BYOD and Shadow IT Attacks
Modern times call for modern measures. BYOD (Bring Your Own Device) is one such modern measure. An organization without BYOD will not only be considered ‘outdated’ but will also be holding back its employees’ productivity, because BYOD is known for boosting productivity by letting employees work from anywhere using portable devices such as mobiles, laptops, tablets, etc.
What’s more, just because your organization has not yet implemented BYOD officially, but has been discussing it and taking measures to that end, it doesn’t mean your employees aren’t already trying to ‘unofficially’ access your office network by bringing their own devices.
Shadow IT Attacks
Believe me. Your employees are not doing it out of spite or because of some grudge they hold against you. They just want to increase their productivity, impress their bosses, get paid well and live happier lives. And what is more tempting than a laptop sitting idle which they could use 24/7 to access your network, work more and earn more? This thought can be so overpowering that you cannot really blame them for ‘unofficially’ using the BYOD policy you have long been thinking about implementing – but haven’t actually done so.
Such unapproved use of solutions built (or being built) inside an organization, without explicit organizational approval, is known as Shadow IT. Shadow IT attacks usually take place when someone uses a system that is still being put together – BYOD in this case – before it is implemented officially, and they usually end up causing huge damage to the organization in terms of both money and reputation, because Shadow IT can expose the organization’s highly sensitive data to outsiders.
Let’s say a Shadow IT attack has taken place in your organization. How do you still manage to mobilize your enterprise after it?
A Unique Problem Needs an Equally Unique Solution
Mobile security (or wireless security) cannot be solved by desktop or network security solutions, because those solutions are not equipped to handle mobile devices. What you need to solve this mobile security challenge is an enterprise mobile management solution that integrates well with your organization and also helps you create, and put into operation, an efficient BYOD policy.
Professional enterprise mobile management solutions (like Comodo’s BYOD) handle device onboarding, device reporting, device policy management and enforcement, and related tasks. Together these ensure that the portable devices your employees bring into your network (laptops, smartphones, tablets, etc.) stay safe, and so does the company network those devices are granted access to, from the threats and vulnerabilities associated with mobile (or wireless) security.
Getting a Good Enterprise Mobile Management Solution Is Not Enough
You should also know how to enforce a good BYOD policy, because your EMM (Enterprise Mobile Management) solution will not do this for you. You should know where to draw the boundary, while at the same time ensuring your employees don’t start thinking the policy is so stringent that a bit of slacking is acceptable. So you should take a “well-balanced yet secure approach” here. Below are some tips on doing just that.
1. Explicitly State What Devices Will be Permitted
This is the first and foremost step when devising a BYOD policy. Decide whether it is going to be a Bring Your Own iPhone policy or a Bring Your Own Android policy, and make it clear to employees which devices they can and cannot use to access your network, in addition to any portable corporate devices you may have provided them for that purpose.
2. Enforce a Strong and Complex Password Policy
It is common for users to set simple, easily remembered passwords on their devices. However, you simply cannot allow this, as your employees will be accessing your network and data with those devices, and a weak password is like sending hackers an invitation to come and break into your network. So make it clear to your employees that if they are to access your network under BYOD, they must configure strong passwords, which are usually a mix of letters, numbers and special characters.
3. Decide What Apps Will Be Allowed or Banned
This policy should apply to all devices – whether corporate-issued or personally bought – as long as they are used to connect to your network. Because your employees’ devices hold your sensitive data, if they are allowed to install software that poses security risks, then chances are your security will in turn be compromised. So exercise caution over which apps you allow or forbid your employees to download, install and use.
4. Set Up an Employee Exit Strategy
Remember to unplug exiting employees from your BYOD policy the right way. Any residual data on their devices can jeopardize your security. So you should have an effective employee exit strategy in place which ensures that exiting employees don’t carry anything belonging to you with them when they leave the organization. A full wipe of the employee’s phone is not such a bad idea, but you should have a clear methodology in place which ensures the employee’s personal data is not sacrificed and is instead backed up somewhere safe.
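The four tips above can be turned into a compliance check that an EMM administrator runs over the device inventory. The example below is added here and is not Comodo’s code or any EMM’s API; the permitted platforms, banned app id, 12-character minimum length and the sample devices are constructed assumptions, and the passcode check is meant to run where the passcode is set rather than on a server that stores it.

```python
import re
from dataclasses import dataclass

# Constructed policy values standing in for what an organisation would decide.
PERMITTED_PLATFORMS = {"ios", "android"}          # tip 1: which devices may enroll
BANNED_APPS = {"com.example.unvettedsync"}        # tip 3: placeholder package id
MIN_PASSCODE_LENGTH = 12                          # assumption; the post sets no length

@dataclass
class Device:
    owner: str
    platform: str
    passcode: str        # checked where it is set; a real EMM would not store it
    apps: set
    owner_active: bool   # False once HR flags the employee as exited (tip 4)

def passcode_is_strong(pw: str) -> bool:
    """Tip 2: a mix of letters, digits and special characters, plus a length floor."""
    return (len(pw) >= MIN_PASSCODE_LENGTH
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def evaluate(device: Device) -> list:
    """Return policy findings for one device; an empty list means it is compliant."""
    findings = []
    if device.platform.lower() not in PERMITTED_PLATFORMS:
        findings.append("DENY: platform not on the permitted-device list")
    if not passcode_is_strong(device.passcode):
        findings.append("REMEDIATE: passcode fails the complexity policy")
    banned = device.apps & BANNED_APPS
    if banned:
        findings.append("REMEDIATE: banned app installed: " + ", ".join(sorted(banned)))
    if not device.owner_active:
        # Tip 4: remove company data and access, but leave the personal profile intact.
        findings.append("OFFBOARD: revoke access; wipe work container only, keep personal data")
    return findings

def audit(devices: list) -> dict:
    """Map each owner to that device's findings; compliant devices map to an empty list."""
    return {d.owner: evaluate(d) for d in devices}

# Constructed sample inventory (not real devices or people).
SAMPLE = [
    Device("alice", "iOS", "Tr0ub4dor&3-horse!", {"com.example.mail"}, True),
    Device("bob", "Windows", "password", {"com.example.unvettedsync"}, True),
    Device("carol", "android", "C0rrect-H0rse#Battery", {"com.example.mail"}, False),
]
```

Running `audit(SAMPLE)` flags bob three times (platform, passcode, banned app), leaves alice clean, and turns carol’s exit into a work-container-only wipe rather than a full device wipe.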