3 Tips to Secure Data in a BYOD Environment

By Eric Noonan • January 14, 2016

Bring your own device (BYOD) is the use of an employee’s personal mobile device, e.g., smartphone, tablet and/or laptop, to access a company’s data or network.  Once a trend, BYOD has gained wide acceptance across businesses succeeding in today’s markets.  Findings from Tech Pro Research in early 2015 indicated “74 percent of organizations [are] either already using or planning to allow employees to bring their own devices to work.” What is the main motivator for this movement? A study conducted by IBM found the main advantages of the BYOD environment were a rise in employee productivity and satisfaction as well as overall financial savings for the business. The benefits of BYOD are great, but what does it mean for the overworked IT environment already combating constant attacks on their network?

Ultimately, allowing employees to use personal devices to access company proprietary information opens the business to potential cybersecurity risks. A non-company-owned device that is lost or stolen, lacks necessary anti-virus software, or accesses data that is not encrypted leaves an organization’s data vulnerable and can lead to a data breach resulting in significant financial loss. As 2016 gets underway, the discussion on the protection of organization-controlled data becomes even more relevant. With the growth of BYOD in 2015, the question is not how an organization can avoid adopting this movement, but rather how a business can mitigate the risks associated with it. To address some of these concerns, CyberSheath has outlined 3 common industry best practices to begin the process of ensuring your data is secure within a BYOD environment.

1: BYOD Policy

For starters, employees must have permission to use their personally owned devices for business purposes. A good place to begin is with a strong BYOD policy. The policy must clearly define the organization’s expectations of its employees when using their personal devices to conduct company business. Requirements for employees, such as requiring anti-virus software on non-company devices, enforcing two-step authentication or putting company proprietary information into secure content lockers, are guiding principles that offer increased security to an organization. Industry educational institutions, such as the SANS Institute, encourage policy development and describe policies as the “practical steps necessary for defending systems and networks.” Policies enable organizations to hold employees accountable for their actions.

2: Encryption

While policies provide guidance and permission to employees, policies in and of themselves do not secure the data. Encryption is one of many ways to secure data on a personally owned device. In 2015 the Office of Personnel Management (OPM) learned the importance of encryption the hard way, when it was discovered in hearings held by the House Committee on Oversight and Government Reform that “the data stolen in the massive OPM breach was not protected by practices like data masking, redaction, and encryption.” Encryption is an accepted best practice to meet compliance regulations that require the protection of data, and as expressed in hindsight by Rep. Elijah Cummings, D-Md. at the OPM hearing, “should become the norm.”

3: Training

The third most important tip for the BYOD environment is training. While having a good policy in combination with strong encryption can protect the data, training brings it all together for the employees. Training employees on policies, and on how and when to use encryption and secure content lockers, goes a long way in the fight against data breaches. Training enforces acceptance of the BYOD policy, and employees can no longer use the reason “I didn’t know how to secure my [data/mobile device/email/document].” While the above suggestions can be implemented relatively easily, properly training employees on the policy and the technology to support the policy is far more cost-effective than dealing with a data breach due to an uninformed employee.

How CyberSheath Can Help Your Organization Mitigate the Risk of the BYOD Environment

To start, as part of our Staffing and Residency service offering, CyberSheath can provide the experts necessary, whether you are transitioning to or reevaluating your current BYOD environment, to create the policies and procedures critical to securing your digital assets.
