10 BYOD Lessons For Business from Higher Ed – Commentary by Paul Hill

August 1, 2013 — InformationWeek

The BYOD, or bring your own device, phenomenon is taking businesses by storm — and sometimes by surprise. But higher-ed IT departments have been dealing with BYOD for years now. In fact, they have a thing or two to teach the business world about effectively managing and securing an ever-changing mix of user-owned devices. Read the article

Mobile Devices: Do you know where your data is?

Most companies have policies that restrict what applications employees can install on desktops and laptops. Also, most companies have implemented technology controls to help enforce such policies.

Fewer companies have implemented similar controls on company-owned mobile devices. Within companies that have adopted a Bring Your Own Device (BYOD) strategy for mobile devices, only a small percentage have created documented lists of approved or prohibited applications, and still fewer use Mobile Device Management (MDM) tools to enforce such decisions on employee-owned devices.

A number of companies document some general guidelines regarding prohibited applications in their policies. Such guidelines usually address specific risks, including data leakage or loss, reputational damage, and liability for copyright infringement, although they are rarely explained to employees in these terms.

Many guidelines prohibit peer-to-peer file sharing apps such as BitTorrent, uTorrent, and LimeWire. Typically, guidelines will also discourage employees from using consumer-grade cloud storage services such as iCloud, Dropbox, SkyDrive, and Google Drive.

Unfortunately, few companies discuss the additional applications that leverage cloud storage, or adequately educate employees about the risks of using cloud storage aimed at the consumer market. This creates a situation where employees, seeking to optimize their productivity, adopt an attitude of begging forgiveness later instead of seeking permission before proceeding.

Applications that synchronize data across devices typically use some form of cloud storage, and more and more applications are doing so. In some cases this is obvious; in others, users may not be aware of how and where their data is being stored.

Here are examples of applications that either use cloud storage directly or leverage cloud storage to provide additional integration with other applications: SketchBook Pro, WeatherPro, PDFpen, Keynote, iBooks, Camera+, Contacts, OneNote, JotForm, Evernote, Zapier, UberConference, KustomNote, Azendoo, LiveMinutes, FileThisFetch, QuickOfficePro, GimmeBar, IFTTT, InSync, AutoCad WS, Nivio, Balsamiq Mockups, SmartSheet, SugarSync, Hoccer, Dictadroid, and CloudOn.

Companies should also be aware that dictation services, transcription services, and voice recognition systems typically store data on the vendor’s servers. The developers of these services value a large data set from a variety of speakers in order to tune, enhance, and improve their speech recognition. It has been widely reported that Apple retains voice queries submitted to Siri for up to two years, although Apple says that after six months it disassociates the voice clips from the data that could link them to the device from which the query was submitted.

Examples of voice transcription, recording, and voice recognition applications include: Siri, Dragon for Salesforce, Dragon Dictation, PowerScribe 360, SpeakWrite Recorder, Evernote, Voice Assistant, ShoutOUT, UberConference, and Winscribe.

Many of the example applications in each category also provide facilities for easily forwarding information to social media systems including Facebook, Twitter, and LinkedIn.

Companies need to know which applications their employees want to use and how those applications store or synchronize data, and then evaluate the risk.

6 Apps Your IT Guy Hates – Commentary by Paul Hill

June 24, 2013 — Inc.

Do you count on these apps for everyday business tasks? Maybe you shouldn’t.

The amazing thing about mobile apps, cloud storage, and living on the Web is that information is always at your fingertips. Unfortunately, often that means your data is not far from hackers’ fingertips as well.

Here’s a round-up of the high-risk apps that could be easy prey. Read the article

The first simple steps for Mobile Device Security

Many of our customers have mature security programs that address mobile devices with a wide range of controls. However, many small businesses don’t have fully developed security policies and are trying to determine which practical first steps they can take to secure their mobile devices.
The two most basic and most frequently repeated steps for securing data on mobile devices are still the most important first steps to take:

1. Require the use of a PIN or passphrase to access any application or data on each mobile device
2. Configure mobile devices so that they can be remotely wiped

Employees really should be taught to assume that sooner or later the device they are using will be lost or stolen. A PIN won’t prevent someone with the device in hand from gaining access to the data on it, if they are determined to do so. However, a PIN should delay that person long enough for the employee to perform a remote deletion of the data, provided the loss or theft is reported in a timely manner.

Over time, mobile devices tend to be used on a number of wireless and cellular networks that may be insecure. It is important to protect communications from eavesdroppers.

3. Use a VPN to ensure all communications are encrypted, protecting the traffic from eavesdroppers or tampering

Requiring the use of a corporate VPN for all mobile device traffic also enables a company to perform traffic analysis, enforce Data Loss/Leak Prevention (DLP) controls, and block access to forbidden sites, if the company has such controls in place.

Most enterprises prohibit employees from using consumer-grade cloud storage services such as iCloud, SkyDrive, Dropbox, or Google Cloud Storage. If the use of these or similar services is allowed:

4. Use a password that will withstand brute-force attacks for any cloud storage service, and do not reuse that password for any other service or account

Companies that do prohibit employees from using consumer-grade cloud storage services should educate employees about the risks and about which applications are prohibited. There are many applications that utilize cloud storage without necessarily explaining to users how the features that leverage cloud storage work.

5. Do install anti-malware defenses where appropriate
6. Do not allow jailbreaking of devices

The large number of mobile devices in use is attracting malware authors. If an anti-virus or anti-malware package is available for the mobile device platform, it should be installed. Apple believes its walled-garden approach to software installation negates the need for anti-virus software and does not permit any such packages to be sold via the App Store. Of course, that approach only works as long as all software available to consumers is examined, vetted, and approved by the vendor.

Companies desiring to address a wider range of risks will likely need to impose many more controls. Mobile Device Management (MDM) platforms provide a variety of additional controls and finer granularity for the controls listed above. The BlackBerry platform still provides the greatest variety of controls, offering enterprise administrators over 450 policy settings. Microsoft’s ActiveSync mailbox policies define 41 settings, although not all of them can be applied to every device platform. Other MDM products typically provide fewer settings than a BlackBerry Enterprise Server (BES) but more than ActiveSync mailbox policies.

MDM tools are limited by the features available on the device platform and, at times, by the capabilities enabled by the carrier. Companies that want to support multiple device platforms may need to operate multiple MDM systems.
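As an added example (not from the original article or from SystemExperts), the Exchange Management Shell commands below implement steps 1 and 2 above using the Exchange Server 2010 ActiveSync mailbox policy mentioned in the previous paragraph. The policy name, the mailbox, the device placeholder, and the numeric thresholds are assumed values chosen for illustration.

```powershell
# Added example, not part of the original article. Assumes Exchange Server 2010
# and its ActiveSync mailbox policy cmdlets; policy name, mailbox identity and
# the numeric values below are assumptions, not values from the article.

# Step 1: require a PIN/passphrase. Lock the device after 5 idle minutes and
# have the device erase itself after too many failed unlock attempts, so a
# lost device buys time for the remote wipe in step 2.
New-ActiveSyncMailboxPolicy -Name "Mobile-Baseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# Apply the policy to a user's mailbox (assumed identity).
Set-CASMailbox -Identity "jdoe@example.com" -ActiveSyncMailboxPolicy "Mobile-Baseline"

# Step 2: remote wipe. List the devices partnered with the mailbox to identify
# the one reported lost, then issue the wipe. The device is erased the next
# time it contacts the server, which is why timely reporting matters.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Select-Object DeviceFriendlyName, DeviceType, LastSuccessSync, Identity

Clear-ActiveSyncDevice -Identity "<device Identity taken from the list above>" -Confirm:$false

# Verify the wipe: DeviceWipeAckTime stays empty until the device has checked
# in and acknowledged the erase, so an empty value means the data may still be there.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeAckTime
```

ActiveSync policy cannot tell whether a device is jailbroken (step 6) or whether a VPN is in use (step 3); those checks need an MDM agent on the device, which is the finer-grained control the paragraph above refers to.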

How to Keep Patient Information Confidential in the Digital Age – Commentary by Jeff VanSickel

May 10, 2013 — SurgicalAesthetics

Medical practices across the nation are increasingly using digital tools to track patient health records, communicate with patients and collaborate across clinical specialties. But with the rewards of convenience and efficiency come the threats of potentially compromising patients’ privacy and exposing sensitive data to hackers or identity thieves.

Digitization is a fast-growing trend. About 30% of physicians have already implemented Electronic Health Records (EHRs), and 14% plan to implement an EHR system in the next three years, according to “The Future of Health Care,” a national survey of more than 5,000 physicians conducted by The Doctors Company (thedoctors.com). When making such a shift, healthcare providers must take pains to ensure their data is safe. Read the article

Companies get tough as gadget risks spike – Quotes by Paul Hill

April 19, 2013 – Boston Business Journal

Mary K. Pratt, Special to the Journal

Steve Snyder, the chief information officer for the Massachusetts Convention Center Authority, knows the workers in his organization cover a lot of ground on a typical day. So he equips them with iPhones and iPads, allowing them to work as they move around the MCCA’s 1.7 million square feet of space.

But there are limits to what he’ll allow.

There are work applications on the devices, but no data is actually stored on them. Users must enter passwords to activate their devices, and they must do so again if they’ve left their smartphones or tablets idle for more than five minutes. He also uses mobile-device management software, which allows him to erase any data on any device that is lost or stolen.

Snyder said he still worries more about hackers trying to break into the MCCA’s primary, back-end network, but he acknowledged that mobile devices present new concerns when it comes to protecting the corporate environment.

“If you have a device where you don’t enforce these rules, then someone could do real damage,” he said.

The financial security risks posed by mobile computing have exploded with the advent of smartphones and tablets that are increasingly essential to the way modern businesses operate. Indeed, Gartner Inc. predicts that 1.2 billion smartphones and tablets will be bought worldwide this year. Read the article

Paul Hill of SystemExperts on BYOD’s Impact on Workplace Training

April 8, 2013 – Training Station

As part of a series of articles that we started last month on this blog, on the impact that BYOD (Bring Your Own Device) policy is having on workplace learning and development, I spoke recently with Paul Hill, Senior Consultant for SystemExperts, an important network security consulting firm.

Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. Previously, he was a member of the IT Department of the Massachusetts Institute of Technology, and is recognized as one of the industry’s foremost experts in Microsoft technology. Read the Article

BYOD & Training

In my experience employee training has been one of the business drivers that introduces tablets into some organizations.  Employees have indicated an interest in using tablets to review training materials and many training managers have responded well to the feedback.  Typically an initial pilot program will use company owned and managed devices, temporarily loaned to employees for the purposes of training.  It is not unusual for the training managers to find that the response is overwhelmingly positive and user demand quickly outstrips the capacity provided by the initially purchased company owned devices.  That often leads to a discussion about BYOD.  One could say for many organizations, training is the application that gets the camel’s nose into the tent when it comes to BYOD.

For many industries, the material contained in training material may be extremely sensitive. Consider the training material addressing security and IT risk management for a company in the financial services sector. The material may reveal the current threats that are of the most interest at the present time. It may reveal how the company responds, specific email addresses, roles, responsibilities, and phone numbers. All of this might be useful information for an attacker launching a spear phishing attack. For other industry segments, training materials may reveal valuable intellectual property.

In such situations, the organization should determine what level of protection is necessary and what the implementation strategy will be.

Some organizations may decide to avoid BYOD device management, and instead concentrate on managing access to corporate content. This may work by avoiding storage of the training material on the device. However, with this approach employees might need WiFi access during the review of training materials.

The other strategy gaining the most attention in the circles of regulated industries is the use of granular device management, and containerization.  By using containerization, data can be stored on the device, but the employees will be prevented from transferring the content to other parties or services.  This scenario is highly desirable if there is need for the employees to be able to review the training material while offline.

In order to make an informed decision about BYOD, decision makers need to understand the nature of the information and how it relates to corporate data classification and data handling policies. They also need to make decisions about usage patterns. Then they can work through the issues of specific device management strategies and review the options available.

This article was originally posted on: http://trainingstation.walkme.com/paul-hill-of-systemexperts-on-byods-impact-on-workplace-training/#.UWLRl5OyDzy

How To Improve DBA And Security Team Relations – Quotes by Brad Johnson

April 3, 2013 — Dark Reading

If ever there were an “odd couple” tension of Oscar and Felix proportions within the IT operations community, it would be the mismatch between database administrators (DBAs) and the security pros tasked with managing risk on the data stores the DBAs keep humming. DBAs are “performance junkies,” according to John Kindervag, principal analyst for Forrester Research. Meanwhile, many IT security professionals came up through the ranks of network administration and know very little of the arcane world of fields, tables, and queries. Read the article

DBAs, security pros can learn to get along – Commentary by Brad Johnson

April 3, 2013 — FierceCIO

The ‘Oscar and Felix’ of IT must find common ground

Database administrators and security pros are integrally involved in securing data, but the two camps can seem like the “Oscar and Felix” of IT operations, writes Ericka Chickowski at Dark Reading. The two disciplines tend to approach data from different knowledge bases, backgrounds and goals, but they can learn to find common ground that will improve database risk management.

“DBAs tend to view their work from the perspective of a normal user while IT security staff tends to look at DB or web functionality from the perspective of an intruder. The former is trying to do their job, the latter is trying to ‘break in’ to get access to data or services that were meant to be controlled or private,” says Brad Johnson, vice president at consulting firm SystemExperts. Read the article