How to prevent a BYOD data breach

When your data is compromised, can you 'go nuclear' on your staff's BYOD hardware?
28 December 2018

Have you considered the security implications of your BYOD policy? Source: Shutterstock

The always-on, 24/7 business culture that now predominates around the globe has its upsides for business.

Thanks to technology, employees’ work patterns can now mirror the always-on uptime of hardware systems. But this ability to work anywhere at any time goes a great deal deeper than the ability to read emails during a commute. There are significant consequences for the enterprise on the flip side, too.

The cell phones we all carry today are misnamed: “very powerful portable computers that happen to make phone calls” would be a better description, and the situation means that many business applications are accessed via the small, portable device most of us own.

Everything now is optimized for mobile – apps, websites, databases, services – as we turn increasingly to the devices in our pocket to act as the first choice for a conduit to the connected world.

The two flies in the ointment for businesses are the intermingling of personal and business data thanks to BYOD (bring your own device), and the resulting security implications with regard to the exposure of an organization’s private, and often sensitive, data.

Cybersecurity companies are tuning their products to focus on end users as the primary source of data breaches in today’s business environment. User education and protection are expanding opportunities for security companies, as perimeter defenses (while still relevant) cannot hope to surmount problems caused by simple human error.

So, if your staff is accessing private information on personal devices, what rights do you have as an employer to protect your business’s data?

By default, most applications and services are accessed via authentication methods that are device-agnostic. In short, if you release a set of log-in credentials for a shared resource in the enterprise, it’s usual for an individual to be able to log in using a phone, tablet, laptop, thin terminal – whatever tends to be handy. Limiting access by MAC address verification (for example) is often considered inconvenient by users, and isn’t entirely secure in any case.

Of the devices used to access networked services, at least one will, in all likelihood, be owned by the employee. When mobile working became a daily reality for many companies, some issued their own devices, but carrying two phones, two tablets or even two laptops was regarded as an inconvenience by staff.

If a company is to protect data adequately, it needs to ensure that endpoint protection systems are installed, to monitor access, and in extremis, to wipe all data remotely, on every device that has access.

Clearly, this is difficult to do overnight, especially after several years’ unfettered BYOD-based access to an organization’s data. So, alongside the clauses concerning acceptable network use policies signed by onboarding staff, there needs to be a legally-binding agreement that states that the employer can manage any mobile device – up to and including a total wipe of the device. This step would, of course, destroy the user’s personal data.

A recent court case, while landing in favor of the employer, has not set a safe precedent that makes the employer’s position watertight. Therefore, there is a need for a policy that’s clearly stipulated and understood by all parties. Endpoint management systems usually have the option of remote data wipes for BYOD hardware: the challenge for businesses is ensuring the legality of its fullest use.

There are solutions on the market that will attempt to silo the business’s applications discretely from the device owner’s apps and data on a mobile device. But due to various manufacturers’ limitations, these options are not turnkey solutions.

If the greatest threat to cybersecurity comes from simple mistakes and human misadventure, letting the same people loose outside the workplace with access to sensitive data is a recipe for disaster. If a company wants the advantages of a mobile, always-connected workforce, but none (or at least fewer) of the security issues, what’s to be done?

Without endorsing one product over any other, here’s TechHQ’s guide to steps that can be taken to help close this potential security gap:

# 1 | Use the business, not personal variants of services

Ensure your company uses the ‘Business’ tier of any service that’s in everyday use. Staff are highly unlikely to be signed up to the same service in the same way. Therefore, it’s less likely that sensitive information gets saved (for instance) into a user’s personal Dropbox account than the employer’s Dropbox for Business account.

# 2 | Pay for your services

In the event of you needing your cloud service provider’s help to shut down access for compromised accounts or users, they are more likely to respond promptly if you are a paying customer. Free account tier customers hold little weight and are prioritized accordingly when problems occur.

# 3 | Install endpoint protection

While the legal grey area of BYOD hardware installs needs to be carefully negotiated, it should be a given that devices that are issued by the business are entirely manageable remotely. Laptops, desktops, second machines loaned for home office use – all need to be secured and managed by a centralized solution.

# 4 | Create BYOD agreements for on-boarders

After your policy on BYOD has been determined, it needs to be embedded in your onboarding systems for new staff, contractors, and ad-hoc and temporary staff.

It may be difficult to introduce these policies to existing team members retrospectively – but gradually, agreements need to become widespread until that small print covers every device accessing company data.

# 5 | Shift your cybersecurity stance

Hackers are targeting networks less, and people more, but the mindset of security teams is still to protect the network. While perimeter protection remains very important, the focus needs to reflect hackers’ most productive conduit – the people who work in an organization.

# 6 | Train & educate

From simple lessons in online hygiene to more in-depth and on-going education plans that inform staff about cybersecurity threats, education of employees is vital. The more your teams know about possible dangers and potentially compromising behavior, the better. Education investment will create a significant ROI – people aware of risk rely less on (expensive) protection methods.

As with all cybersecurity issues, the skill is in a balancing act between empowering the workforce and screwing down systems so they’re impregnable – and unworkable. Technology platforms can help, but the responsibility falls to employers to ensure employees adopt good practice, whatever the platform.