Jay Cawley PSU ID#: JSC5286. Erasmo Vargas Jr PSU ID#: EMV5125. Sean Bowers PSU ID#: SVB5441

Transcription

1 Team 3 - The Titans Jay Cawley PSU ID#: JSC5286 Erasmo Vargas Jr PSU ID#: EMV5125 Sean Bowers PSU ID#: SVB5441

2 Bring Your Own Device (BYOD) What are good security policies for enterprises allowing BYOD to implement? The perceived cost savings to employers ensures future growth of BYOD, while the cost of data breaches is made more expensive through BYOD use. The risks posed by users, malware, and malicious attacks will pose new challenges for users and IT departments alike. Both groups will need to be cognizant of the security environment.

3 The Changing Workforce Younger workers are increasingly likely to use personal devices at work.

4 Cost of Employee Mobility The average company employs around 738 employees - each having 1.54 mobile devices. Average monthly cost is $ per month, which is $1, per year that it cost to have a mobile employee. The cost is shifted to the employee with BYOD (Upgrades, replace lost device, and accessories) Source: CIO

5 BYOD Breach Cost The US experience a total average cost of data breach at more than $5.4 million dollars in The average cost per record is $194.00, and the average size of breaches for organizations in the US is 28,765 records. Data breach cost include: a. Detection & Escalation Cost (includes forensic & investigation, assessment & audit services, crisis team management, and communications to executive management & board of directors) average cost of $395,262. b. Notification Cost (determination of regulatory requirements, engagement of outside experts) average cost of $ c. Post Data Breach Cost (help desk activities, inbound communications, legal expenditures, product discounts, identity protection services & regulatory interventions) average cost of $1,406,548 d. Lost business Cost (Abnormal turnover of customers, increased customer acquisition, reputation losses and diminished goodwill) average of cost of $3,030,814 Chart Source: Ponemon Institute Source:

6 InfoSec and BYOD BYOD represents a new and growing challenge for the IT professional to secure enterprise data.

7 BYOD Risk Common Vulnerabilities in desktops are now seen in mobile devices. Android malware has increased 400% in Many apps have flaws which can transfer sensitive or unencrypted data. Mobile devices provide many entry points to hackers through communications (sms, , phone, and video & photo), location information, voice recordings, documents, and credentials. Three favorite hacker attacks vectors are insufficient cache controls, replay attacks, and code injections. Source: Trustwave Holdings, Inc.

8 BYOD Concerns According to backgroundcheck.org $7 million worth of phones are lost every day around the globe. ⅔ of phone losses happen between 9pm and 2am (Random fact: 4 phones are lost in Niagara Falls every day). Lost or stolen phones are the biggest security concern and loss of company data. Careless employees are also a concern to BYOD, which include: outdated operating systems, logging onto unsecured wireless networks, failing to password protect device or perpetually logged into their applications, and allow others to borrow devices or change of ownership. The increase of mobile application and device storage makes it possible for employee s to carry larger, more complex and sensitive data in their pocket. With so many users failing to use a password to gain access to their phone, personal contacts, , social-media accounts, and other sensitive data - valuable information is a few clicks away. Graphic Source: King (2014)

9 BYOD Security Solutions

10 Suggestions for BYOD Users Device ownership is shifted from the traditional enterprise to users in the BYOD model. Consequently, device security is commensurately shifted to users. Veracode makes the recommendations shown to better secure mobile devices that connect to sensitive company data. Source: DuPaul (2012)

11 Suggestions for BYOD Users Additional recommendations Users will be required to take a more active role in device security. IT departments can encourage and reinforce this behavior through policy tools: Waivers Training Source: DuPaul (2012)

12 Suggestions for IT Departments Huawei suggests a separation of corporate and personal data. Corporate data can be encrypted Personal applications cannot access corporate apps Corporate data can be wiped without loss of personal data Source: Huawei Technologies Co., Ltd.

13 Ethical / Legal Considerations Suppose an IT department needs to work on an employee s personal device, and finds illegal material. Some of the ethical and legal considerations that should be weighed as part of a comprehensive security policy (the answers to which may vary by jurisdiction): Does the IT team have the right to search personal information? Does the team have an obligation to call law enforcement? Would this finding be admissible in court? Was the employee's privacy rights violated? Was the BYOD policy enough to cover such a search? Suppose it is discovered that the employee was working on something contrary to company policy, can the company remotely wipe the device? Can the company wipe personal information? Source: Rose (2013)

14 References DuPaul, N. (2012, October 10). Why you should care about mobile security infographic. Veracode. Retrieved from Huawei Technologies Co., Ltd. (2012). Huawei BYOD Security Solution. Retrieved from Kaneshige, T. (2013, August 8). A visual guide to identifying the hidden costs of BYOD. CIO. Retrieved from King, S. (2014, January 9). BYOD and risk sandwich. Netswitch Technology Management. Retrieved from: Lee, A. (2012). $7million worth of smartphones are lost everyday. Techno Buffalo [web log]. Retrieved April, 2012, from Ponemon Institute (2013, May 28) cost of data breach: Global analysis. Retrieved from Rose, C. (2013). BYOD: An examination of bring your own device in business. The Review of Business Information Systems (Online), 17(2), 65. Retrieved from docview/ ?accountid=13158 Trustwave Holdings, Inc. (2014). The high cost of BYOD [Infographic]. Retrieved from: