
Mitigating Bring Your Own Device (BYOD) Risk for Organisations


Academic year: 2021



Executive Summary

Mobile devices such as smartphones, tablets and laptops let employees bring consumer technology into the workplace, and employees are increasingly presenting business cases for BYOD on the grounds that it adds value to the business.

This document helps readers understand and mitigate the security challenges, enterprise risks and data concerns that arise when employees use personal devices for work-related activities. The risks addressed include unauthorised access to the corporate network, data loss, data leaks, data breaches, data privacy issues, and data exposure via social media (intentional or unintentional).

Organisations permitting BYOD in the workplace face serious challenges from a range of perspectives: enterprise risk, information security, data privacy, governance, device support and asset management, and finance, where reduced CAPEX is typically offset by increased OPEX. Risk can be mitigated through the development and implementation of an enterprise-wide mobile device strategy. Such a strategy is essential to achieving business goals while reducing risk to acceptable levels, and to be effective it must be well defined.

In this report, examples are given of how controls and policies can be put in place with respect to data storage, remote wiping of devices, intellectual property ownership, security and legal issues, and data in transit. With proper risk management policies in place, enterprise risk can be reduced in line with the organisation's risk appetite. The key outcomes of implementing the strategy and applying the relevant policies are risk mitigation and an improved security posture for the organisation.

What is happening?

Changes in the Nature and Volume of Data Usage

There are currently an estimated 7.7 billion mobile connections according to GSMA Intelligence [1]. Global mobile devices and connections grew to 7.9 billion in 2015, up from 7.3 billion in 2014. Some of the key points of interest [2]:

· Global mobile data traffic grew 74% in 2015 year on year

· Mobile data traffic has grown 4,000-fold over the past 10 years and almost 400-million-fold over the past 15 years

· Fourth-generation (4G) traffic exceeded third-generation (3G) traffic for the first time in 2015.

· Mobile video traffic accounted for 55% of total mobile data traffic in 2015.

These statistics demonstrate a huge upsurge in mobile technology adoption, an inescapable global change.

Perception of Risk

The consumerisation of IT has led to employees using their own mobile devices in the workplace to access business services, and mobile computing and bring your own device (BYOD) are driving considerable innovation in the workplace.

However, with the increase in mobile device usage in organisations come greater risk and greater responsibility. More often than not, companies are not aware of these new risks and responsibilities; where they are aware of them, they often see the increased responsibility and risk as a burden, resulting in a lack of proper security policies and governance planning.

This paper provides insight into how to mitigate the threats that mobile computing introduces into the workplace, the security challenges the organisation faces, and how proper security policies should be implemented and governed.

[1] https://gsmaintelligence.com/

[2] http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/mobile-white-paper-c11-520862.html


What will the Risk Impact be?

BYOD impacts the risk associated with the following responsibilities of the Chief Security Officer:

· Data

· Privacy

· Cost

· Infrastructure

The question has to be asked: is there value to be gained from BYOD? The answer must be weighed against the cost of implementing and operating a risk mitigation policy. If the business case does not hold, an outright ban should be imposed instead.

Risk to Data at Rest or in Transit

Organisations permitting BYOD in the workplace face the following risks, all of which arise from the physical mobility of the device:

Risk                                Example
Data theft                          Connecting to an unsecured wireless network
Data leaks                          Tethering an unauthorised device to the corporate network
Data breaches                       Loss or theft of the device
Data exposure and privacy issues    Malicious exposure via open communication channels, or intentional or accidental sharing via social media

Data loss or theft as a result of connecting to an unsecured wireless network poses a serious threat to an organisation. Open or poorly secured wireless networks are inherently less secure than their wired counterparts: traffic is carried over the air without link-layer encryption, so anyone in radio range can 'sniff' it, and any application that does not protect its own traffic (for example with TLS or a VPN) exposes sensitive information. Not only is employee privacy at risk (personal banking details, webmail passwords and so on), but so too is corporate data. Many portable devices also carry local storage, and corporate data stored there unencrypted is at risk if the device is lost or stolen.

Data leaks or unauthorised access to the corporate network may occur when an unauthorised device is attached or tethered to a device that has authenticated to the corporate network, so that the second device inherits the first device's access.

Data breaches, unauthorised access to the corporate network and data theft can also follow the loss or theft of a device. There have been several corporate breaches in which employees' mobile devices were deliberately targeted for theft, resulting in the loss of sensitive corporate data or intellectual property [3][4].

Risk          Example
In transit    Using wireless networks
At rest       Storage on devices
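The at-rest risk above and the remote-wipe control mentioned in the executive summary can be addressed together by keeping corporate data on the personal device only inside an encrypted container whose key the organisation controls: a selective wipe then destroys the key, leaving personal data untouched and the remaining ciphertext unreadable. The code below is an added illustration of that design, not the report's own or any vendor's implementation. It assumes a hypothetical organisation-controlled key store (a dict standing in for an MDM-managed keychain entry) and uses an HMAC-SHA256 stand-in cipher so that it runs with the Python standard library alone; a real container would use AES-GCM from a vetted library. All keys, file names and contents are constructed.

```python
"""Added example (not from the report): corporate data container on a BYOD
device whose "remote wipe" is the destruction of its key (crypto-shredding).
The cipher is an HMAC-SHA256 stand-in (counter-mode keystream, encrypt-then-MAC,
separate sub-keys) so this runs with the standard library only; use AES-GCM
from a vetted library in practice.  All keys, names and contents are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific sub-key so encryption and MAC keys differ."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CorporateContainer:
    """Encrypted corporate workspace on a BYOD device (hypothetical design)."""

    def __init__(self, key_store: Dict[str, bytes], container_id: str):
        self.key_store = key_store           # organisation-controlled key store
        self.container_id = container_id
        self.records: Dict[str, bytes] = {}  # file name -> sealed blob (ciphertext only)
        key_store.setdefault(container_id, os.urandom(32))

    def _key(self) -> bytes:
        key = self.key_store.get(self.container_id)
        if key is None:
            raise PermissionError("container key destroyed: corporate data wiped")
        return key

    def put(self, name: str, data: bytes) -> None:
        self.records[name] = seal(self._key(), data)

    def get(self, name: str) -> bytes:
        return unseal(self._key(), self.records[name])


def remote_wipe(key_store: Dict[str, bytes], container_id: str) -> bool:
    """MDM-side selective wipe: destroy only the corporate container's key."""
    return key_store.pop(container_id, None) is not None


def demo() -> dict:
    """Store a file, wipe the container, and report what each step showed."""
    key_store: Dict[str, bytes] = {}
    personal = {"holiday.jpg": b"<personal photo bytes>"}  # lives outside the container
    box = CorporateContainer(key_store, "corp-dev-001")
    box.put("q3-forecast.csv", b"region,revenue\nEMEA,1200000\n")
    readable_before = box.get("q3-forecast.csv") == b"region,revenue\nEMEA,1200000\n"
    wiped = remote_wipe(key_store, "corp-dev-001")
    try:
        box.get("q3-forecast.csv")
        readable_after = True
    except PermissionError:
        readable_after = False
    return {
        "readable_before": readable_before,
        "wiped": wiped,
        "readable_after": readable_after,
        "ciphertext_still_on_device": "q3-forecast.csv" in box.records,
        "personal_data_intact": personal["holiday.jpg"] == b"<personal photo bytes>",
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is in `demo()`: after `remote_wipe` the sealed records are still physically on the device (or on whatever copy a thief made), but without the key they are indistinguishable from random bytes, and the employee's personal files were never touched. Wiping the key is also far faster and more reliable than overwriting flash storage.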

Risks to Privacy of Communication

Data risks are realised when an organisation's corporate data is exposed, whether through malicious intent or accidentally, by sharing through social media, webmail, cloud storage, instant messaging (e.g. WhatsApp), or other communication channels that the employee's organisation does not filter. The root cause is the open nature of these communication channels.

In addition to data theft or loss, mobile devices are a possible vector for introducing malware onto the corporate network. A compromised mobile device can be used by an attacker as a pivot into the corporate network; this can result not only in the loss of data but also in the attacker exploiting further vulnerabilities in the main corporate network, deepening the intrusion into the organisation.

[3] Power R, 'Corporate Espionage: Tomorrow Arrived Yesterday' (Power, 2010) <http://www.csoonline.com/article/2124884/employee-protection/corporate-espionage--tomorrow-arrived-yesterday.html>

[4] US Department of Justice, 'Chinese Professors Among Six Defendants Charged with Economic Espionage and Theft of Trade Secrets for Benefit of People's Republic of China' <https://www.justice.gov/opa/pr/chinese-professors-among-six-defendants-charged-economic-espionage-and-theft-trade-secrets>


Operational Risk to Infrastructure – Systems and Software

Risk             Example
Attack vector    Malware or malicious app
Loss of device   Device stolen or misplaced

Operational and support resources are affected by the growth in, and diversity of, the infrastructure. The additional devices and their variety can lead to a large increase in demand for support from IT staff, and if no uniform standards have been agreed, technical support staff may lack the skills and experience required to support employees adequately.

A lack of asset management for employees' BYOD devices leaves the organisation without knowledge of what hardware and operating systems are accessing the corporate network. Unknown devices cannot be checked against a patch baseline, so unpatched and vulnerable software can reach the network, exposing the enterprise to even more risk.
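The asset-management gap just described, and the policy aspects listed later under "Develop a Strategy" (encrypted storage, easy distribution of updates, large numbers of devices), come down to one operational check: every device in the inventory is evaluated against a written baseline before it is allowed on the network. The following is an added example of that check, not code from the report or from any MDM product. It assumes a hypothetical baseline (approved platforms with a minimum OS version, storage encryption and MDM enrolment required, jailbroken or rooted devices refused) and a constructed inventory; in practice the records would come from the MDM or network access control system. It also shows the bug such checks commonly carry: comparing version strings lexically, where "16.10" sorts below "16.7".

```python
"""Added example (not from the report): a minimal BYOD device posture check.

Evaluates a device inventory against a BYOD baseline so the organisation knows
which hardware and OS versions reach the network and which devices fall below
the patch baseline, lack storage encryption or are not enrolled in MDM.
Inventory records and baseline values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '16.7.2' into (16, 7, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str          # e.g. "ios", "android", "windows"
    os_version: str
    storage_encrypted: bool
    mdm_enrolled: bool
    jailbroken: bool = False


@dataclass
class Policy:
    min_os: Dict[str, str]        # approved platform -> minimum OS version (hypothetical)
    require_encryption: bool = True
    require_mdm: bool = True


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the policy findings for one device (an empty list means compliant)."""
    findings: List[str] = []
    baseline = policy.min_os.get(device.platform)
    if baseline is None:
        findings.append(f"platform {device.platform!r} is not on the approved list")
    elif parse_version(device.os_version) < parse_version(baseline):
        findings.append(f"os {device.os_version} below baseline {baseline}")
    if policy.require_encryption and not device.storage_encrypted:
        findings.append("storage not encrypted")
    if policy.require_mdm and not device.mdm_enrolled:
        findings.append("not enrolled in MDM")
    if device.jailbroken:
        findings.append("device is jailbroken/rooted")
    return findings


def non_compliant(inventory: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Map device id -> findings for every device that must be denied network access."""
    report: Dict[str, List[str]] = {}
    for device in inventory:
        findings = evaluate(device, policy)
        if findings:
            report[device.device_id] = findings
    return report


# Constructed sample inventory (hypothetical devices and owners, not real data)
SAMPLE_INVENTORY = [
    Device("dev-001", "alice", "ios", "16.7.2", True, True),
    Device("dev-002", "bob", "android", "9.0", False, True),
    Device("dev-003", "carol", "ios", "16.10.1", True, False),
    Device("dev-004", "dave", "blackberry", "10.3", True, True),
    Device("dev-005", "erin", "android", "13.0", True, True, jailbroken=True),
]

# Hypothetical baseline values chosen for the example
SAMPLE_POLICY = Policy(min_os={"ios": "16.7", "android": "12.0", "windows": "10.0.19045"})


if __name__ == "__main__":
    for dev_id, findings in non_compliant(SAMPLE_INVENTORY, SAMPLE_POLICY).items():
        print(dev_id, "->", "; ".join(findings))
```

Note that dev-003 runs iOS 16.10.1 and is correctly treated as newer than the 16.7 baseline only because `parse_version` compares numeric tuples; a plain string comparison would have flagged it as out of date and, worse, would pass an old "9.0" Android build against a "12.0" baseline. The findings list, rather than a single pass/fail flag, is what the support desk needs to tell the employee what to fix before the device is re-admitted.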

Cost

Capital expenditure (CAPEX) may decrease with increased BYOD adoption, but operating expenditure (OPEX) may increase. While BYOD may seem beneficial at first, additional support, integration, governance and employee expense costs may cancel out the envisaged benefit; it all has to be managed effectively to achieve long-term benefit.

Recommendations

· Strategy

· Governance & compliance

· Mobile device management (MDM)

Develop a Strategy

Developing an enterprise-wide mobile device strategy is essential. It should be iterative, with periodic reviews, modifications and improvements; Deming's Plan-Do-Check-Act (PDCA) cycle, which the Deming Institute now presents as Plan-Do-Study-Act (PDSA), is a good method for this [5]. The primary goal should be to raise the maturity level of the organisation's security posture. Tools to support the strategy include, but are not limited to:

· Risk assessments – periodic and ongoing

· Policy – To include items covering the challenges, e.g. MDM

· Governance to support strategy and underlying policies

Included in this should be a clear policy on devices connecting to the organisation. All good policies are simple to understand, add value and are easy to maintain long term. To be adopted on a long term basis the policy must be business focused and easy to implement with technical support, otherwise employees will find ways to circumvent unsuitable aspects. Policies should focus on the following aspects:

· Data at rest and in transit must be encrypted and secured

· Information security risks are reduced and managed

· CAPEX and OPEX must be reduced

· Asset management must permit the easy distribution of software updates

· Flexibility for managing large amounts of devices

· Compliance and governance

Items such as intellectual property developed on BYOD devices and management of personal data (e.g. images) must be agreed and communicated. It is important while developing the strategy that proper risk management is implemented. A proper risk assessment should be conducted at the beginning of the strategy development and corresponding mitigations put in place to reduce the potential risks while maximising the advantages to the business.

Figure (not reproduced here): the risk analysis process from the ISO 31000 Risk Management framework.

[5] The W. Edwards Deming Institute, 'The Plan, Do, Study, Act (PDSA) Cycle' (www.deming.org, 2015)


Allocate Resources and Train Staff

Proper budgets and resources must be allocated to the corporate BYOD policy. Staff must be trained to support the additional number and variety of devices. Additional support staff may have to be hired in order to meet support requirements.

Policy – Policies on security incidents and breaches, and on compliance, will have to be drawn up, with staff assigned to maintain governance.

Training – Implementing risk management controls also needs to be addressed, for example software licensing and user training ('patching the humans').


Compliance and Governance

Devices attaching to the network must be kept up to date with the latest security patches. Unauthorised access to the corporate network must never be permitted, to prevent the introduction of malware or the unauthorised release of sensitive data.

All BYOD implementations must adhere to corporate, legal and regulatory (e.g. PCI DSS) standards. Monitoring and auditing of all standards and required compliance must be maintained and enforced, and governance staff may need to be assigned to ensure compliance. Full audit trails of data access and movement will need to be recorded.

Suggestion: employees must sign and agree to formal policies covering:

· Data access

· Data privacy

· Internet usage

· Intellectual property

· Data ownership

· Cloud services

A financial company may be in breach of client contracts if sensitive data is backed up via cloud services hosted in multiple countries: the data may transit or rest in countries that place the client in breach of financial regulations.

Action: conduct vendor research and mandate the permitted cloud providers before committing funds.

Summary

In this report the various issues facing BYOD were discussed, the main points are re-iterated below:

· Risks

· Impact

· Cost

· Infrastructure, data and privacy

· Strategy

Organisations permitting BYOD in the workplace face operational challenges such as information security, device support, asset management, and financial concerns such as increased operational costs.

Data issues, corporate network breaches, and malware insertion, are all serious risks. Organisations must be aware of enterprise risk and governance concerns associated with mobility technology in the workplace. To achieve business goals whilst reducing risk to acceptable levels, risk management and a mobile device strategy should be implemented. The CISO must enforce accountability for monitoring and auditing of all standards and required compliance.

Regular risk assessments and security reviews should be conducted with recommendations implemented from assessments and security audit findings.

Organisations with BYOD in the workplace should formally assess the benefits against the increased risks associated with mobile device adoption. Once the business case is understood, the organisation must ensure that proper security policies, governance and risk management frameworks are implemented to protect security and prevent data loss.
