecurity strategy, the enterprise must also leverage adaptive security technologies that can protect the growing number of attack targets (cloud apps and devices) from evolving threats.

With data-centric security, companies can thoroughly defend their sensitive information while still enabling employee productivity and flexibility.

Achieving uncompromising security without compromising user privacy creates a win-win situation for both enterprise and employee.
