Are all of your employees applying all security updates to all of their devices?

Transcription

1 Are all of your employees applying all security updates to all of their devices? If the answer is yes, read no further. If the answer is no, here s some food for thought!

2 Consumer behavior is reshaping corporate IT A new technology age has dawned commonly referred to as the consumerization of IT. Bring Your Own Device (BYOD) is the trend that is driving this evolution and it is moving like a speeding train through global corporate culture. In fact, 83% of businesses have entered the world of BYOD. (1) BYOD refers to the policy of allowing employees to use their preferred laptops, tablets and smartphones for both private and corporate use. Employees are therefore able to access a plethora of non-corporate applications and communicate via cloud-based personal accounts, social media networks and instant messaging; as well as connect to the corporate network. A study by Cisco concluded that By 2014, the average number of connected devices per knowledge worker will reach 3.3, up from an average of 2.8 in (2) With new technologies rapidly appearing within the consumer sphere and a growing cultural need for a work-life balance employees are now entering the workplace with expectations of using their own devices. Some are even willing to sidestep security requirements in order to do so. A global survey on the behavior of first generation BYOD users and the challenges for corporate IT systems revealed that: Private employee communication via social media networks and SMS are seeping into work day activities, with 35% and 47% of respondents respectively not being able to go a day without accessing these resources. More than 1-in-3 employees would contravene a company s security policy that forbids them to use their personal devices at work or for work purposes. - Fortinet 2012 (3)

3 Freedom versus Security While organizations are recognizing that BYOD is a necessity due to the benefits it brings in terms of employee flexibility, productivity levels, job satisfaction, staff retention and return on investment; there is a notable downside to such freedom. The danger is that with BYOD, employee-owned devices are largely unmanaged and the security state of them is obscured as IT teams have to relinquish some of their control to end-users who are not IT experts. The simple truth is that many organizations do not have the full picture of how much corporate data exists in the cloud and if it is appropriately safeguarded. This ultimately creates a huge security risk. The influx of computing devices, from laptops to smartphones and tablets, into the workplace might bring convenience and increased productivity to individual employees. However, this bring-your-owndevice (BYOD) trend also surfaces a range of security risks and challenges in terms of securing corporate networks and data, mobile device management, and having granular security policies. - ZDNet, 2013 (4) 14% of large organisations had a security or data breach in the last year relating to social networking sites. 9% of large organisations had a security or data breach in the last year involving smartphones or tablets. 4% 4% of the worst security breaches were due to portable media bypassing defences. of respondents had a security or data breach in the last year relating to one of their cloud computing services. Source: Information Security Breaches Survey PwC.

4 Bring Your Own Vulnerability All CISOs should be worried about the BYOD trend. In the last year alone, multi-sector companies ranging from government agencies and iconic brands to Internet start-ups and financial institutions were all impacted by data security breaches. (5) No organization or individual is immune to the risks, or the financial implications. Naturally, the financial cost of cybercrime will vary from sector to sector and according to company size. However, a sample study involving a cross-section of 56 U.S. organizations revealed some interesting insights: the average annualized cost of cybercrime for this sample group in 2012 was nearly $9 million a considerable amount by anyone s standards. (6) Thousands of new applications ( apps ) for smart devices are introduced to the market every day, with many unseen and unapproved apps systematically slipping through the net into forbidden corporate territory. The greatest rise in IT security risk is occurring across mobile devices and third-party applications The risks caused by mobile devices such as smart phones and removable media and vulnerabilities in third-party applications have gained significantly since Ponemon Institute, 2012 (7) Vulnerable software on endpoints is one of the most popular attack vectors with hackers. This is because the method of exploiting vulnerabilities creates the doorways into corporate networks and the valuable data stored within. Just one insecure app that is left undetected and unremediated has the potential to poison your entire IT infrastructure. For example, there have been cases of undetected apps streaming information to external servers for months before detection. Here are some facts: Unknown third-party access via mobile apps is identified as one of the top five threats faced by companies in the BYOD era. (4) According to Gartner, users regularly play games, check personal s and run Apple itunes or Windows Media Player on their work computers. (1) In 2012, 243 vulnerabilities were discovered in Apple itunes alone. (8) 739 vulnerabilities were discovered in the top five most popular browsers in 2012; an increase of 17% since (8) Cybercriminals are increasingly targeting mobile devices, such as the Android platform which represents 80% of the global smartphone OS market. (9) An industry report highlighted that corporate board members were particularly vulnerable to cyber-attacks because: 1. 75% stored sensitive information on personal mobile devices, 2. 79% stored sensitive information on home computers and 3. 73% sent documents from their personal addresses. (10) If apps are deployed in an unmanaged and fragmented way, they can cause serious consequences on both corporate and employee levels: Theft and exposure of confidential data Financial losses Extensive downtime Reduced productivity levels Identity fraud Hijacked corporate communication (E.g. Twitter, Facebook, etc.) Damage to brand image and reputation Do you have an overview of what apps your employees are downloading and how secure they are? What about the apps already installed on their devices?

