Embracing BYOD and BYON to Reduce Risks
By Sarah Lahav, CEO, SysAid Technologies
The “bring your own device” (BYOD) trend has received a lot of attention in business circles, but BYON – “bring your own network” – is another security risk IT teams should be working proactively to address. In fact, BYON is a far graver threat to corporate security than BYOD, and the best way to counter the risks associated with BYON is to fully embrace BYOD.
Company IT professionals and security officers are right to be concerned about the risks of BYOD and BYON: Lax security practices such as failure to use strong passwords can put sensitive company data at risk when it is stored on employee devices. And the use of unsecured BYON connections can leave confidential data exposed when employees transmit messages or log in to company portals.
But trying to address the risks associated with BYOD and BYON by banning the use of personal devices in the workplace will ultimately prove to be a nonstarter. An increasingly mobile workforce is transforming the way business is conducted, and always-on, always-connected mobile devices are driving the change. In fact, industry analyst Gartner predicts that by 2017, half of employers will stop providing devices to employees altogether and require staff to use their personal devices on the job.
The reason many companies are embracing BYOD is that, in theory, it delivers a win-win: Employees win because they get to use the devices they choose that are increasingly an integral part of their daily lives, and employers win because BYOD expands access to employees and increases job satisfaction. But without robust IT support, neither employees nor employers can achieve a clear win. Instead, employees take chances with company data via BYON connections, leaving employers exposed to more liabilities, which transforms a potential win-win into a lose-lose proposition.
BYOD is inevitable. The IT team’s customers – their employer and its employees – are increasingly demanding the flexibility it delivers. So to address the risks, IT needs to embrace BYOD now, while the trend is evolving, and prepare for emerging technologies like wearables, which will affect enterprise security in the future.
IT departments can counter the threat of BYON by providing WiFi access for employee-owned devices, which gives IT professionals greater control over security. IT departments can provide across-the-board support for social platforms and apps, which will give them a chance to review security protocols. In return for enabling IT to gain greater control over device and network security, employees will receive support, creating a win-win scenario.
In a rapidly evolving technology environment, many IT teams are struggling to keep up, looking for ways to protect their companies and provide the services their customers demand. The BYOD and BYON trends pose daunting challenges for IT, and it’s understandable that the first impulse would be to try to keep the risks at bay by banning the use of personal devices on the job. But these trends aren’t a passing fad: BYOD is a sea-change in IT.
Because the use of personal devices in every facet of life is gaining momentum and will be bolstered by emerging technologies, the time is now for IT organizations to embrace and manage the change. As is often the case in business, identifying what the customer demands and shifting strategies to meet their requirements turns out to be a smart move – for the company, for the customer and for those involved in providing support.
Former employees: Gone but (passwords) not forgotten
Contributed Article: by Joe Siegrist, Founder and CEO of LastPass
Security is a buzzword right now – from cyber security to password security, it’s got everyone talking. When it comes to employees and passwords, IT departments try to take all the necessary precautions to ensure the business is secure. But what happens when an employee leaves a company? What security risks should businesses be aware of after an employee leaves (either voluntarily or otherwise)? Taking action following a change in staff is important for every company, but small and micro businesses may need more help. Many smaller businesses rely heavily on technology but aren’t big enough to support full-time IT employees or departments, so they may not know best practices for computer and data security.
While it’s best if your company has security processes in place before an employee leaves, in the event that they aren’t implemented, there are a few steps the company should immediately take.
- Deactivate the employee’s computer and accounts. Ideally, this should be done immediately upon termination. Change passwords for accounts they had access to, including conference lines and building codes. If you wait too long to do this, the ex-employee may have time to access company information to destroy, compromise, or steal from a remote site – even if their computer and other company devices have been confiscated prior to their departure.
- Collect all company devices, including computers, cellphones, tablets, security cards, credit cards, company manuals, and any other sensitive material or anything that provides access to that information. Preferably, this should be done before the employee leaves the office for the last time. The longer it takes you to deactivate accounts and computers, the more time an employee has to alter information (like file creation dates), completely delete files (evidence of misconduct or theft), or commit fraudulent acts (entering new data, loading new software, moving data). For the safety of your employees, it may also be advisable to change the locks and security access codes.
- Debrief the employee on confidentiality. If the employee signed a non-disclosure, non-compete, or non-solicitation agreement, review the document to make sure the employee is clear on their obligation not to reveal information on the company.
Now that you’ve taken care of the immediate needs of securing your company’s information, you can focus on implementing some security structures that will not only better protect your business, but will also make your life easier the next time an employee leaves.
- You need better control of your passwords. How many passwords do you have between your personal and work life? My guess is that it’s more than you even realize, and ideally each of those accounts should have a strong, unique password. Unfortunately, that is too much for most people to remember and we end up writing our passwords on sticky notes or Word documents saved on the computer. This is a habit you and your employees need to break. Keep your passwords somewhere that you, and only you, know about and have access to – a password manager, an encrypted file, or a similar system that works for you. Make sure it is a place where you can store unique passwords for each account and keep track of them. Now that all your passwords are in one safe location, shred those Post-Its or delete the unsecured Word document. Finally, if you haven’t already done so, go through your accounts and make a unique password for each of them.
- You need better passwords. Speaking of passwords, they should be stronger. Hackers use computer systems that are able to recognize the “tricks” humans are likely to use to try to make better passwords. Use a complex combination of capital and lowercase letters, numbers, and symbols, and, if possible, stay away from dictionary words. Using a password generator that creates random, long passwords is the ideal solution.
- Your password isn’t safe if you give it away. Although account sharing can be convenient, it’s not worth the risks. It makes the company more vulnerable to attack since accounts are accessible by multiple employees (who may or may not have clearance to the information they are accessing). In general, it is important to know who has access to what information, when, and from where. If something unfortunate happens to the company, like theft or leaked information, there will be no way of telling which employee is responsible. If you give out the password to the wrong person and they cause damage – physical or reputational – you may be liable, which leads me to my next point.
- Maintain information on employee access and perform frequent audits. Set up a system that requires employees to use unique passwords to gain access to their accounts and information – ones that make it difficult to share password information. Access rights vary because of different security levels, job descriptions, and locations across the network. Maintain a secure database that keeps track of each employee’s access level, what they have access to, and passwords associated with that access. When an employee leaves, use this to create a checklist that their supervisor can use to disable their access rights with less room for error. Perform audits on accounts and enforce a strong password policy that requires passwords to be changed frequently. And remember, threats don’t always come from the outside – there can be intentional theft, lost or stolen devices, or accidental exposure. The more you are aware of what information is where and who has access to it, the more equipped you will be to handle a disaster.
- Separate personal and financial data. Implement network segmentation to restrict inter-systems access. Set permissions within your network so that employees only have access to information as needed to do their job.
- Last but not least, educate your employees. Develop an effective educational system that informs employees about the dangers of password and account sharing. Explain why security is important and essential to the functions of the company, and how they can contribute to the security through their everyday actions.
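The access record and departure checklist described in the list above can be kept in a very small form. The following is an added example, not part of the original article: the `Grant` record, the sample inventory and all employee and resource names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    employee: str
    resource: str
    kind: str  # "account" = personal login, "shared" = shared secret, "device" = hardware

# Constructed sample inventory; every name and resource here is hypothetical.
INVENTORY = [
    Grant("alice", "email:alice", "account"),
    Grant("alice", "vpn:alice", "account"),
    Grant("alice", "conference-line PIN", "shared"),
    Grant("alice", "building door code", "shared"),
    Grant("alice", "laptop A-01", "device"),
    Grant("bob", "email:bob", "account"),
    Grant("bob", "conference-line PIN", "shared"),
    Grant("carol", "conference-line PIN", "shared"),
    Grant("carol", "building door code", "shared"),
]

# Accounts are handled first, then shared secrets, then hardware.
ACTION = {"account": (0, "disable"), "shared": (1, "rotate"), "device": (2, "collect")}

def offboarding_checklist(inventory, leaver):
    """Return (action, resource, holders_to_notify) steps for a departing employee."""
    mine = [g for g in inventory if g.employee == leaver]
    steps = []
    for g in sorted(mine, key=lambda g: (ACTION[g.kind][0], g.resource)):
        notify = []
        if g.kind == "shared":
            # A shared secret has to be changed, and its other holders told.
            notify = sorted({o.employee for o in inventory
                             if o.resource == g.resource and o.employee != leaver})
        steps.append((ACTION[g.kind][1], g.resource, notify))
    return steps

def outstanding(steps, completed):
    """Audit helper: checklist steps whose resource is not yet marked done."""
    return [s for s in steps if s[1] not in completed]

if __name__ == "__main__":
    for action, resource, notify in offboarding_checklist(INVENTORY, "alice"):
        suffix = f" (notify: {', '.join(notify)})" if notify else ""
        print(f"[ ] {action} {resource}{suffix}")
```

Shared secrets such as the conference line and door code show up as "rotate" steps with the remaining holders listed, which is the cost of account sharing that the list above warns about.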
Though there is an upfront investment in taking the time and effort to put better security measures in place, the return on investment is massive when mitigating the likelihood of incidents with departing employees, which can cause untold damage to company assets and reputation.