BYOD employee freedoms compromise security, expert warns

Companies may be embracing bring-your-own-device (BYOD) strategies at a rate of knots, but without a more holistic approach to security even managed device protections can be easily or unintentionally circumvented by employees, one security expert has warned.

“If you take out your credit card and pay for a SaaS service, you can get around security,” Ian Yip, identity, security and governance business manager with security firm NetIQ, told attendees at a recent NetIQ security seminar.

“Employees may buy it from Amazon or get it for free from Google Apps, then collaborate with colleagues using their own personal identities. But Corporate doesn’t know about it, and they’re exposing corporate information into the cloud without IT knowing about it.”

Services such as bring-your-own-cloud (BYOC) reflect the difficulties inherent in locking down corporate data using conventional means, Yip said, offering as another example the ability of modern mobile operating systems to post data directly to Facebook and Twitter, circumventing conventional Web-based access controls.

“As you move down the stack to the application and then down to the operating system layer, it’s harder to do security and harder to secure,” Yip said.

“There are more holes – and more and more technically savvy people joining the workforce. They may not be part of the IT department, but they can easily spin up an Amazon Linux server and decide to build everything on top of it without the IT people necessarily being aware.”

Indeed, while most organisations recognise the need to manage employees’ mobile devices to ensure their security, Yip says many companies making BYOD investments find their efforts stymied by users’ discomfort with the idea that their activities may be controlled or monitored.

One large and well-intentioned company, Yip said, bought 15,000 licenses of mobile device management (MDM) software to cover all of its employees’ smartphones, but only 400 were ever taken up: the remaining employees declined to install the opt-in software. This left the company significantly out of pocket and without the security framework it needed to make BYOD work. This sort of experience, Yip said, highlights the need for companies to look past their preconceptions about BYOD, in particular the idea that it will save money. Many employees will not only introduce problems through their mobiles, but will make those problems worse when they try to fix them themselves.

“It’s not a cost saving,” he said. “You’re actually just shifting the cost to having to deal with this new thing you have no control over. Don’t be mistaken into thinking this is a benefit.”

To ensure that BYOD, cloud and other user-empowering trends don’t compromise security, companies need to look past the devices and ensure that the data itself is appropriately protected.

This includes the enforcement of access control policies, encryption of data in situ and in the cloud, monitoring of data access, and implementation of identity and access management (IAM) frameworks that provide federation of identities across applications both online and off.

By focusing on protection of the data rather than fostering the sense of personal empowerment that BYOD can bring, companies can both reward employees for being forthcoming about their activities, and encourage positive behaviour that comes with the privilege of BYOD.

“The lines between personal and business are blurring,” Yip said. “Know what you are protecting, monitor and know what’s going on. Policy will make it easy to understand, and make it easier for people to do the right thing. Without it, you’re flying blind.”
