By Sanjay Castelino, VP and market leader, SolarWinds
While a BYOD (Bring Your Own Device) policy may make your employees happier and possibly more proactive, engaged, and productive, it also introduces significant new risks to your network security.
According to Gartner, enterprises are aware of only 80 percent of the devices on their network. Those 20 percent of unknown devices are inside the perimeter of the network, are unmanaged, and provide users with access. They are small, varied and highly mobile, and they are loaded with their own applications, can act as WAPs, and often contain outdated firmware or are jailbroken. This can result in a significant increase in network compromises.
Yet despite this, many organisations are still leaving the security of mobile devices that are accessing the company network solely in the hands of the users.
This was one of the key findings from a survey of 150 IT decision makers across a range of industries within the Singapore SME sector, which we recently conducted to gauge the impact of BYOD on SME staff in Singapore.
Only half of the IT professionals surveyed said that they and/or their organisation had developed an IT security plan for the business, with 47 per cent admitting that they placed the security and safety of mobile devices solely in the hands of their staff. Only a handful of respondents (16 per cent) reported that they provide staff with some assistance in securing their device, such as installing anti-virus or anti-spam programs.
This apparent laissez-faire approach to network security is at odds with the respondents’ recognition of the potential problems posed by BYOD: over 70 per cent of respondents agreed that mobile devices pose the biggest risk to network security, and almost the same proportion (67 per cent) admitted to heightened concerns because their employees used their own devices rather than company-supplied devices for work.
While it is imperative to educate employees on the risks, threats and vulnerabilities faced with BYOD, organisations must also take an active role in mitigating the level of risk posed by their employees’ mobile devices to the corporate network. This must go beyond merely providing advice and instructions, as users don’t tend to think about security on their mobile devices, and therefore most security measures are adhered to half-heartedly (if at all) without corporate intervention.
Organisations must ensure that the network is secure and can only be accessed by authorised users and devices. Authentication mechanisms need to be in place that can grant access to network resources such as secure data, servers, and databases based on user roles and permissions or device classes. Network Access Control (NAC) should be used to provide secure networking services to personal devices.
Employees must be instructed to be extra cautious when using personal devices within the corporate network, be given guidance on how to safeguard passwords and other credentials, and be educated on the potential security risks – for example, how these devices can become a gateway to launch malicious attacks on the organisation’s secure data and IT assets.
Your security in their hands? Really?
People can be careless. The number of forgotten phones and computers at airport security checkpoints is testament to this. People can also be nosey; they will look over your shoulder to see what you are working on.
On top of that, stolen login credentials usually account for the vast majority of breaches, and smaller organisations are especially affected by default or easily guessable passwords.
Apart from encouraging employees to create more robust passwords, what can SMEs do to bolster their network defences?
The first step any IT manager should take is to understand what applications and information staff actually need to access from their mobile devices, rather than opening up the entire corporate network. Some companies choose to operate a separate network specifically for mobile devices, with controls and restrictions applied to what can be accessed from the organisation’s primary network.
To protect their organisations from attacks, IT professionals should also follow these four simple controls:
Monitor event logs – If you can’t prevent a breach, you can at least detect it. The vast majority of breaches can be avoided if IT administrators take the time to do this.
Document and verify remote access – Go through your firewall, router, and/or VPN access control lists and rules and make sure they are as tight as possible. If you haven’t already implemented egress filtering, do so – if you can’t catch it coming in, maybe you can catch it going out and prevent situations you know shouldn’t exist.
Use tools to validate and monitor – Include automated tools that can greatly simplify security monitoring, such as network configuration management tools to centrally manage your firewall, router, and other device configurations and other policies; password databases that can provide new random passwords, limit access to passwords by user or group, or have a “check out” system where audit trails can also be formed; and asset inventory, so you know what you have and where it resides.
Evaluate the need for a formal Mobile Device Management (MDM) solution – MDM solutions provide a common management platform for the multitude of device types accessing your network. They enhance device security and can help monitor and enforce the security policies that you have defined. Make sure that the MDM solution that you evaluate supports multiple platforms including Microsoft, iOS and Android at an absolute minimum.
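To make the log-monitoring and asset-inventory controls concrete, the following added example (not from the original article or from SolarWinds) reconciles DHCP lease events against an inventory to surface the unknown devices described earlier. The log layout, the inventory contents and all names in the code are assumptions constructed for illustration.

```python
import re

# Constructed asset inventory (MAC -> asset tag); a real one would come from
# the asset-inventory tool the article recommends keeping.
INVENTORY = {
    "00:1a:2b:3c:4d:01": "LAPTOP-0012",
    "00:1a:2b:3c:4d:02": "PRINTER-03",
}

# Constructed DHCP lease events in an assumed "<time> DHCPACK <ip> <mac> <host>"
# layout; adapt LEASE_RE to whatever your DHCP server really logs.
SAMPLE_LOG = """\
2024-05-01T08:59:10 DHCPACK 10.0.20.11 00:1A:2B:3C:4D:01 fin-laptop
2024-05-01T09:02:44 DHCPACK 10.0.20.37 a4:5e:60:10:20:30 android-7f3c
2024-05-01T09:03:02 DHCPNAK 10.0.20.99 de:ad:be:ef:00:01 -
2024-05-01T09:15:27 DHCPACK 10.0.20.52 da:a1:19:0c:55:e2 iPhone
2024-05-01T11:40:05 DHCPACK 10.0.20.37 a4:5e:60:10:20:30 android-7f3c
malformed line that should be skipped
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) (?P<host>\S+)$")

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks randomized (private) phone MACs,
    # which can never match an inventory keyed on burned-in addresses.
    return bool(int(mac[:2], 16) & 0x02)

def find_unknown_devices(log_text, inventory):
    """Return one record per leased MAC that is absent from the inventory."""
    known = {m.lower() for m in inventory}
    unknown = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # ignore non-lease events and malformed lines
        mac = m["mac"].lower()
        if mac in known:
            continue
        rec = unknown.setdefault(mac, {
            "mac": mac, "first_seen": m["ts"], "leases": 0,
            "randomized": is_locally_administered(mac)})
        rec.update(last_seen=m["ts"], ip=m["ip"], host=m["host"])
        rec["leases"] += 1
    return sorted(unknown.values(), key=lambda r: r["first_seen"])

if __name__ == "__main__":
    print(*find_unknown_devices(SAMPLE_LOG, INVENTORY), sep="\n")
```

Devices flagged as `randomized` cannot be tracked by MAC address at all, which is why access for personal devices is better tied to user or device authentication through NAC than to an address list.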
Risk versus reward.
It is important to consider the business need, rather than satisfying a wish list from employees, when it comes to formulating your BYOD policy. If, for example, there is nothing to gain in terms of productivity by providing access to part of the corporate network, but employees are requesting it just because it would make things a little more convenient for them, one should err on the side of caution and prevent remote access to this area (particularly if allowing access would markedly increase the risk of a security breach).
Essentially, the most important element of a robust security strategy around BYOD is that it is defined by rigorous analysis of the corporate network and data activity, as well as working in partnership with employees.
Sanjay Castelino is the Vice President of Product Marketing at SolarWinds. Sanjay leads the company’s initiatives around its end-to-end IT solutions for network, SIEM, storage and virtualization management and is responsible for product strategy and go-to-market efforts in these markets.