Anurag Kahol, CTO of cloud security company Bitglass, describes how to embrace BYOD without compromising the security of confidential information.
As the remote workforce continues to expand across all industries due to recent global events, the complexity of data security also has increased. To add to the challenge, BYOD (Bring Your Own Device) requires organizations to have visibility and control over personal devices being used by contractors, partners, customers, and suppliers.
What are the key issues at play in balancing flexibility with security? Recent research has revealed how companies have enabled the use of personal devices, their concerns around security, and the actions they have taken to protect data. Among the main headlines is that BYOD raises a range of security issues for organisations looking to balance the flexibility they offer with the risks they bring.
At the top of the list (cited by 63% of organisations) are concerns about data leakage and the possibility that users might download unsafe apps or content. This is closely followed by the worry that devices will be lost or stolen (55%), the possibility that BYOD will lead to unauthorised access to data and systems (53%), and the dangers posed by malware infections (52%).
Understanding the risks is the basis for developing a successful BYOD cyber-security strategy. By definition, organisations lack access and control over personal devices compared to their own IT estate.
For most organisations, physical access is required to secure mobile devices, but this is highly challenging when the devices are the personal property of an employee. Not everyone wants to hand over the PIN to their smartphone, for example, even when it’s to enable employers to increase security.
As a result, 51% of organisations lack visibility into file sharing apps, and a quarter still don’t have insight into email applications on personal devices. When asked what security capabilities they have in place for mobile enterprise messaging, 30% have no visibility or control over mobile enterprise messaging tools at all.
So, how is protection currently being provided for serious issues such as malware? Due to the challenges of securing BYOD via endpoint software installations, the ideal solution is to leverage agentless or cloud-based tools that can keep threats from infiltrating companies via personal devices. However, 72% of organisations either lack BYOD malware protection entirely or rely upon endpoint installations. Only 9% have cloud-based anti-malware solutions in place.
If that wasn’t concerning enough, the research asked organisations whether any of their BYO devices had downloaded malware in the last 12 months. The results were worrying: only 28% of organisations were certain that their users hadn’t downloaded malware over the last year, 42% weren’t sure and a quarter confirmed that malware had been downloaded via a personal device.
These are alarming results that must be given consideration. Organisations need a much more proactive and nuanced approach to deal with the security variables that come with BYOD proliferation.
BYOD: Build Your Organisational Defence
The increases in mobility, productivity, and flexibility within an organisation that stem from allowing BYOD are some of the reasons that it has been so widely adopted in today’s cloud-native world. However, malicious individuals and groups are keen to take advantage of common security deficiencies, such as corporate data being accessible from unmanaged third party devices.
We are faced with a conundrum. How do organisations embrace BYOD to increase productivity without compromising the security of sensitive information? With breaches on the rise and cybercriminals finding new ways to steal information, organisations must equip themselves with proper tools to protect their data from the downsides of the BYOD revolution.
The response should be to focus on comprehensive security solutions capable of addressing these vulnerabilities. There are four key starting points:
- DLP: To prevent data leakage, organisations can enable data loss prevention (DLP) capabilities for data at rest, as well as data in transit - even when it is being accessed by personal endpoints.
- Targeted remote wiping: Protecting corporate data on lost and stolen personal devices requires the ability to wipe them selectively, targeting and removing company information from user devices without agents and without affecting personal data. Full wipe can remove all content from a BYO device, but employees are often concerned about their privacy when full wipe is enabled.
- Contextual access control: To ensure data is being accessed securely exclusively by authorized users, IT personnel can utilise contextual access control, which governs access by factors like user group, location, and device type.
- Advanced Threat Protection: For stopping malware infections, organisations should turn to agentless Advanced Threat Protection (ATP) tools that leverage machine learning to identify and block zero-day threats at upload, at download, and at rest.
Although BYOD offers many benefits to organisations (such as flexibility and accessibility), the inherent risks associated with cloud-based systems must not be ignored. As remote access continues to sweep across the globe, enterprises must shift towards sound solutions that enable remote access in a secured fashion-in order to circumvent data leaks.
Anurag Kahol is CTO of cloud security provider Bitglass where he expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks’ Security Business Unit before co-founding Bitglass.
Anurag received a global education, earning an M.S. in computer science from Colorado State University, and a B.S. in computer science from the Motilal Nehru National Institute Of Technology.