A business must be agile in order to succeed, making use of all possible strategies to increase their bottom line. One strategy in information technology that has become popular in recent years is encouraging employees to bring their own devices to work, commonly referred to as BYOD. This approach makes sense, as the more devices owned and used by employees on a daily basis results in reduced costs for purchasing and provisioning devices by the company itself. The costs in time and money for employee technology training are also subsequently reduced, as an employee would already know how to use their device if they bring it to work on a daily basis.
Reduced cost, increased familiarity and boosted employee morale are advantages that can convince most companies to support this stratagem. However, this can leave a company open to a multitude of information security threats unless the BYOD policy takes steps to protect against unauthorized releases of proprietary information. Without a security policy in place, an employee’s device could become compromised, allowing a malicious attacker to use privileged information for their own purposes. Alternatively, a disgruntled employee could also transmit information to competitors, an eventuality that businesses would want to prevent.
These security threats do not preclude the use of a BYOD policy, nor do they take away the lucrative advantages of BYOD. Instead, these issues encourage foresight before implementing a BYOD policy that takes these issues seriously. While you can make use of security features already common in corporate network infrastructures, you can also use Mobile Device Management application suites that protect confidential data while still allowing an employee to enjoy their own device.
Define a mailbox security policy
Due to the amount of information exchanged via email within a company, configuring a mailbox policy in your Mobile Device Management solution is critical to protect important information. Using your company’s existing email infrastructure through suites like Microsoft Exchange or Office 365, you can limit email retention and attachment sizes. By limiting the retention of email on a device, management can make passage of time to work to their advantage. If a device without a retention policy was accessed by a malicious user, potentially years of emails can be exposed. However, if the malicious user accessed a device with a short retention policy, they would only have access to only the most recent exchanges, as any threads that are old enough are automatically deleted.
Ensuring that only small attachments are permitted will help to prevent wholesale disclosure of privileged corporate data. For example, if a malicious user tried to email a large archive file, perhaps over 10 MB in size, any attempt to send the file would fail and alert IT staff.
It is also common sense to require a password to access both the email account and the device, and enforce encryption on device storage. This will help to foil attacks by disgruntled employees and malicious users while protecting employees and the company’s private information.
Control access through authentication
When using a BYOD policy, creating layers in Network Defense provides an increased ability to protect information assets. Corporate networks are regulated and using ACLs, which define what users, protocols, applications or specific devices have access to specific parts of the network. For instance, certain departments would only have access to specific file servers, printers or databases. This limits the amount of information that a malicious user could access, even if they had access to a device. Depending on the company, these ACLs also prevent users from reaching file-sharing websites, personal email or any other activity that would be potentially harmful to a company’s proprietary information.
If a device was found to be compromised or otherwise unwelcome in a corporate environment, the device can be cut off from the network by having its MAC address added to a blacklist or having the username associated with the device disabled. Planning and creating a VLAN for BYOD devices will help maintain control. By putting all BYOD devices on their own VLAN, it separates them from network resources that management would not want them to access.
Use appropriate network layers to authenticate devices
Layers in Network Defense are critical, and the presence of different types of devices under a BYOD policy add an additional layer in that they require a wireless network. Most employee devices that fall within a BYOD policy are wireless, especially smart phones and tablets. These devices can be integrated into an enterprise wireless network, but they must be trusted before accessing resources. One way to ensure trust is to enforce a tight network access and security policy by having each user authenticate themselves to the domain controller. If a company makes use of a PKI infrastructure, take it a step further by having clients authenticate themselves when using devices under the BYOD policy.
Ensure that BYOD devices play by the rules of the network
Even though the employee may own the device, they are still making use of a corporate network, and they must follow the rules. While network security devices are often already in use before a BYOD policy is implemented, it helps to be sure that BYOD devices are especially scrutinized. One way to make this happen is by directing all traffic to and from BYOD devices through a firewall as well as an IPS or IDS. By implementing this approach, certain file types, web sites, protocols or anything that the company frowns upon can be blocked from the get-go. This especially proves useful if a BYOD device is infected by malware, since some network security devices use signatures that allow them to recognize and block malicious programs before they can cause harm.
Conclusion
Employee devices that are introduced into a workplace do not have to be a threat to existing infrastructure and proprietary information. By making use of a well thought out BYOD policy, a company can obtain several advantages, both from the perspective of cost but also through employee morale. A company that makes use of a BYOD policy will reduce the cost of purchasing and provisioning equipment, as the cost is handled by the employee. The fact that the employee owns the device and is already familiar with it reduces training costs and increases productivity. When proper steps are taken to protect the company’s private information under the BYOD policy, employee devices and the corporate network can work together to produce profit for the company.
Thiruvadinathan is a former Happiest Mind and this content was created and published during his tenure.
