Between travel schedules and flexible work arrangements, devices that provide remote access to your organization's servers are a necessary part of the modern business environment. Laptops, mobile devices, tablets and USB thumb drives make it easier for employees to carry out their work functions, but they also complicate your organization's cybersecurity strategy. In the second part of our series, Seven Ways to Strengthen Cybersecurity, we will examine controls for portable devices in more detail.
Physically, portable devices are easier to misplace than traditional desktop monitors and computers. Lost devices rank among the more common ways unauthorized users can gain access to your system. According to the Verizon Wireless 2016 Data Breach Investigation Report, lost devices were involved in nearly 10,000 information security incidents in 2015. Leaving devices unattended outside of work can also put your company's data at risk.
Logistically, the devices can be harder to secure as well. Employees may be accessing your servers through personal devices, which means IT departments will not have the same level of control as they would over a company-owned device.
Further complicating matters is the vulnerability of mobile devices themselves. Hackers and other unauthorized users are increasingly using mobile phone applications to gain access to devices. Applications disguised as games or ad blockers can contain malware that opens the door to unauthorized access to the device, which can leave mobile applications used for work functions susceptible to intrusion. Computer applications have similar weaknesses. The 2016 Trustwave Global Report found 97 percent of applications tested had one or more high-risk vulnerabilities.
Responsibility falls to management to ensure that mobile devices used for work have adequate security and that employees are aware of the risks in the devices they use to access your organization's data.
Quantifying Your BYOD Risk
Whether or not you have a bring-your-own-device (BYOD) policy, employees likely have some form of portable electronic device they use to access your system. Protecting the security of the system requires management to understand which types of BYOD they have and what controls are in place over those devices.
The following questions provide a good starting point for conversations over mobile device security with your employees:
- Which BYOD are allowed (tablets, smartphones, etc.) and which are not (USB devices from home, recording devices, etc.)?
- What company data are allowable on the BYOD?
- Are there backups of the data on mobile devices?
- Are the BYOD devices and company-issued devices fully encrypted?
- Are BYOD devices controlled by your company's IT? Can they be erased remotely if lost or stolen?
- Are the wireless connections controlled by IT and secured by user IDs and complex passwords, and are the data channels encrypted?
- Is there a predefined number of unsuccessful login attempts on a mobile device before the device is locked and/or wiped?
- How are lost or stolen devices reported to IT and handled? Are the reports to IT timely and addressed appropriately?
- How are suspicious devices that attempt to connect to wireless connections identified and reported to management?
Steps to Take Today to Minimize Your Risk
Organizations need to gather information about their BYOD, if they have not done so already, to minimize their cybersecurity risk.
Mobile devices pose one of the largest threats because of how widely they are used. Your organization should evaluate its practices related to mobile devices to ensure each device is configured so that authorized mobile code (applications and scripts) runs only in accordance with a clearly defined security policy. Measures should be in place to prevent any unauthorized mobile code from completing an attempt to access your network.
It is also important to take an inventory of policies related to information technology security and other types of mobile devices that are relevant to employees' mobile device use in the course of business. This may include file transfer sites and thumb drives. Review all policies related to network access annually. Depending on the prevalence of BYOD in your organization, you may want to distribute copies of the BYOD policies for annual acknowledgement by your employees.
Whether or not you decide to distribute findings from your annual reviews of information security policies, be sure you have ongoing security awareness training for employees. The human element is often manipulated in a cybersecurity incident, and if employees can recognize what phishing and social engineering attacks look like, they can better protect the organization from a breach.
For More Information
If you have any specific comments, questions or concerns about how to strengthen your cybersecurity policy, please contact us.
Seven Ways to Strengthen Your Cybersecurity
- Monitor the Human Element
- Secure the Small Things
- What We Can Learn from Other Incidents
- Know Your State Notification Laws
- Questions to Ask About Third-Party Providers
- Logical Security
- What Management Should Know About the IT Environment
Published on August 17, 2016