Does your BYOD policy ensure data security?
Addressing the consumerization of IT in the workplace is not an easy task. The nuances of usage and the complexity of tracking things like features and settings, bugs and vulnerabilities between devices and operating systems makes it a challenge to anyone managing a BYOD policy. We note some key risks your policy should not be ignorant of.
Vulnerability in OS X
In adding to the controversy of Apple blocking custom development for Mac operating systems with its Gatekeeper utility, a vulnerability was discovered in OS X that would allow unsigned developers to bypass app restrictions. MacBooks run on OS X and since laptops are becoming more popular with the global BYOD trend, Apple responded quickly with a patch. But, Patrick Wardle, the head of research at Synack and the original vulnerability discoverer, says that the operating system still contains other vulnerabilities that could pose a risk to data security.
As reported by The Register.co.uk this month, Andrew Avanessian, VP at security tools firm Avecto says, "... many of the security mechanisms built into OS X are not suitable for enterprise-level security. With Gatekeeper being simply bypassed, it is time for organisations to consider layering extra defences on top – such as privilege management and application control – in order to mitigate attacks and prevent unwanted content from executing."
Vulnerability in Android
Apple fanboys will be glad to know that Android is no treat either. Most notably is the Stagefright bug which affects Android versions 2.2 (Froyo) to 5.1 (Lollipop). (See more version names here.) Stagefright basically results in code being executed when the preview of a video received in an MMS is generated. Said code could easily be made malicious by an attacker and will be executed by the device even without the user actually watching the targeted video.
A quick trip to AndroidVulnerabilities.org shows a steady increase in the number of "insecure" Androids of the past few years. Some of this is owed to the fact that manufacturers aren't releasing Android updates for their devices fast enough even though new versions are being released by Google. Since Android is projected to be the mobile operating system of choice, over Apple's iOS and Microsoft's Windows, for the next four years, it should be ringing the data security alarm bells for BYOD policy makers.
Devices on the Internet
Ipsos reported that 65% of smartphone users in the US intend on using their devices to do some shopping this holiday season. It's worth considering how this trend could impact your data security and whether your BYOD policy accommodates this. At the very least, it could be worth restricting online shopping sites to a trusted list.
BYOD policy tips
From laptops to tablets, operating system providers like Google, Apple and Microsoft are fighting for their reputations when it comes to eliminating bugs in their software and patching vulnerabilities. If your company has decided to adopt BYOD, they'll be bringing the fight to your doorstep. Your first line of defence is to clearly define and communicate a BYOD policy. To help you on your way, we've borrowed this brief outline from the guys at CIO.com of key aspects for your BYOD policy:
- Specify what devices are permitted
- Establish a stringent security policy for all devices
- Define a clear service policy for devices under BYOD criteria
- Make it clear who owns what apps and data
- Decide what apps will be allowed or banned
- Integrate your BYOD plan with your acceptable use policy
- Set up an exit strategy for employees leaving or no longer using a device