One day a platform is perceived secure, the next day a major flaw is found rendering the device or group of devices wide open to attack
The issue of BYOD is one of increasing concern due to the number of employees wanting to bring their own devices to the workplace. This trend is adding to the risk of data loss and compromise within the smart city environment.
It is a highly complex problem with the most basic challenge being that not all personal devices can be protected using enterprise level security packages.
How do you separate personal and company information, for example, when devices are attached to the network and synchronised? In our highly interconnected smart buildings, old, uncontrolled or vulnerable BYOD units can be used to gain access to the backbone network and launch a malware attack.
One solution is to install appropriate software on the personal device so that, when it is linked back on to the corporate network, the device is scanned for any inappropriate applications or settings that may have been applied while it was away from the network, with reconnection allowed only once such material has been removed.
If employees are to use their own devices, organisations must ensure that Terms of Employment clearly state that any company information stored on personal devices must be removed from the device when the employee's contract is terminated, and must ensure that this is carried out.
It is also advisable to ensure that ‘at will’ access to the personal device is agreed, in order to conduct audits on content to make sure that there is no inappropriate information, or images, being stored that could be transferred onto the company's own networks. If such material were to transfer, then the company could find itself liable.
The security of a platform is a moment-by-moment evaluation. One day a platform is perceived secure, the next day a major flaw is found rendering the device or group of devices wide open to attack. Precautions need to be taken to ensure the device’s security is evaluated on an ongoing basis, rather than a perceived ‘this platform is better than that platform’ decision.
It is essential that device Operating System (OS) versions are kept as up to date as possible, which is easier on some platforms than others, for example, the Android environment or the mobile smartphone. Manufacturers using these OS platforms typically cease shipping updates for a device 12-18 months after the device has entered the market, as it is not in their financial interests to deploy the latest features on older phones. This leaves these Android platforms fragmented and out-of-date, rendering such devices open to compromise.
Specific policies and controls need to be put in place to manage these issues and definitely deny access to out-of-date devices.
A further issue in managing any BYOD option is that of compliance with regulations and, in particular, the new General Data Protection Regulation (GDPR), where personal data held must be protected and disclosed, or destroyed if requested. If such data is scattered around, not only in company machines but now BYOD units, the rules will be very hard to comply with and thus companies will face large fines for non-compliance.
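The reconnection scan and the denial of out-of-date devices described above can be expressed as one admission check. This is an added example, not code from the article or from Digital Pathways; the report schema, the 90-day patch limit, the application identifiers and the setting names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values; the article does not specify any of them.
MAX_PATCH_AGE_DAYS = 90
BLOCKED_APPS = {"com.example.sideloaded-store", "com.example.remote-admin"}  # hypothetical
REQUIRED_SETTINGS = {"screen_lock": True, "storage_encrypted": True,
                     "unknown_sources": False}

@dataclass
class DeviceReport:
    """Posture report an on-device agent might send at reconnection (constructed schema)."""
    device_id: str
    os_patch_date: date
    installed_apps: set
    settings: dict

def evaluate(report, today):
    """Return (decision, findings); any finding keeps the device off the network."""
    findings = []
    age = (today - report.os_patch_date).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"os patch level is {age} days old (limit {MAX_PATCH_AGE_DAYS})")
    for app in sorted(report.installed_apps & BLOCKED_APPS):
        findings.append(f"blocked application installed: {app}")
    for key, wanted in REQUIRED_SETTINGS.items():
        # A missing or non-boolean value counts as non-compliant: fail closed.
        if report.settings.get(key) is not wanted:
            findings.append(f"setting {key} must be {wanted}")
    return ("quarantine" if findings else "admit"), findings

# Constructed sample reports, not real device data.
TODAY = date(2024, 6, 1)
GOOD_SETTINGS = {"screen_lock": True, "storage_encrypted": True, "unknown_sources": False}
CURRENT = DeviceReport("phone-a", date(2024, 5, 10), {"com.example.mail"}, GOOD_SETTINGS)
STALE = DeviceReport("phone-b", date(2023, 1, 15),
                     {"com.example.mail", "com.example.remote-admin"},
                     {"screen_lock": True, "unknown_sources": True})
# The same device after the owner has patched, uninstalled and reconfigured it.
REMEDIATED = DeviceReport("phone-b", date(2024, 5, 20), {"com.example.mail"}, GOOD_SETTINGS)

if __name__ == "__main__":
    for report in (CURRENT, STALE, REMEDIATED):
        decision, findings = evaluate(report, TODAY)
        print(report.device_id, decision)
        for finding in findings:
            print("  -", finding)
```

The decision is recomputed on every reconnection, so a device that was admitted last month is quarantined once its patch level ages past the limit.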
The issues surrounding BYOD are many and, in my opinion, outweigh any benefits of allowing personnel to use their own devices. I would advise that the best solution is to say no!
Colin Tankard is managing director of data security company Digital Pathways, which is a specialist in the design, implementation and management of systems to ensure the security of all data whether at rest within the network, mobile device, in-storage or data in-transit across public or private networks.