Happy Columbus Day!

 

We all want ready access to email and other critical apps from every device, on any network, all the time.


We want to use company equipment and home equipment interchangeably because we work from different locations throughout the day. As if all this wasn’t hard enough for your IT security team, just watch them start to lose their minds when you throw in some social media platforms. Their mantra is: you can’t have all of this and still be secure. But is that really the case?  In fact, with a few restrictions, a little software, and some common sense, most positions in many organizations should be able to achieve this level of flexibility and still remain relatively secure.

 

Let’s start with devices. Who doesn’t use a mobile platform, phone, or iPad® to conduct at least some business during the day? Many of us use these devices to check email, run IT alert apps, or business tools, like expense management or HR apps. In fact, according to Tech Pro Research, 74% of businesses are planning to use, or are already using, Bring Your Own Device (BYOD).[1]

 

Most businesses use mobile devices, especially if you count business-purchased mobile phones. Fortunately, Enterprise Mobile Management (EMM) makes it easy to secure corporate data and applications. Features in EMM include the ability to encrypt corporate data, manage applications that reside on the phone, force VPN connections, force a pin, and separate personal data from corporate data. Additionally, mobile devices are commonly used as a secondary factor for authentication and authorization.[2] It is much more convenient to use your mobile device as a soft token than carry around a key fob-based token. However, in some environments, personal devices are not considered secure enough and key fobs are required.

 

 

 

Mobile device risks

 

Mobile device risk comes from two primary threat vectors. The biggest risk is loss. If a device does not have a pin or strong password, all of its data can be accessed. Even if your phone is authenticated, some good forensics packages can still extract data from it. If critical data is stored on the device, add-on encryption is essential. The second risk is malware. Malware enters a phone from two primary vectors: mobile advertising and compromised open source libraries. Because advertising on mobile devices is less controlled, malicious actors can insert malware through this application programming interface (API). Open source libraries have also been known to be compromised, as we saw with Xcode just this month.[3] EMM can help with both these risks by limiting apps in the enterprise container, and enforcing pin number and password rules.

 

Using a home personal computer for work is less common than using mobile devices, primarily because fewer people work on personal computers these days. Some companies are moving toward using tablets for work, and others use virtual desktops, which allow employees to use their own computers. Even companies that require employees to use laptops or desktops purchased and issued by their IT departments rely on Cloud-based applications to get work done. With Cloud-based apps, it is difficult to preclude access to personal devices.

 

The issues that accompany PC use are slightly more complicated than issues associated with mobile devices. The most successful remote desktop implementations are those that really only use the PC for its keyboard, video, audio, and mouse functions. If you want to allow local data storage, you need a policy around encryption (for sensitive corporate data) and a way to ensure that the home computer is as secure as a corporate device.

 

We are now adding social media to the equation. The issues to consider with social media include company reputation, policy restrictions, malware, and ownership. Organizations want to protect their reputation, so they write social media policies that provide guidelines on use, posting, and reporting. However, you may not know that the National Labor Relations Board has some strict guidelines on what an organization can and cannot have in its policy. There are First Amendment issues with the right to associate and discuss work issues that can conflict with certain social media policies. Check out NLRB guidelines to learn more.

 

Next, make sure your policy includes clear guidelines on who owns the account. If employees are allowed to post from their personal accounts, provide a disclaimer they can use to clearly show they are stating their own opinion. Require all work-related communications to be issued from organization-owned and -managed accounts.

 

Finally, there is malware to consider. Malware that arises on social media is the same type of malware you might see on many websites. The difference is that malware spreads quickly if it gets onto a popular topic or image on social media. This is why it is so important to ensure that nothing containing malware gets posted. Actively scan posts to make sure they don’t have images or attachments, and ensure that your browsers are up to date with the latest patches. Lastly, avoid risky programs, such as flash, if at all possible.

 

In the words of Mr. Universe, “You can’t stop the signal.[4]


BYOD and social media are here for the duration. If we evaluate our risks, and plan our controls, we can connect with confidence and assurance.



[1] http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/

[2] http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

[3] https://www.washingtonpost.com/news/the-switch/wp/2015/09/21/apples-app-store-was-infected-with-malware-from-china/

 

[4] http://firefly.wikia.com/wiki/Mr._Universe