How to create a BYOD policy that keeps your business data secure

Bring your own device (BYOD) policies are commonplace in many organizations today. Employees bring in their personal cell phones, laptops, tablets and other mobile devices and use them to connect to corporate networks. Additionally, employees regularly use personal computers and other devices not owned by the organization to work at home or on the road.

Unfortunately, BYOD can be risky for organizations that do not implement adequate security controls.  Personal devices that aren’t properly managed by the company often have inconsistent security controls implemented on them. For example, one device may lock out after three minutes of idle activity and require a complex password, while another may not even require a password to log on. However, both devices may be used to access sensitive or critical business data. For organizations that lack strong and consistent security controls, BYOD can easily turn into a security nightmare. Here’s a quick list of steps you can take to create a BYOD policy that will protect your business data:

  1. Establish a policy that governs how BYOD devices can connect to and use organizational systems, how they should be backed up, and which security settings should be in place.
  2. Configure devices to connect to network resources over a transparent virtual private network.
  3. Gain greater control over mobile devices with a Mobile Device Management (MDM) solution. MDM solutions allow for more consistent security settings to be applied to devices. For example, applications can be whitelisted or blacklisted, BYOD devices can be geofenced, and jailbroken phones can be banned from connecting to networks or data stores.

BYOD and the ransomware threat
A large percentage of BYOD devices are mobile phones or tablets that are susceptible to some forms of ransomware. Mobile ransomware viruses often masquerade as enticing applications such as POGO Tear, which pretends to be a Pokemon Go application; Android defender, a bogus antivirus app; Charger, a fake battery management app; Lockdroid, a counterfeit Google Android update package; and Lockscreen, a deceptive Android lock screen app. Some mobile devices have been found to have malware pre-installed on them. The owners of those devices did not need to download a fake app. They were infected the moment they powered up the new device.

The good news is that mobile data is often easy to restore if appropriate backups have been taken of the phone or tablet. The bad news is that an infection may not be limited to your device. Worms may propagate through mobile email clients to your contacts. Additionally, some malware may infect a mobile device and then be transmitted to a computer when the device is connected for charging or data exchange.

Protect yourself by keeping your mobile operating systems and apps up to date. Consider a mobile firewall and a mobile antivirus solution, and make sure you back up your device. Other BYOD devices such as laptops should be equipped with endpoint protection software and secure, up-to-date operating systems, and they should be backed up regularly.

iPad in the Enterprise: What is the Risk?

“Thinner. Lighter. Faster. Facetime.” That is the catchphrase from the Apple page dedicated to the iPad. While Apple is known for the pithy titles it gives its amazing products, there is one thing that is oft ignored but always important, and that is security. More and more people are adopting the iPad, and some are using it to access business data, but how can they do that securely? This article outlines the risk of using the iPad in the enterprise and some dos and don’ts for iPad security.

Consider this office scenario surrounding the iPad. The iPad 2 has just been released and an executive is interested in one. Soon, with the help of a few tech-savvy people in the office, he is connecting to the corporate network and accessing company data and systems. The thought of security never entered his mind. What can be done to protect this company from data loss?

While an iPad may provide a bump in productivity, it also provides another portal for hackers and thieves. The problems range from a lack of uniformity in software that protects against hacking to generally nonchalant behavior among employees about the protection of their iPads.

One of the major pitfalls of the iPad is the relative dearth of protective apps in Apple’s otherwise immense app store. Also, those apps that are available for protecting an iPad are not uniform. Apple does scrutinize apps that appear in the app store, but their net is not without holes, and an app that has malicious intent may slip through the cracks.

Even if there were uniformity within applications concerning security, there is no uniformity between users. Much of this has to do with the perception of the device. If users were to treat their iPads less like a magazine or a newspaper and more like a company computer, the need for more than the out-of-the-box security would be clear. Here are some simple dos and don’ts that users and administrators should be aware of that can increase the security of the iPad.

Dos

  1. Locking the device. The iPad can be configured to lock the screen at a predefined interval, similar to the screensaver setting on a computer. When the device is locked, a password is needed to unlock it. The iPad can also be configured to delete all data if an incorrect password is entered too many times.
  2. Encryption. iPad data can be encrypted; however, the encryption used on the iPad is currently vulnerable to some attacks. Still, an encrypted iPad is better than an unencrypted one, and we await patches from Apple to resolve the vulnerabilities.
  3. Virtual Private Network. Use a VPN when connecting to a corporate network. The iPad ships with Cisco VPN software so that a secure tunnel can be created for connecting to another network. The VPN works with common IPSec, PPTP, and L2TP VPNs.

Don’ts

  1. Jailbreaking. Some users desire features that are not included in the official iPad operating system, so they go through a process called “jailbreaking”, where a new operating system is loaded onto the device or the operating system is modified so that these features become available. In the process of jailbreaking the device, however, many new security holes can be created, and it is difficult to update the device when newer versions or patches are released. Newer versions and patches often correct recently discovered vulnerabilities, so devices that have been jailbroken will remain susceptible to these vulnerabilities.
  2. Sharing. The iPad is a single-user device. It does not have the capability of letting multiple users log onto it, so if the device is shared with someone else, all the data will be available to them. If possible, do not share an iPad that is used for work purposes with others.
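
The MDM controls listed in the BYOD steps and the iPad dos and don'ts above can be expressed as a posture check that gates network access. This is an added example, not code from the original articles or from any MDM product: the `Device` record, the baseline thresholds, the app identifier and the inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed baseline: the 3-minute idle lock mirrors the article's example;
# the wipe threshold and app identifier are constructed for illustration.
MAX_IDLE_LOCK_MIN = 3
MAX_FAILED_ATTEMPTS = 10
BLACKLISTED_APPS = {"com.example.fake-battery-manager"}

@dataclass
class Device:  # hypothetical posture record, as an MDM agent might report it
    name: str
    passcode_set: bool
    idle_lock_min: Optional[int]      # None = screen never locks
    wipe_after_failed: Optional[int]  # None = erase-on-failure disabled
    encrypted: bool
    jailbroken: bool
    apps: set = field(default_factory=set)

def violations(d: Device) -> list:
    """Return every baseline rule the device fails, not just the first."""
    found = []
    if d.jailbroken:
        found.append("jailbroken")
    if d.apps & BLACKLISTED_APPS:
        found.append("blacklisted app installed")
    if not d.passcode_set:
        found.append("no passcode")
    if d.idle_lock_min is None or d.idle_lock_min > MAX_IDLE_LOCK_MIN:
        found.append("idle lock missing or too long")
    if d.wipe_after_failed is None or d.wipe_after_failed > MAX_FAILED_ATTEMPTS:
        found.append("no wipe after failed attempts")
    if not d.encrypted:
        found.append("storage not encrypted")
    return found

def decide(d: Device) -> str:
    """block: integrity is compromised; remediate: settings can be fixed."""
    v = violations(d)
    if "jailbroken" in v or "blacklisted app installed" in v:
        return "block"
    return "remediate" if v else "allow"

# Constructed inventory for the example.
INVENTORY = [
    Device("exec-ipad", False, None, None, True, False),
    Device("sales-phone", True, 2, 10, True, False),
    Device("dev-phone", True, 3, 10, True, True, {"com.example.fake-battery-manager"}),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(f"{dev.name}: {decide(dev)} {violations(dev)}")
```

Separating "block" from "remediate" keeps a user with a fixable setting (no passcode, long idle timer) on a path back to compliance, while a jailbroken device stays off the network until it is restored.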

As the popularity of the iPad continues to increase, more and more companies will be faced with the struggle to secure the data users access via iPads. Executives and employees need to think beyond the productivity and coolness appeal of the iPad and look at the security concerns of the device. The tips here can help. Consider educating your employees on iPad security best practices.