Always-on access to work for employees comes with always-threatening security risks
One of the controls that appears in ISO 27002, titled Information technology – Security techniques – Code of practice for information security management, suggests that limiting the period during which connections to computer services are allowed reduces the window of opportunity for unauthorized access. However, the current practice of BYOD, the always-connected employee, and the wide availability of laptops mean that few organizations currently limit when employees may access systems or services.
The risks associated with mobile devices and BYOD can be categorized at a high level into a small number of buckets. These include:
- Information disclosure
- Malware vectors
- The cost of eDiscovery
- Liabilities due to damages to employees
Information disclosures can happen for a variety of reasons:
Email is one of the most common avenues for information disclosure. It is a very convenient method for people to share information, either within the body of the message or as an attachment. Some people use email as an ever-growing file cabinet for documents. Without Data Leak/Loss Prevention (DLP) controls, people can send confidential or sensitive information outside the company perimeter, either to a personal account or to the account of someone at another company. DLP features may prevent certain types of information from being sent via email, or limit the volume of information that may be sent.
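To make the two DLP behaviours just described concrete (blocking certain content types, and capping outbound volume), here is an added example of an outbound-mail policy check. It is not code from the original article or from any DLP product; the internal domain `example.com`, the 10 MiB attachment limit, the SSN and card-number patterns, and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy values, constructed for this example.
INTERNAL_DOMAIN = "example.com"
MAX_OUTBOUND_BYTES = 10 * 1024 * 1024  # 10 MiB of attachments per message leaving the company

# Simplistic patterns; a real DLP engine uses validated, tunable classifiers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional space/dash separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like payment card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachment_bytes: int = 0


@dataclass
class Verdict:
    action: str                     # "allow" or "block"
    reasons: list = field(default_factory=list)


def external_recipients(msg: Message) -> list:
    """Recipients whose address is not in the internal mail domain."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(msg: Message) -> Verdict:
    """Apply the outbound policy: content rules and a volume cap, only for external mail."""
    ext = external_recipients(msg)
    if not ext:
        return Verdict("allow")  # purely internal traffic is out of scope for this policy
    reasons = []
    cards = find_card_numbers(msg.body)
    if cards:
        reasons.append(f"{len(cards)} card number(s) addressed to {', '.join(ext)}")
    if SSN_RE.search(msg.body):
        reasons.append(f"SSN pattern addressed to {', '.join(ext)}")
    if msg.attachment_bytes > MAX_OUTBOUND_BYTES:
        reasons.append(f"attachments of {msg.attachment_bytes} bytes exceed the external limit of {MAX_OUTBOUND_BYTES}")
    return Verdict("block" if reasons else "allow", reasons)


# Constructed sample traffic (the card number is the well-known Visa test value).
SAMPLES = [
    Message("alice@example.com", ["bob@example.com"], "card on file: 4111 1111 1111 1111"),
    Message("alice@example.com", ["bob@gmail.com"], "card on file: 4111 1111 1111 1111"),
    Message("alice@example.com", ["partner@other.org"], "applicant SSN 123-45-6789"),
    Message("alice@example.com", ["partner@other.org"], "quarterly archive attached", 20 * 1024 * 1024),
    Message("alice@example.com", ["partner@other.org"], "meeting moved to 10:30, see order #12345678"),
]


def run_samples() -> list:
    """Evaluate every sample and return the list of actions, in order."""
    return [evaluate(m).action for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        v = evaluate(m)
        print(f"{v.action:5s} -> {m.recipients}: {'; '.join(v.reasons) or 'no policy hit'}")
```

Note the design choice of scoping the checks to external recipients: the same card number sent to a colleague is allowed, which matches the article's framing of DLP as a perimeter control. The Luhn check is what keeps order numbers and phone numbers from being flagged as card data; the SSN pattern has no such checksum and would need further tuning in practice.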
The ubiquity of cameras embedded in phones, tablets, and many laptops also means that employees or visitors may easily copy any information sitting in plain sight. Many of these devices may be configured to automatically upload photos or videos to consumer cloud storage or social media sites. For this reason, “clean desk” policies are more important than ever. Companies with higher security requirements may even resort to mobile device management (MDM) systems to limit the use of cameras by employees in specific buildings or locations.
ISO-27002 also suggests that equipment, information or software should not be taken off-site without prior authorization. However, most organizations grant de facto authorization to remove equipment when issuing laptops or other mobile devices, supporting BYOD. The unfortunate side effect of mobile devices is that they become lost or stolen much more frequently than the traditional desktop or server.
In order to mitigate the risk of lost or stolen devices, there are several controls that should be mandated by policy. All devices, including smartphones, should require a PIN or passphrase in order to gain access to the system or its applications. All mobile devices, including laptops, should encrypt data stored on the device. All mobile devices, including laptops, should be configured so that they can be remotely locked, wiped, and tracked if reported lost or stolen.
ISO-27002 has long advocated that companies have thorough policies and procedures regarding the disposal and reuse of computers and other systems that contain persistent data storage. Once again, BYOD trends make this an important issue. The number of devices has greatly increased, storage capacities are constantly increasing, and it often seems like some people are getting a new phone or tablet every year, or even more often. At the same time, with personally owned devices the phones and tablets may be handed off to other family members, re-sold online, or traded in for new devices. Deleting all company information from devices being replaced is critical to prevent unauthorized disclosures. Acceptable Use Policies (AUPs) and security awareness training should remind employees not only to report lost or stolen equipment, but also to report any personally owned equipment that is being replaced.