How to Keep Your Company Safe
By: James Azar
You can’t stop progress, and you can’t stop the ever-expanding use of smartphones and other wireless devices either.
Many companies are now taking the initiative to either incentivize or require their C-level management to bring their devices from home, or at least to carry a company-supplied cell phone. Upper management is now comfortable using cell phones in meetings and while traveling.
This has multiple implications for cyber security, and Bring Your Own Device (BYOD) policies are needed. Policies that hold within the walls of your offices are simply harder to enforce in the outside world, yet we need our employees to be contactable out of hours, round the clock and en route.
This may leave you wondering how to develop a BYOD policy and how best to implement it. Read through our five key points and ask yourself which apply to you.
1. Security policy
Believe it or not, most people fail to use multi-factor authentication on their phones and resist using complex passwords. This could be for a variety of reasons, but mostly because it’s simply easier to open their apps without going through security checks.
This may be true, but it isn’t a good enough reason. Any device connected to your company system holds sensitive data, and that data needs at least a few hurdles in front of it before an intruder can reach it. Before using devices connected to your system, users must go through an MFA process and/or set a complex password to reliably protect your software.
2. Decide what services BYOD device holders will receive
As a company you’ll have to decide the level of support available for connections made to your network from devices not owned by the company. Will you pay for maintenance of these phones? Will you provide support for applications installed on them? If there is a problem with the cellphone, will you provide a loaner while the phone is being fixed? Is your support limited to a "wipe and reconfigure" action?
These are questions that only you can answer, but the answers will affect the level of security control you have.
3. Who owns what?
Your company owns the data stored on its servers, even if your employees access it with personally bought devices, right? Maybe not, or at least it isn’t so simple, especially when you may want to wipe that data in the event of a cyber intrusion.
If the phone is storing photos, videos, apps and other personal effects of your employees, you do not reserve the right to erase these, as you have not paid for them. If you have a BYOD policy, is it crystal clear that you reserve the right to wipe the data that is covered by your plan?
4. Make app decisions
For anything connected to your environment, decisions will need to be made about social media browsing, VPNs and any other software that provides remote access. Be clear on whether users can download an application that presents security risks, which to some extent is every application, and on where you are willing to accept those risks.
Each and every application will need to be thoroughly verified for security flaws and weaknesses. Moreover, the legal implications of your users downloading questionable or illegal apps will have to be addressed without invading the privacy of those employees.
5. Time to say goodbye
When employees leave the firm, their devices will have to be checked and their access removed: access tokens, email access, data and any other company information. You will have to be clear in your policies about whether you plan to wipe the BYOD device as a mandatory off-boarding procedure.