5 Attack vectors: the endpoint perspective To address the issue of BYOD and security, you must firstly look at the threat that insecure endpoints (both private and corporate) pose to your organization s security. The combination of private users who do not update their software and the proportion of the workforce bringing their own device to work is a risk-filled dilemma to address. Security updates issued by software vendors (commonly referred to as patches ), remediate the root cause of vulnerabilities and thereby neutralize a large number of attack vectors. (11) However, the main barriers to patching are: The sheer complexity of the process. Inadequate Patch Management routines and resources. Updating software for security reasons is not considered a priority for private users. How to know what programs to patch. A snapshot of a typical private PC in the U.S., for example, paints a worrying picture. Secunia s Country Reports (12) analyzing the amount of insecure software present on private PCs in various countries show that: 52% of U.S. PC users who had Java 7 with known vulnerabilities installed, hadn t patched it even though a patch was available. 13.9% of U.S. users had an unpatched Operating System. 61% of U.S. users had Apple QuickTime 7 installed on their PC. 42 % hadn t patched it. The reality is that a device like this could be logging on to your corporate network right now. It s not the Microsoft programs you should worry about There is a general assumption that you only need to update Microsoft programs to stay secure. This is a myth and an extremely misguided approach. Why? Secunia s Vulnerability Review for 2013 (8) revealed that 86% of vulnerabilities in the top 50 most popular programs in 2012 affected non-microsoft programs. In addition to this, an average PC user (13) typically has 73% programs from 24 different vendors installed on their system: 26 (36%) of these are from Microsoft and the remaining 47 (64%) are non-microsoft programs. If only the Microsoft programs are patched, this leaves 47 unmonitored programs floating around on the system; programs that could be insecure. Non-Microsoft programs/apps are undoubtedly where the danger lies. Tackling these attack vectors is a major challenge for any user or IT team to address without the right knowledge and tools in place. However, this is just the PC perspective of BYOD. Another important element to address is mobile devices. Imposing security apps on employees mobile devices is a headache since the software requires constant updates and are easy to circumvent The user can simply uninstall the app if they dislike it. Worst of all, these apps impact device performance and degrade user experience by stretching the already limited processor and memory resources on the mobile device. -ZDNet, 2013 (4)

6 The foundation stone of your strategy Is BYOD a cloud-based cocktail or a recipe for disaster? Success or failure, positive or negative as always, it is down to approach and attitude. Without a BYOD policy, your organization must be prepared for a greater exposure to threats and attacks, despite the best efforts of your IT team. The interrelationship between the BYOD trend and vulnerable software on endpoints is unquestionable if this bond is broken, it can allow end-user behavior to determine your organization s security posture. In contrast to this; implementing and embracing a successful BYOD policy organization-wide enables your company to reap the benefits of the trend as well as successfully handle the associated IT challenges, mitigate the organizational risks and secure your business. Here are some reasons why endpoint security should form the foundation stone of your organization s BYOD strategy: A central component of Enterprise Mobility Management (EMM) the industry term for the process of managing BYOD challenges is the control of apps on endpoints: Application Management. (14) Ignoring apps is listed as Mistake #1 in Forbes article on developing a best practice BYOD strategy. (15) Vulnerability assessment is considered one of the most valuable approaches for meeting organizations IT risk mitigation requirements. (7) Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and be detectable via security monitoring. - Gartner, 2012 (16) Although implementing a new BYOD strategy and solution within your existing IT systems management infrastructure could be a difficult task; embracing the challenge could actually be a good PR exercise for management and your IT team. IT will move beyond the perception of being mere gatekeepers to enablers instead the people who have their fingers on the pulse of technology. Consumerization of IT is clearly not going away, so enterprise IT managers cannot simply bury their heads in the sand. The challenge is to accommodate the work anywhere, anytime productivity and user satisfaction benefits that consumerization and BYOD can bring, while retaining enough control to keep company data secure and compliance requirements satisfied. - ZDNet, 2013 (14) To conclude; it comes down to the question: Is your BYOD glass half full, or half empty? If the answer is half empty, then your organization needs to swiftly look at ways to fill the glass with the right tools and resources to get up to speed. Otherwise, due to the rate of change in the corporate sphere and the intensifying threat landscape, there is a danger of becoming a relic of a bygone pre-byod era. BYOD To protect endpoints that are connected to the corporate IT infrastructure from the root cause of security issues: vulnerabilities in software, it is necessary to have visibility of the entire software portfolio at all times and be able to prioritize and patch the vulnerable programs. Vulnerability Intelligence and Patch Management tools are therefore critical elements for any best practice BYOD strategy and vulnerability remediation plan.

7 Notes 1. InfoWorld s Guide to a successful BYOD and mobile IT strategy. InfoWorld. February BYOD and Virtualization Top 10 Insights. Cisco: IBSG Horizons Study Global Survey Reveals First Generation BYOD Workers Pose Serious Security Challenges to Corporate IT Systems. Fortinet. June Five security risks of moving data in BYOD era. ZDNet. February Data Breach Investigations Report. Verizon Cost of Cyber Crime Study: United States. Ponemon Institute. October State of the Endpoint. Ponemon Institute. December Secunia Vulnerability Review Android Secures 80% Global Market Share. PC Magazine. August Special Report: Cybercrime. Accelus Thomson Reuters How to Secure a Moving Target with Limited Resources. Secunia Secunia Country Reports, USA. Q Secunia Country Reports: World. Available upon request. media@ 14. Consumerization, BYOD and MDM: What you need to know. ZDNet. February Developing a BYOD Strategy: The 5 Mistakes to Avoid. Forbes. March Adapting Vulnerability Management to Advanced Threats. Gartner. April 2012

8 Secunia can help Secunia offers corporate and private solutions for PC and mobile security. We can assist you with your BYOD questions and Vulnerability and Patch Management needs. CSI VIM PSI PSI Corporate Software Inspector Vulnerability Intelligence Manager Personal Software Inspector Personal Software Inspector for Android Further reading from Secunia How to Secure a Moving Target with Limited Resources. /products/corporate/csi/howtosecure2013/ Secunia Vulnerability Review /vulnerability-review Secunia Country Reports. /countryreports Educational institutions are treasure chests for cybercriminals. /resources/reports/education-sector-whitepaper For further information about Secunia s competencies, please contact sales@ Visit us at Stay Secure. facebook.com/secunia twitter.com/secunia gplus.to/secunia linkedin.com/company/secunia