How To Offset Your Customers' BYOD Risks10:42 AM EST Tue. Dec. 11, 2012
Whether or not bring your own device (BYOD) policies save companies money or cost them more is still being debated, but one thing is certain: These policies increase complexity while decreasing direct control over data.
Few employees are walking into a Sensitive Compartmented Information Facility (SCIF) each morning, where their devices are confiscated for the day. Pandora's box has been opened; mobile devices are freely roaming your customers' halls. Our objective is to help you instill the hope that an effective containment and management strategy can be implemented. Following are five recommendations for solution providers who need to help organizations quickly assert control in a BYOD world to more effectively manage technical and human risk factors.
Firm Up BYOD Policies
Review your clients' BYOD policies and ensure they include provisions for remote wipe and remote application management capabilities, the right to confiscate and search devices, and the right to dictate which applications are allowed and prohibited. These policies should be cleared through the legal team to make sure that language is adequate, and that it will work in all applicable jurisdictions. For example, IBM earlier this year banned access to Apple's Siri application, as well as access to Dropbox, for company-managed devices. It is important that BYOD policies allow such rules to be implemented and enforced.
In addition to helping customers write strong policies, it is also important to ensure there is a mechanism for resolving disputes, such as those related to privacy concerns. Users will be understandably concerned if their private devices are seized. Providing a method to secure copies of personal information, as well as a way to protect other pieces of private information (e.g., nonwork text messages, email and instant message logs) will go a long way toward easing those concerns.
Similarly, it is important to make it clear to users any legal obligations businesses have when reviewing these devices, such as in the case of uncovering potentially illegal materials. Don't forget to include provisions for unmanaged devices too. Just because a user does not wish to participate in the officially sanctioned BYOD program does not mean that their device is innocuous. On the contrary, unmanaged devices represent a blind spot that may represent even greater risk to businesses than those people willingly agreeing to follow the rules.
Apply Technical Controls
It is important to build on strong policies by implementing technical controls, such as mobile device management (MDM) and mobile application management (MAM) solutions. Where possible, enforcing device encryption and passwords will help reduce associated technical risks. Improving access management requirements, such as by mandating two-step or two-factor authentication, can further help reduce the risk of a lost device immediately leading to a data breach.
NEXT: Limiting Use And Holding Accountability
Limit Approved Applications And Uses
Reminiscent of "acceptable use" policies of yore, BYOD policies should include explicit guidance on acceptable behavior and uses. Application whitelists and blacklists should be leveraged to back up these explicit instructions. Fortunately, many cloud applications have evolved to include enterprise versions that afford better control over devices and data. For example, most major cloud-based, file-sharing services now provide enterprise versions that allow better direct management and segregation of corporate data, as well as supporting reasonable secure collaboration.
From a legal perspective, be sure to review all licenses for cloud-based applications to ensure that data is handled responsibly in those environments. Review of these agreements should follow the same review and approval process that would be normally used when considering outsourcing partnerships. Providers can help businesses make quicker, better-informed decisions by clearly stating standard practices up front, rather than playing games using obscure legal language and obtuse SLA descriptions.
Implement Next-Generation ET&A
The technical landscape is changing very rapidly. It is unreasonable to think that simple annual security awareness training is remotely useful for addressing concerns like those inherent in BYOD policy implementation. The good news is that you can help your customers develop modern education, training and awareness (ET&A) programs to provide users a more meaningful perspective on the rules, and effectively remind them of their obligations and the cost of noncompliance.
Modern ET&A programs should:
1) Clearly state the expected level of performance.
2) Clearly state the rationale for the requirement.
3) Clearly state the cost of noncompliance.
These programs should then integrate assertive, proactive components that include simulated attacks against users (e.g., phishing awareness training) and random review of devices to evaluate compliance with policies. These programs must walk a fine line between being respectful and being inappropriately intimidating. The desired outcome is to explain to users what is required of them, why those requirements have been levied (e.g., include a clearly expressed business risk analysis) and what sort of consequences can result from noncompliance, both for the business as well as for themselves. It is typically undesirable to instill a culture of fear among the user population, but it is wholly appropriate to make people aware of the risks and consequences. Human risk factors represent one of the most challenging areas for risk management programs to control. An effective risk management program must find ways to address human risk factors as well as technical concerns.
Hold Users Accountable
It is imperative to establish a culture of accountability as part of an effective risk management program. BYOD policies provide a front-line opportunity to implement and enforce accountability requirements. Policy violations must be documented, and remediation must occur -- even if that means having to terminate personnel. All the technical controls in the world do no good if a user can walk into an environment, copy sensitive data to their device, walk out and cause a data breach. Include representatives from HR and Legal to ensure that BYOD policies have teeth. Otherwise, your customer's environment will be at the whim of their weakest -- or most malicious -- links.
It has quickly become irrelevant whether or not personally owned devices will be inside corporate environments. As such, the next best step is to work assertively to manage the technical and human risks endemic to these new threat vectors. A combination of stringent policies, assertive technical controls and proactive management of human risk will help control liability while allowing organizations to optimize integration of BYOD policies as part of standard business practice.
Chris Caldwell is CEO at LockPath.