When we lose things or things get stolen, it costs us time and money. But it's not just our time and money that's at stake—even our brands and reputations can be severely damaged. When digital devices like laptops, smartphones and tablets are lost or infiltrated by cyber criminals, the disaster can cost thousands, even millions, of dollars. Employees, not just business owners and other key figures in the workplace, need to understand the severity.
The average consumer has three to six personal devices, and in practice one or two of them end up connecting to the company network and opening company files. That is where the security problems of BYOD (bring your own device) multiply, to the point that the practice has earned a second acronym: BYOI, bring your own infection.
BYOD is a double-edged sword. On one hand, it brings real benefits to the work site, and employees stay connected to their duties when they are out of the office for whatever reason. With all this good comes the bad: the threat of compromised data.
A BYOD Disaster
What does a BYOD disaster look like? Imagine this: your company's major competitor needs an upper hand to survive. Desperate times lead them to hire a hacking-as-a-service (HAAS) crew to infiltrate your network and find out why you can bid so low on contracts.
An employee receives an email on his personal laptop at his personal address. The HAAS criminal sent it after finding the employee on a social network, where his profile lists his employer. Opening the email's payload installs a keylogger, malware that records every keystroke the employee makes from then on.
Once the employee logs into his corporate email from that laptop, it's game over: the keylogger captures his corporate username and password. The criminal now has the employee's mailbox, which holds enough documentation to dig deeper into the corporate network. Own the email, own the person. Worse, the criminal then uses the employee's account to write to everyone in his address book, and each of those colleagues receives a similar malware-laden email that infects their devices in turn.
It’s just a matter of time until all your company's trade secrets are in the hands of your competition.
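The spread step in the scenario above, one mailbox fanning the same lure out to an address book and the lure then reappearing from the next victim, leaves a recognisable trace in mail-gateway logs. The following detector is an added example, not code from the original article; its log format, the example.com domain, the thresholds, the bulk-sender allowlist and every sample log line are constructed assumptions.

```python
"""Spot a compromised mailbox fanning a malicious attachment out to colleagues.

Added example, not the article's own code. Models the spread step in the
scenario above. The log format, domain, thresholds and all sample lines are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"                      # assumed corporate domain
WINDOW = timedelta(minutes=10)                       # assumed sliding window
MIN_DISTINCT_RECIPIENTS = 5                          # assumed fan-out threshold
BULK_SENDER_ALLOWLIST = {"newsletter@example.com"}   # assumed known bulk senders

# Constructed mail-gateway log: timestamp, sender, recipient, attachment flag,
# and a short hash of the attachment ("-" when there is none).
SAMPLE_LOG = """\
2024-03-04T09:00:12 alice@example.com bob@example.com attach=yes sha=ab12
2024-03-04T09:00:13 alice@example.com carol@example.com attach=yes sha=ab12
2024-03-04T09:00:15 alice@example.com dave@example.com attach=yes sha=ab12
2024-03-04T09:00:16 alice@example.com erin@example.com attach=yes sha=ab12
2024-03-04T09:00:18 alice@example.com frank@example.com attach=yes sha=ab12
2024-03-04T09:00:19 alice@example.com grace@example.com attach=yes sha=ab12
2024-03-04T09:00:20 alice@example.com partner@outside-firm.test attach=yes sha=ab12
2024-03-04T09:05:00 bob@example.com alice@example.com attach=yes sha=77fe
2024-03-04T09:06:00 bob@example.com carol@example.com attach=no sha=-
2024-03-04T09:30:00 newsletter@example.com bob@example.com attach=yes sha=c0de
2024-03-04T09:30:01 newsletter@example.com carol@example.com attach=yes sha=c0de
2024-03-04T09:30:02 newsletter@example.com dave@example.com attach=yes sha=c0de
2024-03-04T13:00:00 carol@example.com dave@example.com attach=yes sha=ab12
2024-03-04T13:30:00 carol@example.com erin@example.com attach=yes sha=ab12
"""


def parse_line(line):
    """Split one gateway line into a dict using the assumed layout above."""
    ts, sender, rcpt, attach, sha = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "sender": sender.lower(),
        "rcpt": rcpt.lower(),
        "attach": attach == "attach=yes",
        "sha": sha.split("=", 1)[1],
    }


def load_events(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_fanout(log_text):
    """Alert when one sender mails the same attachment to many internal
    recipients inside WINDOW. Known bulk senders and external recipients are
    ignored so a newsletter or a normal outside contact does not fire."""
    by_key = defaultdict(list)
    for e in load_events(log_text):
        if not e["attach"] or e["sender"] in BULK_SENDER_ALLOWLIST:
            continue
        if not e["rcpt"].endswith("@" + INTERNAL_DOMAIN):
            continue
        by_key[(e["sender"], e["sha"])].append(e)

    alerts = []
    for (sender, sha), evs in by_key.items():
        best, start = None, 0
        for end in range(len(evs)):            # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            rcpts = {x["rcpt"] for x in evs[start:end + 1]}
            if len(rcpts) >= MIN_DISTINCT_RECIPIENTS and (
                best is None or len(rcpts) > len(best["recipients"])
            ):
                best = {"sender": sender, "sha": sha,
                        "recipients": sorted(rcpts),
                        "first": evs[start]["ts"], "last": evs[end]["ts"]}
        if best:
            alerts.append(best)
    return alerts


def lure_reuse(log_text):
    """Return attachment hashes seen from two or more internal senders: the
    lure that took one mailbox showing up again from the next victim."""
    senders = defaultdict(set)
    for e in load_events(log_text):
        if e["attach"] and e["sender"].endswith("@" + INTERNAL_DOMAIN):
            senders[e["sha"]].add(e["sender"])
    return {sha: sorted(s) for sha, s in senders.items() if len(s) >= 2}


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG):
        print(f"FANOUT {a['sender']} sent {a['sha']} to {len(a['recipients'])} "
              f"colleagues between {a['first'].time()} and {a['last'].time()}")
    for sha, who in lure_reuse(SAMPLE_LOG).items():
        print(f"LURE-REUSE attachment {sha} sent by {', '.join(who)}")
```

On the constructed log, only alice's burst trips the fan-out rule: carol sends the same attachment twice, but half an hour apart, so the window never holds enough recipients, and the newsletter is on the allowlist. The second check catches carol anyway, because an attachment hash that originates from two different internal mailboxes is exactly the relay the scenario describes. Both thresholds are tunable; the point is to alert on the pattern of spread rather than on any one message.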
Understand And Accept The Truth
Ignorance is not bliss; it's expensive and can kill your business. Owners and managers typically lack insight into how much risk these home-brought devices pose. The risk may be a malware infection, or it may be an employee who never sets a PIN or does not encrypt the data on the device.
Business owners and other decision makers have been tackling this problem with platform-specific policies, but the number of platforms keeps growing, and a rule written for one does not cover the next.
Another thing to keep in mind: whatever the device and wherever it sits, a smartphone used only at the workplace, a tablet brought from home, or your company's internal systems, it is reachable over the Internet, and the Internet is the road nearly every cyber criminal travels to reach it.
It's time to fight back, and ensure your data's and company's security once and for all:
1. Develop a strategy. There should be a fully organized plan of defense and mitigation. Inventory the kinds of data employees access, and from where. Give smartphones and tablets the same protective measures as the company's internal systems.
2. Establish a policy. To prevent confusion over how a company’s email and data can be used on smartphones, guidelines must be created and administered. These guidelines will encourage employees to use caution. Plus, guidelines make it impossible for employees to claim they didn’t know about the potential problem, should a problem arise from careless use. Guidelines must also spell out what employees can and cannot do with their devices.
3. Train employees. Most employees mean well; they just don’t know that their actions can compromise security. They must be taught about risks and how to solve problems to avoid disaster.
4. Consider the requirements of compliance. When deciding upon company policy, decision makers must keep the requirements of compliance in mind.
5. Use mobile device management (MDM) software. MDM is the platform through which corporate IT remotely manages mobile devices. Laptops, smartphones and tablets (and in some cases desktops) should carry a management agent that lets the device be monitored, so that if it's lost it can be located, locked, and wiped if necessary. The same agent enforces security settings such as antivirus, firewall and encryption. On a personal device, spell out whether a wipe removes only the corporate accounts and data or the entire device; most MDM platforms can do either, and employees will want to know which before they enroll.
MDM is something the employee or prospective employee has to agree to. Refusing to install the MDM agent on a personal device may mean not being hired, or employee termination.
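Steps 1, 2 and 5 come together when the written policy is turned into a check that runs against what the MDM reports about each device before the device is allowed corporate email. The following is an added example, not the article's code and not any MDM vendor's API: the policy values, the posture field names and the sample device records are constructed assumptions, and a real deployment would read the records from its MDM instead of a literal list.

```python
"""Check a personal device's reported posture against the BYOD policy.

Added example, not the article's code and not any MDM vendor's API. The policy
values, field names and sample device records are constructed assumptions.
"""
from datetime import date

# Assumed policy: minimum OS per platform, mandatory controls, and how stale a
# posture report may be before it is no longer trusted.
POLICY = {
    "min_os": {"ios": (16, 0), "android": (13, 0), "windows": (10, 0, 19045)},
    "require_pin": True,
    "require_encryption": True,
    "require_mdm": True,
    "max_days_since_checkin": 7,
}

TODAY = date(2024, 3, 5)   # assumed evaluation date, fixed so the run is repeatable

# Constructed posture records of the kind an MDM reports.
DEVICES = [
    {"id": "ios-1", "platform": "ios", "os": "17.2.1", "mdm": True, "pin": True,
     "encrypted": True, "status": "active", "checkin": date(2024, 3, 4),
     "corporate_data": True},
    {"id": "and-2", "platform": "android", "os": "12.1", "mdm": True, "pin": False,
     "encrypted": True, "status": "active", "checkin": date(2024, 3, 4),
     "corporate_data": True},
    {"id": "win-3", "platform": "windows", "os": "10.0.19044", "mdm": True,
     "pin": True, "encrypted": True, "status": "active",
     "checkin": date(2024, 3, 3), "corporate_data": False},
    {"id": "ios-4", "platform": "ios", "os": "17.0", "mdm": True, "pin": True,
     "encrypted": True, "status": "lost", "checkin": date(2024, 2, 1),
     "corporate_data": True},
    {"id": "mac-5", "platform": "macos", "os": "14.3", "mdm": False, "pin": True,
     "encrypted": False, "status": "active", "checkin": date(2024, 2, 20),
     "corporate_data": False},
]


def parse_version(text):
    """'10.0.19044' -> (10, 0, 19044); tuples compare element by element,
    so a build-number difference is caught, not just the major version."""
    return tuple(int(p) for p in text.split("."))


def evaluate(device, policy, today):
    """Return a decision ('allow', 'block', 'lock' or 'wipe') plus the reasons."""
    reasons = []
    # A lost device is handled first: access is cut either way, and only a
    # device that actually holds corporate data is worth wiping.
    if device["status"] == "lost":
        action = "wipe" if device["corporate_data"] else "lock"
        return {"id": device["id"], "decision": action,
                "reasons": ["device reported lost"]}
    if policy["require_mdm"] and not device["mdm"]:
        reasons.append("not enrolled in MDM")
    if policy["require_pin"] and not device["pin"]:
        reasons.append("no screen lock / PIN")
    if policy["require_encryption"] and not device["encrypted"]:
        reasons.append("storage not encrypted")
    minimum = policy["min_os"].get(device["platform"])
    if minimum is None:
        reasons.append(f"unsupported platform {device['platform']}")
    elif parse_version(device["os"]) < minimum:
        reasons.append(f"{device['platform']} {device['os']} below minimum")
    # A posture report that is too old says nothing about the device today.
    if (today - device["checkin"]).days > policy["max_days_since_checkin"]:
        reasons.append("posture report is stale")
    return {"id": device["id"],
            "decision": "allow" if not reasons else "block",
            "reasons": reasons}


def evaluate_all(devices, policy, today):
    return {d["id"]: evaluate(d, policy, today) for d in devices}


if __name__ == "__main__":
    for r in evaluate_all(DEVICES, POLICY, TODAY).values():
        print(f"{r['id']:6} {r['decision']:5} {'; '.join(r['reasons'])}")
```

Every block decision carries its reasons, which is what makes the policy enforceable in the sense of step 2: the employee is told exactly which rule the device fails. The stale-report rule matters on personal devices in particular, because a phone that has not checked in for a week may have been wiped, jailbroken or sold since its last compliant report.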
How strong are your BYOD policies? Do you feel confident in your company's security? Share with us in the comments.
Robert Siciliano is the author of four books, including The 99 Things You Wish You Knew Before Your Identity Was Stolen. He is also a corporate media consultant and speaker on personal security and identity theft. Find out more at www.RobertSiciliano.com.