Here is a guest post from Pierluigi Paganini. He is a security researcher for InfoSec Institute. InfoSec Institute is an information security training company now offering a mobile computer forensics course.
The IT landscape is dominated by the rise of paradigms such as cloud computing, mobile networking, and social networking, three concepts that have totally revolutionized the daily user’s experience on the web.
Users, in a more or less conscious way, have now become slaves of the concepts of mobility and connectivity, technological change has been rapid and has involved masses of people as never before. There are a billion people, acting as nodes in a global network and exchanging an unimaginable quantity of data, while ignoring the basic concepts of information security.
- Which means are used for the data transfer?
- Are the communications channels secure?
- Where is the user’s information hosted?
- What is the impact on user’s private and what is the impact of technological innovation for business?
All of these questions need careful reflection to avoid serious consequences for our data, for our digital identities, for our business.
Every day we read the world “BYOD” in many articles, but how much we know about it?
BYOD is an acronym for “bring your own device” and it refers to the fact that employees, business partners, and other users bring their own mobile computing devices, such as laptops, tablets, and smartphones, to the workplace for use and connectivity on the corporate network and for access to business data. The repercussions, from the security perspective, are extremely serious, because the absence of proper policies regulating the use of these devices exposes user and company to risk of data leak and cyber attacks.
These policies have to address the ways in which employees could use the devices once out of workplace, the mechanisms of access protection to be adopted, data encryption, data accessible by the mobile platform, and limiting the execution of applications that can be run outside the company (e.g., email client or data mining applications).
Suggestions for a secure BYOD policy
The proper management of mobile devices and their use by employees when outside is a critical aspect for the security of enterprises. Companies today may choose to be compliant to different standards and regulation; the majority of them, such as ISO 27001, already cover many aspects that could improve a BYOD policy.
Because the presence of mobile devices inside companies and government agencies has increased at an impressive rate, ordinary business relationships with other enterprises, such as clients and providers, require the definition and the adoption of a proper BYOD policy. Sophos proposed a document titled “BYOD Risks and Rewards” that reports that one in four devices used today for work are either smartphones or tablets.
Figure 1 – Sophos BYOD Survey
The SANS (SysAdmin, Audit, Networking, and Security) Institute in March 2012 published the whitepaper “SANS Mobility/BYOD – Security Survey.” The survey found that “only 9 percent of respondents felt completely aware of all mobile devices accessing their enterprise infrastructure and applications. At the same time, nearly 40 % felt they were fully aware of their devices, while nearly half did not have the level of awareness that they should.”
Figure 2 – SANS Institute -State of Mobile Devices Awareness