Story image

Opinion: BYOD can be secure with the right measures

25 Mar 2019

By Bitglass CTO Anurag Kahol

Bring your own device (BYOD), in which employees work from personal devices such as mobile phones and laptops, is quickly becoming the norm in today’s business environment.

Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.

85% of organisations now allow BYOD for at least some of their stakeholders, including employees, contractors, partners, customers, and suppliers.

However, BYOD does change an organisation’s threat landscape and requires security tools that differ from those used to protect managed devices.

Some believe that BYOD is inherently riskier than the traditional way of operating.

Consider the following findings from a recent report on BYOD and security:

  • One in five organisations lacks visibility into basic, native mobile apps on personal devices
  • Only 56% of companies employ key functionality like remote wipe for removing sensitive data from endpoints
  • 43% of organisations don’t know if any BYO or managed devices downloaded malware, indicating a significant lack of visibility
  • 24% of organisations don’t secure email on BYOD at all.

These statistics indicate that companies are not entirely prepared to secure data in BYOD environments.

In addition to the above, 51% of respondents believe that the volume of threats targeting mobile devices will continue to increase.

Because many BYO devices are personal mobile endpoints, these trends continuing unabated will lead to many breaches in the future.

While 15% of companies still do not allow BYOD, it is possible that in the coming years, they will alter their practices in order to maintain a competitive stance in the market.

Additionally, when implementing BYOD, it is essential that these organisations add proper security controls concurrently – not weeks, months, or years after the fact.

Some of these controls include the following:

  • Single sign-on (SSO): The absolute minimum requirement for basic identity and access management (IAM) in cloud and BYOD environments. SSO serves as a single entry point which securely authenticates users across all of an enterprise’s cloud applications.
  • Multi-factor authentication: A tool that requires a second method of identity verification before employees or other users are allowed to access resources.
  • For example, after inputting their passwords, users may be prompted to verify their identities through an SMS token sent via email or text, Google Authenticator, or a hardware token that they carry physically.
  • User and entity behaviour analytics (UEBA): Analytics that provide a baseline for normal user activity and detect anomalous behaviour and actions in real time, allowing IT departments to respond accordingly and automatically.
  • Data loss prevention (DLP): Various tools capable of allowing, blocking or providing intermediate levels of data access; for example, through redaction, digital rights management (DRM), and more.
  • Selective data wipe: This allows administrators to wipe all corporate data from a device without affecting personal data; for example, photos, contacts, calendar events, emails, text messages, and other items.

In BYOD environments, employing all of these tools and best practices requires that organisations leverage agentless solutions deployed in the cloud.

Tools that demand software installations on personal devices invade user privacy and harm device functionality.

This frustrates employees, impedes deployments, and counters the many benefits of BYOD.

Fortunately, agentless tools are capable of securing data without these disadvantages – all while offering highly specialised capabilities.

For example, agentless advanced threat protection can detect and halt threats as they are uploading to an application, as they are being downloaded to a device, or when they are at rest within the cloud.

BYOD can be fully secured if companies leverage the proper tools.

However, organisations that insist on securing personal devices with the same strategies used to protect corporate endpoints will continue to find that they are incapable of protecting their data.

Through an agentless approach that leverages the above tools, companies can embrace the benefits of BYOD without compromising on data protection.

Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Why AI and behaviour analytics should be essential to enterprises
Cyber threats continue to increase in number and severity, prompting cybersecurity experts to seek new ways to stop malicious actors.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.
65% of manufacturers run outdated operating systems – Trend Micro
The report highlights the unique triple threat facing manufacturing, including the risks associated with IT, OT and IP.