Bring Your Own Device (BYOD) is becoming increasingly popular as employees have access to advanced consumer technology in their personal lives and understandably wish to replicate this in the business environment.
As a result, organisations are worried about the security of business data being stored locally on privately owned devices. While this is a legitimate concern, in reality the same concern also applies to the organisation's own devices; and there is a bigger threat – the credentials stored on mobile equipment. This was brought up in the recent X-Force document, a quarterly report on the state of cyber security published by IBM.
If a device is compromised, especially if it belongs to a member of the senior business leadership team, usernames and passwords saved on it could provide access to sensitive data held on the corporate network. This could be anything from intellectual property to financial data all the way through to personal information.
This is a real risk, so how can it be dealt with? Below are solutions that represent a good starting point:
• Education – Many security breaches come from inside the company. This could be due to malicious intent or users simply not knowing what they don’t know. Mobile security is no different. Training is one way to reduce the chance of these situations occurring and regular refresher courses can decrease this further.
• HR policy – Some guidelines, such as using strong passwords, setting short timeout periods and regular password changes, can be rolled out as formal policies. And where appropriate, employees can be made subject to disciplinary action if particularly important policies are not adhered to.
Of course, besides managing people, technology can also be used to help minimise the risk. Relevant solutions include:
• Two-factor authentication – Users can be forced to use a password and another method of authentication, such as a randomly generated one-time PIN, to get into an application/service.
• Splitting the device – Vendors are now offering software to separate the business and personal side of smartphones/tablets. The business side of the device contains separate company applications, and all data within it is encrypted.
• Central policy enforcement – The rules mentioned previously can be managed through appropriate tools such as MDM, EMM, etc. (see here for a fuller discussion of this).
The main point is that the risk of stored credentials is often overlooked or set aside in the name of convenience. No matter how much users grumble, however, it is a threat that needs to be taken seriously. By not protecting yourself from these dangers you could provide the first step for more severe security breaches.
For more insights from Freeform Dynamics on mobile management, visit here.