Look Backward to Be Future-Ready for BYOD

Monday, May 11, 2015

Rebecca Herold


What does the past teach us about how to #befutureready in BYOD?

During the last half of the 1990s there was growing concern about employees using their own home desktop computers to dial in to the corporate network. Thousands of articles and hundreds of conference sessions discussed the associated risks and how to mitigate them through documented policies and new tools. Soon after 2000 the concern expanded to employees using personally owned laptops, not only outside the office but inside the facilities, in place of corporate-issued computers. Thousands more articles and hundreds more conference sessions discussed how to address those risks.

Just a few short years later smartphones came into wide use, bringing thousands more articles and hundreds more sessions. Soon employees were using not just one device but several of their own: smartphones, tablets, laptops, wearables such as Google Glass, fitness trackers, and now smart watches, for personal as well as work activities.

The range of new technologies that employees use in work environments and for business activities will keep growing rapidly, and their personal data is increasingly mixed with business data on those devices. How can organizations get future ready for these increasingly high-tech employees? How can they keep business data separate from personal data? Can they even do this anymore?

Hillary Clinton got a lot of scrutiny recently for mixing her personal and business emails on her personally owned device. Why? “I opted for convenience.” This is not a new situation; I’ve seen employees using their personal email for business (and seen the many problems that causes) since the Internet came into wide public use in the late 1990s. It is still a problem that sticks in every information security manager’s craw.

Politics aside, the Clinton email situation is a fairly uncomplicated information security and privacy problem for businesses to deal with, compared with the quickly increasing and complex ways in which employees are now connected to…

  • the Internet,
  • other individuals directly,
  • unlimited numbers of unknown parties slurping data through their mobile apps, and
  • growing numbers of other smart things that automatically take the data generated and pass it along to unlimited others.

This is complicated by the fact that these workers increasingly do their work remotely, away from the company networks and outside the facilities and purview of their managers, which greatly increases the risk to all the business information they access. Flex work is on the rise. More and more business-critical information sits on employee computing devices away from the office, away from their homes, and in many locations and situations that raise the inherent risks. I could write a book on this topic. But for now, consider just a couple of the challenges businesses are struggling with for their always-connected employees:

  • How to ensure that business-related documents and messaging held on employee-owned devices and mail services can be accessed by the business when necessary.
  • How to keep employees from taking intellectual property, such as client/customer lists and communications and business secrets, with them when they leave the organization.

Get future ready for high tech employees

All the new gadgets and tech that employees now simply use, with no questions asked and no parameters set, many of them increasingly part of the Internet of Things, increase the security risks and every business’s cybersecurity attack surface.

So where to start? Do this.

A. Determine your risks.

Do a risk assessment that includes, among other actions, answering the following questions:

  1. What types of devices (computing, storage and smart) are employees using? How many are owned by the business, and how many by the employee or others?
  2. Which ones are used while doing work activities?
  3. Which ones collect data in some manner?
  4. Which ones store business information?
  5. What mobile apps are used on the devices? What data are they collecting, and to whom are they sending/sharing data?
  6. Where are the devices being used?
  7. What security controls are used in all those locations?
  8. Who has access to all the data?
  9. How can data be removed from those devices?
  10. What kind of training and awareness communications do employees receive for using all types of devices?
  11. What types of confidentiality contracts do employees sign when starting work?
  12. What are employees required to do when leaving employment with the business?

B. Establish documented policies and procedures.

Now establish documented policies that mitigate the identified risks to acceptable levels, providing the rules for every type of technology your employees use that could affect your business. Then document procedures to support those policies. Remember, if your policies and procedures are not actually documented (“Aw, but we tell each other what to do; it’s an unwritten policy!”), they don’t exist, at least not to the clients, regulators and auditors who will review your information security and privacy programs. Policies and procedures for employees using their own devices in a wide range of locations should include:

  1. Requirements for employees to sign non-disclosure and confidentiality agreements upon start of employment.
  2. Requirements to retrieve business data from, and remove it from, computing devices when employees leave the company.
  3. Clearly worded requirements for the types of technologies that can and/or cannot be used when doing business activities.
  4. Clearly worded requirements for where business information, including information about customers, employees, patients, and other types of personal information used within the business environment, can and cannot be posted, shared, stored, etc.
  5. Employee exit procedures that review the departing employee’s legal obligations, so that the soon-to-be ex-employee understands what they cannot do with the business information they had access to, and the legal ramifications of taking business information and using it elsewhere.
  6. Requirements for employees who use their own devices, in any location, to complete training on the security and privacy requirements.

C. Identify tools to support the policies and procedures.

There are a wide range of tools to consider such as:

  1. Encryption for data at rest, data in transit, and data being collected.
  2. Data logging tools to track business, customer, employee, patient and other data related to the organization.
  3. Remote data wipe tools to remove data from ex-employee, stolen, and lost devices.
  4. Firewalls and anti-malware tools required on all types of devices.
  5. Periodic privacy impact assessments (PIAs), risk assessments, and audits (a practice rather than a tool, but needed to verify that the tools above are actually doing their job).

D. Provide training for the requirements.

Your employees will not know what to do unless you provide them with effective training. Providing effective training is key; don’t just point employees to a document and call that training, because it is not. There are many ways to provide effective training.

E. Send occasional awareness reminders.

The longer it has been since training, the less employees think about how to secure information and protect privacy. You must provide ongoing, occasional communications to remind employees of the need to work in a way that protects data and privacy. There are many ways to provide ongoing information security and privacy awareness communications.

F. Monitor compliance.

If you establish rules for how to use personal devices and how to manage business data alongside personal data, you need to make sure those rules are effective. You can’t just put the rules out there and assume everyone is following them. Some will certainly choose not to, but there will also be others who didn’t understand or notice the rules, those who will forget them, and those who will make mistakes that create incidents and even breaches involving business information. You must monitor the effectiveness of your policies and procedures for how employees work with their own devices, in every location.

The bottom line for being future ready for high tech employees…

Businesses must keep up with the times to know the current and emerging risks that come with current and emerging public trends in using a wide range of technologies. But it’s not as if we lack a roadmap; it is well established, given the issues we’ve been addressing for years. What’s before us is to make sure the rules for using such technologies are documented, and then ensure those rules are followed.

This was cross-posted from the Privacy Professor blog.

Budgets Enterprise Security Policy Security Awareness Security Training General PDAs/Smart Phones
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.