Saturday, May 28, 2022

5 Point Checklist: How To Draft A Solid BYOD Security Policy

Looking back over the past two years, it's hard to believe that the COVID-19 pandemic happened.  When I first saw the headlines, I thought it would pretty much stay confined to China.  But it did not, and it has impacted the world in ways we never thought were possible, for the good and the bad.

It was scary for those first few months, seeing the financial markets literally melt and everybody getting sick. 

Probably one of the biggest lessons learned from this whole thing is the Remote Workforce.  It seems like everybody wants to WFH, and in fact, the people I know of who have received offers made WFH a condition of acceptance.

But there is one common denominator with this, and that is that remote workers (heck, really everybody for that matter) are now more glued than ever before to their smartphone.

In fact, according to recent surveys, the following trends were discovered:

*Over 58% use their personal devices for work related matters when they know it is against company policy to do so;

*84% of the businesses polled said that they have literally given up on trying to come up with new strategies to keep employees' personal devices protected.

Given these trends, one could surmise that as long as the Remote Workforce is here to stay, employees will continue to use their own devices to do their job. So what can you, the CISO, do to prevent this from happening?  Unfortunately, there is not a lot, unless you want to enter your employees' homes and do all of the upgrades and patching on their personal devices yourself.

But we know that this will never happen.  So here are some tips:

1)     Require that meetings be held on Zoom or Teams:

These two video conferencing platforms have come a long way since two years ago, especially Zoom, given all of the security flaws that it had at the time.  In fact, I have started to use Teams a lot more now, and I am astonished at all of the features it has.  For instance, you can dial directly to other coworkers, and even hold private chat sessions.  But back to the topic at hand: whenever there has to be a meeting, make your employees log in through their laptop (or other company issued device).  If you discover that they have connected through their personal device, kick them off and don't let them log back in until they have reconnected using the appropriate device.

2)     Try to make use of the Zero Trust Framework:

I have written about this before, so there is not much more to say.  From what I have been reading in recent articles, some 80% of business entities are trying to adopt this framework.  Although there have been some setbacks, overall, it seems that there is some success coming out of it.  Heck, IMHO, it is far better to make use of at least three layers of authentication or more than just one or two, as the 2FA methodology prescribes.  Note that this kind of framework is quite extreme, and you may not have full buy-in from your employees.  But in the end, you the CISO have the ultimate responsibility for the protection of your digital assets.

3)     Implement the use of Mobile Device Management (MDM):

With this policy, you are making sure that each and every wireless device that is accessing the shared resources on your servers has been authenticated through the channels you have set forth.  If your employees are still insistent on using their own smartphone to reach such resources, then you have to tell them that their personal device has to be registered through the MDM tools and directives.  If not, then it's plain and simple:  They won't have access to shared resources.  It's their choice.  In fact, many companies in Corporate America are adopting the MDM framework, and this market is expected to reach a high of almost $16 Billion by the year 2025.

4)     Make sure that only legitimate apps are downloaded:

This can be a dicey situation.  If you have given your employees a company issued device, then there is no worry about conducting random audits on them to make sure that only legit apps have been downloaded. But if an employee is using their own device, then this becomes a potential violation of their privacy rights.  I really don't have a definite answer on this one, so it may be best to consult with your business attorney to see how you can go about doing this.
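To show how tips 1 through 4 combine into one enforceable access decision, here is an added example (not code from the original post or from any MDM product): a small policy evaluator that takes a constructed device record and returns allow/deny with the reasons. The allowlist, minimum OS versions and the three-factor requirement are assumed values chosen for illustration; note that, per tip 4, the app audit is applied only to company issued devices.

```python
from dataclasses import dataclass, field

# Constructed policy constants, assumed for this example only.
REQUIRED_AUTH_FACTORS = 3                                       # tip 2: three or more layers
APPROVED_APPS = {"teams", "zoom", "outlook", "authenticator"}   # tip 4: constructed allowlist
MIN_OS = {"ios": (16, 0), "android": (13, 0)}                   # constructed minimum versions


@dataclass
class Device:
    owner: str
    company_issued: bool
    mdm_enrolled: bool
    os_name: str
    os_version: tuple
    auth_factors_used: int
    installed_apps: set = field(default_factory=set)


def evaluate(device: Device, resource: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Any failed check denies; reasons lists every failure."""
    reasons = []
    # Tip 1: meetings may only be joined from company issued hardware.
    if resource == "meeting" and not device.company_issued:
        reasons.append("meetings must be joined from a company issued device")
    # Tip 3: a personal device must be registered with MDM before it reaches shared resources.
    if not device.company_issued and not device.mdm_enrolled:
        reasons.append("personal device is not enrolled in MDM")
    # Tip 2: Zero Trust style, require REQUIRED_AUTH_FACTORS authentication layers.
    if device.auth_factors_used < REQUIRED_AUTH_FACTORS:
        reasons.append(f"only {device.auth_factors_used} authentication factor(s), "
                       f"need {REQUIRED_AUTH_FACTORS}")
    # Tip 4: app audit only on company issued devices; personal devices are not inspected
    # here because of the privacy concern the post raises.
    if device.company_issued:
        unapproved = sorted(device.installed_apps - APPROVED_APPS)
        if unapproved:
            reasons.append("unapproved apps installed: " + ", ".join(unapproved))
    # Basic hygiene: the OS must be at or above the constructed minimum version.
    minimum = MIN_OS.get(device.os_name)
    if minimum is None or device.os_version < minimum:
        version = ".".join(map(str, device.os_version))
        reasons.append(f"OS {device.os_name} {version} is below the minimum supported version")
    return (not reasons, reasons)
```

Each denial reason maps back to one tip, so the same output can drive both the access gate and the explanation shown to the employee.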

5)     Train your employees:

If you expect your employees to maintain good levels of Cyber Hygiene when it comes to using their personal devices for work related stuff, then you need to give them the ammunition to do so.  So in this regard, you need to be delivering security awareness training programs at least on a quarterly basis, with a focus on safe smartphone usage.  No need to make these training programs hours on end; even a simple 30 minute one will do.  Remember, you want your WFH employees to remember and apply what they have learned. In fact, this has been one of the key mantras of Cyber ever since COVID-19 hit.  But quite astonishingly, only 50% actually deliver any sort of formal training program for their employees, whether they are remote or not.  More information about this can be seen at this link:

https://newblogtrustlook.files.wordpress.com/2016/10/trustlook_insights_q4_2016_byod.pdf

My Thoughts On This:

This concept of employees using their own smartphones to conduct work related matters is really nothing new; in fact, I first wrote about this back in 2012.  It is called "Bring Your Own Device", or "BYOD" for short.  In the end, given the work climate today, you want to keep your good employees by giving them certain freedoms that would not have existed before.

But employees also need to meet you halfway in this regard, and allow some sort of security scrutiny of their personal devices by you and your IT Security team, if they are going to use them for work related purposes.  Once again, I am not sure what the legal ramifications of this are, but I would say go ahead and try this policy the best you can.

The worst-case scenario is that an employee who does not agree with this will probably just simply quit.  But of course, during this period of the so called "Great Resignation", finding a new employee that is willing to abide by your security policies should not be too difficult either.
