The Importance of a BYOD & Data Privacy Strategy
In this article, Telarus is grateful to have access to “those who know” what it means to deliver best-in-class Incident Response for large, sophisticated breaches and real-world Security Strategy development.
Tyler Ward of IGI, an award-winning cybersecurity organization specializing in services and software, joins us in this post to discuss the very real problem now magnified with the Work from Home (WFH) reality enterprises are facing today. WFH has introduced the real challenge of balancing employee productivity and access to resources with good cybersecurity hygiene. The challenge is amplified on many levels, a loose perimeter, larger Attack Surface, endpoint security, Data Protection, and many other realms compelling Leaders to think about a new Cybersecurity strategy, well beyond traditional tactical techniques.
Integrating BYOD—where employees access corporate data on untrusted, unknown devices to continue to be productive—means Data Privacy needs to be thoroughly re-evaluated, from policy to technical practice. Here we evaluate this real-world problem with solutions and guidance from the front lines where IGI fights the good fight every hour of every day.
Questions:
Dominique: What challenges does BYOD & Data Privacy bring to Organizations? Is this industry-specific?
Tyler: Bring Your Own Device (BYOD) is a not-so-new concept we are now looking at through a different lens. Fifteen years ago, when you brought your flip phone to work, things were rather simple and clear for the business. However, mobile devices are no longer a static and predictable object, rather they are a conduit for anything and everything and are constantly evolving. The devices of 2020 are mere portals into the wide world of technological creationism and can bring unwanted guests into the company. In the eyes of those who manage risk, this can be equated to leaving the front door open in our homes. We just don’t do it anymore.
Let’s look at a 2020 scenario: Someone is sitting in the conference room at a private board meeting for a public company, and the discussion is around stock pricing and a new merger. The chief revenue officer has their smartphone sitting on the table. The problem is this: we no longer know who may be activating that microphone, recording with their smartphone camera, or what kinds of malicious applications are running on that smartphone. Goodbye, flip phones. Hello, 2020 spy tools. This is the reality now, and we have to accept, mitigate, or transfer the risks.
On the side of privacy, we have privacy laws for different states, all 50 states have their own data breach notification laws, and we now have international regulations such as the GDPR (Europe), Data Protection Act (U.K.), LGPD (Brazil), and many more. Now, we couple these regulatory obligations with the fact that nearly all businesses are running global operations with customers everywhere and are sharing data with many other companies. The vast majority of businesses are out of compliance with some privacy or security regulation, and they don’t realize it (yet).
While different industries have their own governing set of privacy regulations such as HIPAA (Healthcare), privacy is touching nearly every single entity now. From sole proprietorships to multinational organizations, this is something that we all have to consider, assess, and act on.
Dominique: How do Policies map to and why do they matter for Data Privacy and BYOD?
Tyler: Policies are the guides for organizations and how they conduct operations. However, these are also significant catalysts for legal backing when the time comes to show good faith efforts to govern privacy and BYOD. One of the most significant impacts that I have personally witnessed was when a client was hit with a data breach, and their cyber insurance provider refused to pay because the company did not have a governing set of documentation surrounding information security. When companies apply for insurance policies, they must answer a series of questions. They will never see those questions again until they have a data breach in some cases. When they come back looking for evidence of those artifacts, they play a direct role in insurance payouts. This can be equated to not having an inspected vehicle and getting into an accident. Insurance companies may not be there to help in your time of need.
Dominique: What are the key considerations for Organizations when allowing Corporate Data on BYOD? What is the ideal vs. practical guidance?
Tyler: Ideally, organizations should buy, own, and issue devices to each employee. Additionally, they should have a policy on how employees can use that device and what they cannot do—that is BYOD management in it’s simplest form. However, being a realist, I understand that this is not so economically feasible for some businesses. Therefore, we must determine how we will manage the data that the company owns on a device that the company does not own. Mobile Device Management (MDM) solutions are great at the containerization of data and sandboxing of applications. Still, we must also realize that those devices can be carriers for some, particularly malicious content. Be wary of allowing unowned or unmanaged devices connecting to the corporate networks and applications.
Dominique: What about data destruction? Who has the right to destroy data, is it limited to just the corporate data or the entire data on the device, if the device ends up lost or posing a risk to the Org?
Tyler: In short, if the organization does not own the device, destroying data is a very nebulous area, to say the least. If they do not own the device, my recommendation is to get an MDM solution that containerizes the data and also have the employees sign a policy that grants the organization the right to destroy corporate data when required. If the organization does not own the device, then the destruction is limited to that of the data owned by the organization. We have many clients where employees lose their corporate and non-corporate devices. For both types of devices, you want to have the capability and policy-driven authorization to;
- Encrypt the contents of the device
- Set security policies on the device and data
- Remotely wipe the device or wipe all corporate data
Also, remember that if you implement an MDM solution on devices that are not owned by the organization, be very careful of GPS tracking. Tracking employee movements on their personal device is most certainly not a conversation that you want to have after the fact.
Dominique: What about control over the device becoming a surveillance device? Are there good security practices around installing 3rd party apps, guidance on devices that are more “trustworthy” than others, etc.?
Tyler: As we talked about earlier, these devices are being used to surveil organizations daily. When we have no control over the devices and software installed, it would be naïve to think that the malicious parties could not leverage the microphones and cameras. We must gain control over the applications installed on corporate devices and also follow a process for how we approve applications. This should be predicated on performing security reviews. In trusting applications, we simply have to do our homework. Believe it or not, malicious applications make it into the Google Play Store and Apple App Store. We have to do the research prior and follow the criteria for authorization.
We recently learned about TikTok’s ability to do some tricks with the iPhone. As stewards of security, we must come together and recognize that there are people out there that have alternative motivations when creating applications and software. Data is a valuable commodity, and we have to recognize that we are bringing risks into our organizations and exercise vigilance.