Mitigating Bring Your Own Device (BYOD) Risk for Organisations

Transcription

1 Mitigating Bring Your Own Device (BYOD) Risk for Organisations Harness the benefits and mitigate the risks of BYOD espiongroup.com

2 Executive Summary Mobile devices such as smart phones, tablets, or laptops enable employees to harness consumer technology with greater benefit in the workplace. Employees are increasingly presenting business cases in favour of BYOD that add value to the business. This document aids readers in understanding and mitigating the security challenges, enterprise risks and data concerns associated with employees using personal devices for work related endeavours. Risks addressed include unauthorised access to the corporate network, data loss, data leaks, data breaches, data privacy issues, and data exposure via social media (intentional or unintentional). Organisations permitting BYOD in the workplace face serious challenges from a range of perspectives including; enterprise risk, information security, data privacy, governance, device support and asset management, and from financial concerns such as reduced CAPEX but increased OPEX costs. Risk mitigation can be achieved through the development and implementation of an enterprise-wide mobile device strategy. Such a strategy is essential to achieving business goals while reducing risk to acceptable levels. To be effective a BYOD strategy must be well-defined. In this report, examples are given of how controls and policies can be put in place with respect to data storage, remote wiping of devices, intellectual property ownership, security and legal issues, and data in transit. With proper risk management policies in place, enterprise risk can be reduced in line with the organisation s risk appetite. The key outcomes of implementing strategy and applying the relevant policies, are risk mitigation and improved organisation security posture. What is happening? Changes in the Nature and Volume of Data Usage There are currently an estimated 7.7 billion mobile connections according to GSMA intelligence. 1 Global mobile devices and connections in 2015 grew to 7.9 billion, up from 7.3 billion in Some of the key points of interest: 2 Global mobile data traffic grew 74% in 2015 year on year Mobile data traffic has grown by a multiple of 4,000 over the past 10 years and almost 400 over the past 15 years Fourth-generation (4G) traffic exceeded thirdgeneration (3G) traffic for the first time in Mobile video traffic accounted for 55%of total mobile data traffic in These statistics demonstrate a huge upsurge in mobile technology adoption, an inescapable global change. Perception of Risk The explosion in consumerisation has led to employees using their own mobile devices in the workplace to avail of business services. Mobile computing and bring your own device (BYOD) is creating huge innovation in the workplace. However, with the increase in mobile device usage in organisations comes greater risk, and greater responsibility. More often than not, companies are not aware of these new risks and responsibilities. Where they are aware of them, organisations often see the increased responsibility and risk as a burden, resulting in a lack of proper security policies and governance planning. This paper will provide insights into how to mitigate potential threats (staying safe) introduced by mobile computing in the workplace, security challenges faced by the organisation, and how proper security policies should be implemented and governed provider/visual-networking-index-vni/mobile-white-paper-c html Page 2

3 What will the Risk Impact be? BYOD impacts the risk associated with the following responsibilities of the Chief Security Officer: Data Privacy Cost Infrastructure The question has to be asked Is there value to be gained from BYOD? The answer must be weighed against cost of implementing a risk mitigation policy. If it does not make sense then an outright ban must be imposed. Data leaks or unauthorised access to the corporate network may be gained by attaching or tethering an unauthorised device to a valid corporate authenticated device. This may result in unauthorised access to the corporate network. Data breaches or unauthorised access of the corporate network or data theft can also occur after the loss or theft of a device. There have been several corporate breaches as a result of employees mobile devices being directly targeted for theft; resulting in the loss of sensitive corporate data or intellectual property 34. Risk to Data at Rest or in Transit Organisations permitting BYOD in the workplace are potentially facing issues, caused by physical mobility, resulting in the following risks: Risk In Transit At Rest Example Using wireless networks Storage on devices Risk Example Data Theft Data Leaks Data Breaches Data Exposure and Privacy Issues Accessing unsecure wireless network Tethering unauthorised device to corporate network Loss or theft of device Malicious exposure via open communication channels or intentional or accidental sharing via social media Data loss or theft as a result of being attached to an unsecure wireless network poses a serious threat to an organisation. Many wireless networks are inherently less secure than their wired counterparts; transmitting all data in clear text format, which can allow others on the network to sniff sensitive information. Not only is employee privacy at risk (personal banking details, web account passwords etc.), but so too is corporate data. Also, many portable devices have storage capabilities where corporate data can be put at risk when stored unencrypted. Risks to Privacy of Communication Data issues and their risks may be realised should an organisation s corporate data be exposed as a result of malicious intent, or accidentally via sharing through social media, webmail, cloud storage, instant messaging (e.g. WhatsApp), or other communication channels not being filtered by the employee s organisation. The cause of these risks is the nature of open communication channels. In addition to data theft or loss, mobile devices are a possible vector of a malware infection on the corporate network. All mobile devices can be used by hackers to pivot into the corporate network. Not only can this result in the loss of data, but can also allow attackers to further exploit vulnerabilities in place in the main corporate network, deepening the intrusion into your organisation. 3 Power R, Corporate Espionage : Tomorrow Arrived Yesterday (Power, 2010) < 4 Chinese Professors Among Six Defendants Charged with Economic Espionage and Theft of Trade Secrets for Benefit of People s Republic of China OPA Department of Justice < Page 3

