Risk UK October 2017
Mobile Technology: Risk Management for BYOD and The Cloud
Warrington continued: “It’s that balance of making sure you have the security right. If you don’t put some kind of policy in place then people will work around the situation in any event. They’ll find a way. Your workforce is like water in that it will always gravitate towards the path of least resistance. If you turn around and give people in your working environment the kind of workloads where they’re having to operate from home at weekends or while on the move then you must accept the fact that, unless you put proper rules in place, they’re going to do whatever works best for them.”
Core to the introduction of a BYOD policy will be to give users access to the processes they need to do their jobs. This involves more than just securing endpoints in the right way. Steve Armstrong, a SANS Institute instructor, advises against relying purely on endpoint solutions, and instead to “think about controlling your data before it’s sent to the endpoint.”
You need to think about what data you’re replicating. Is it reliable? Is it secure? Does this person actually need access to that data? “It’s good to have endpoint security,” stated Armstrong, “but don’t think you’ve just outsourced the problem.”
EMM comes into play
That access needs to be managed and enforced with what’s known as Enterprise Mobility Management (EMM). EMM helps to prevent unauthorised access and establish acceptable behaviour for mobile IT, partition accountability and address the problems of lost and stolen devices as well as what to do when an employee and an employer finally part ways.
The simplest EMM solution for the widest range of devices will be the one that works best. To be sure, any solution that’s too complex or restrictive is doomed to failure. Back in 2014, another study by Gartner predicted that 20% of all BYOD policies would fail due to overcomplexity.
Access management must be disciplined. People (including guests) and devices that don’t require access to areas of your business should not have access. It’s as simple as that. The proliferation of admin rights for regular users across global organisations is a regular cause of security breaches. Some EMM solutions make good use of container security which effectively separates the data of employees and enterprises, even when working on devices that are brought in from home.
Network access control solutions and strong SSL VPNs will be critical to the adoption of BYOD, affording users access to what they need while protecting the business from security risks. Bear in mind that technological solutions are necessary, but not sufficient, for an effective BYOD policy.
“Survey results published by Strategy Analytics have shown increasing fears around BYOD, with 10% of those professionals quizzed suggesting they expect the use of BYOD-enabled tablets to decrease due to the EU’s GDPR”
Humans may be your weakest point, but they’re also your most critical aspect. They’ll need to be educated about security cleanliness, what they can and cannot do on a company network and how they might work not only efficiently, but also safely.
Employee perspectives
When looking at the issue from the point of view of the business itself, it’s easy to forget about the perspective of the employee. The benefits of a BYOD policy cannot be taken as a ‘given’ when it comes to employees. They need to be assured that their privacy will be respected, just as employers would expect their security policies to be observed.
Moreover, finding out what employees want and, just as importantly, what they actually need from such a policy will only serve to create a more agile and workable document which is easier to stomach.
Much of this comes down to education, itself a fundamental aspect of implementing BYOD. Education is absolutely critical to the future safe working of BYOD within your organisation.
In essence, BYOD has to orbit around the very subject of a BYOD policy: the user. Here, simplicity is king. Complex policies will mean inefficient working, blocks to productivity and hard-to-follow instructions. They’ll merely increase the likelihood of the user finding some way of circumventing a cumbersome security policy and possibly opening up your organisation to compromise.
What about the future?
Looking ahead, new developments are being made in BYOD that will allow the introduction of Artificial Intelligence in workplaces, thus removing much of the scope for human error that BYOD sometimes risks. Bring Your Own Bot (or BYOB) has been touted as the future iteration of BYOD, with the arrival of intelligent personal assistants like Amazon Alexa.
BYOD provides a new challenge to security professionals and one that’s not entirely avoidable. However, a forward-thinking BYOD policy will plug security holes far more effectively than if you choose to ignore them.
Adam Jaques: Technologist at Pulse Secure
www.risk-uk.com