4 Operational Risk to Infrastructure Systems and Software Risk Attack Vector Loss of Device Example Malware or Malicious App Device Stolen or Misplaced Operational and support resources are impacted, caused by the growth in, and diversity of infrastructure. The additional devices and variety can lead to a huge increase in demand for support from IT staff. If no uniform standards have been agreed, then technical support staff may lack the required skill and experience to provide adequate support to employees. A lack of asset management for BYOD employee mobile units may result in a lack of knowledge as to what types of hardware and OS are accessing the corporate network. This can lead to unpatched and vulnerable software applications, exposing the enterprise to even more risk. Cost Capital expenditure (CAPEX) costs may decrease with increased BYOD adoption but operation expenditure (OPEX) costs may increase. While at first BYOD may seem beneficial, additional support, integration, governance and employee expense costs may cancel out the envisaged benefit. It all has to be managed effectively to achieve long term benefit. Recommendations reviews, modifications and improvements made. Deming s Plan-Do-Check-Act (PDCA) model is a good method for this 5. The primary goal should be to improve the maturity level of the organisation s security posture. Tools to support the strategy (include but are not limited to): Risk assessments periodic and ongoing Policy To include items covering the challenges, e.g. MDM Governance to support strategy and underlying policies Included in this should be a clear policy on devices connecting to the organisation. All good policies are simple to understand, add value and are easy to maintain long term. To be adopted on a long term basis the policy must be business focused and easy to implement with technical support, otherwise employees will find ways to circumvent unsuitable aspects. Policies should focus on the following aspects: Data at rest and in transit must be encrypted and secured Information security risks are reduced and managed CAPEX and OPEX must be reduced Asset management must permit the easy distribution of software updates Flexibility for managing large amounts of devices Compliance and governance Items such as intellectual property developed on BYOD devices and management of personal data (e.g. images) must be agreed and communicated. It is important while developing the strategy that proper risk management is implemented. A proper risk assessment should be conducted at the beginning of the strategy development and corresponding mitigations put in place to reduce the potential risks while maximising the advantages to the business. The image below illustrates risk analysis from the ISO Risk Management framework. Strategy Governance & compliance Mobile device management (MDM) Develop a Strategy Developing an enterprise-wide mobile device strategy is essential. It should be iterative in nature with periodic 5 The W Edwards Deming Institute, THE PLAN, DO, STUDY, ACT (PDSA) CYCLE The Deming Institute ( 2015) < Page 4

5 Figure 1: ISO31000 Risk Analysis Allocate Resources and Train Staff Proper budgets and resources must be allocated to the corporate BYOD policy. Staff must be trained to support the additional number and variety of devices. Additional support staff may have to be hired in order to meet support requirements. Training - Implementing risk management controls needs to be addressed, for example software licensing and user training (patch the humans). Policy - Policies on security incidents/breaches, compliance, will have to be drawn up with staff assigned for maintaining governance. Page 5

6 Compliance and Governance Devices attaching to the network should be kept up-todate with the latest security patches. Unauthorised access to the corporate network must never be permitted, to prevent the introduction of malware or unauthorised release of sensitive data. All BYOD implementations must adhere to corporate, legal and any regulatory (e.g. PCI DSS) standards. Proper monitoring and auditing of all standards and required compliance must be maintained and enforced. Governance staff may need to be assigned to ensure compliance. Full audit trails relating to data access and movement will need to be recorded. Suggestion: Employees must sign and agree to formal policies such as: Data access Data privacy Internet usage Intellectual property Data ownership Cloud services A financial company may be in breach of client contracts if sensitive data is being backed up via cloud services hosted in multiple countries. The data may be traversing certain countries that place the client in breach of financial regulations. Order: Conduct vendor research and mandate permitted cloud providers prior to committing funds. Summary In this report the various issues facing BYOD were discussed, the main points are re-iterated below: Risks Impact Cost Infrastructure, data and privacy Strategy Organisations permitting BYOD in the workplace face operational challenges such as information security, device support, asset management, and financial concerns such as increased operational costs. Data issues, corporate network breaches, and malware insertion, are all serious risks. Organisations must be aware of enterprise risk and governance concerns associated with mobility technology in the workplace. To achieve business goals whilst reducing risk to acceptable levels, risk management and a mobile device strategy should be implemented. The CISO must enforce accountability for monitoring and auditing of all standards and required compliance. Regular risk assessments and security reviews should be conducted with recommendations implemented from assessments and security audit findings. Organisations with BYOD in the workplace should formally assess the benefits versus the increased risks associated with mobile device adoption. The organisation must ensure that proper security policies, governance and risk management frameworks are implemented to protect security and prevent data loss once the business case is understood. Page 6