BYOD: Three Lessons for Mitigating Network Security Risks in 2015

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.

 

The Impact of Collaboration in Cyber Risk Insurance

Former FBI Director Robert Mueller once said, “There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.” This is the environment in which risk managers must protect their businesses, and it isn’t easy.

Cyber risk is not an IT issue; it’s a business problem. As such, risk management strategies must include cyber risk insurance protection. Until recently, cyber insurance was considered a nice-to-have supplement to existing insurance coverage. However, following in the wake of numerous, high-profile data breaches, cyber coverage is fast becoming a must-have. In fact, new data from The Ponemon Institute indicates that policy purchases have more than doubled in the past year, and insiders estimate U.S. premiums at around $1 billion today and rising.

But is a cyber policy really necessary? In short, yes. As P.F. Chang’s China Bistro recently discovered, commercial general liability (CGL) policies generally do not include liability coverage to protect against cyber-related losses. CGL policies are intended to provide broad coverage, not necessarily deep coverage. Considering the complexity of cyber risks, there is a real and legitimate need for specialized policies that indemnify the insured against cyber-related loss and liability.

The fact is, cyber risk is a problem all its own. The cyber threat is pervasive, and attacks are increasing exponentially. Cyberattack trends are also shifting constantly. An attack can come from multiple directions and in multiple forms, targeting different information and outcomes: an attack launched by a hacker group intent on making a political statement, malware that enters the network through a third-party service provider to steal credit card information, or a data breach perpetrated by a trusted insider seeking competitive intellectual property (IP).

In this complex, dynamic threat landscape, the ability to accurately assess risk becomes a monumental undertaking. If we accept that every organization has been hacked or will be again, it’s clear that prior incidents are no longer relevant or legitimate indicators of a company’s risk. Similarly, stagnant security checklists required by many insurers are hardly representative of actual, ever-changing cyber risk. Traditional risk assessment methodologies that rely on these elements to determine pre-binding risk simply have no place in today’s world.

Risk Assessment for the Cyber Era

The industry needs assessment methods consistent with the changing threat landscape. That means real-time, active assessment of an entity’s entire business ecosystem including upstream and downstream threats, as well as the often overlooked insider threat. What this provides is a holistic understanding of an entity’s vulnerabilities, high priority risks and security maturity.

In the current cyber environment, it’s implicit that every organization will be the victim of a cyberattack and that there will be some cyber loss as a result. Thus, savvy underwriters are looking beyond mere ticks on a checklist to determine insurability; rather, they’re looking for security maturity and cyber resilience.

The more cyber resilient an organization, the faster it can identify a cyberattack, stop it and recover from the impact. Data loss is expected. It’s the severity of the data loss that will impact the company’s business, damage its brand and customer loyalty and erode investor confidence. Those organizations that can quickly and effectively minimize the risk and get back to business are generally considered a safer bet.

This is where organizations can realize the benefits of holistic cyber insurance assessment. All too often, critical data is uncovered after a breach occurs. By implementing a proactive risk assessment before an attack occurs, the organization can gain in-depth intelligence about its highest priority risks before an incident, not years later when it’s too late to do anything about it. A pre-binding assessment provides the right data at the right time to inform risk management decisions and align resources with an organization’s highest priority risks.

Additionally, organizations that adopt continuous proactive assessment and ongoing risk mitigation demonstrate mature security practices, which indicate an organization’s ability to return to regular operations faster following a cyber incident.

Partners Against Cybercrime

Historically, there has been an antagonistic relationship between the insurer and client, but in the wake of catastrophic data breaches, these two sides are now finding common ground. For instance, several insurance brokers today are requiring a holistic, pre-binding risk assessment before a company can receive a policy. This benefits both the insurer and the pre-insured by providing invaluable insights about the company’s security, often revealing unexpected weaknesses and new priorities. Some policies also tie risk assessment to financial incentive to encourage ongoing risk mitigation. This becomes a virtuous circle situation for the insured, as it gets the benefit of reduced premiums after risk maturity has been measured, which allows the company greater insight and the ability to be proactive about reducing security risks.

For decades, the bargaining power has been with the insurer. With a revised approach, and in keeping with the demands of today’s cyber landscape, the relationship between insurer and insured has become collaborative as both sides work together to identify and mitigate risk. In this way, cyber insurance becomes an avenue for companies to improve cybersecurity, not to simply offset risk.

U.S. Insurers Gearing up For Tech Growth

A study by Xchanging plc found that technology was the highest priority for 60% of respondents and an overwhelming majority, 86%, ranked it as their first or second priority. The survey also found that 67% of insurers believe their company’s IT budget will increase this year, with 44% saying it would increase significantly. The study, conducted at the Acord Loma Forum in May, found that 36% of respondents said it was most likely that big data would see an increase.

Looking Beyond Compliance When Assessing Security

For a long time now, security evangelists have railed against the dangers of relying only on checkbox compliance. They warn that if you focus too much on the list of requirements, you’re bound to miss risks that may not actually be covered in rules and regulations. That’s why organizations need to start evaluating effectiveness alongside these audits, in order to get a more holistic view into the systems they are assessing.

“Organizations are so focused on meeting the letter of the regulations and mandates that they lose sight of the risks that the individual controls in the mandates are intended to mitigate,” explained security consultant Brian Musthaler in a recent blog post.

It’s a theme revisited in a ComputerWorld article, which cited a survey showing that just 17% of organizations have what they consider a mature risk management program—i.e., one that goes beyond ticking off items on an audit list. The maturation to risk-based security, the article emphasizes, is “about a not so insignificant shift in objectives—from compliance to making systems more resilient to attack.”

The principle holds true not just when evaluating and shoring up in-house infrastructure. It also applies to how enterprises evaluate partners. As security organizations seek to find a sane way to measure the IT security stance of partners and vendors, the most common first step is to do it by following a requirements checklist or questionnaire, or by asking for an auditor’s attestation of compliance with some kind of standard. Assessment guidance from standards like the Statement on Standards for Attestation Engagements (SSAE) No. 16, ISO 27001, and FedRAMP all come to mind here.

Serving as a compendium of best practices, measuring against these standards can give good indicators of where to focus resources and are a good place to start your evaluation. The challenge is that while necessary, using these methods alone for assessing security risks is not sufficient. A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies—rarely does a questionnaire ask how many compromised servers a provider is currently running on its network. Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can’t measure the dynamic nature of the risks it is meant to assess for the duration of the business partnership. Even if a penetration test or vulnerability scan is included as part of a vendor assessment, it cannot reveal issues that may appear the following week.

Complimenting an audit with a continuous evaluation of security effectiveness allows organizations to augment their view into the security risks of the extended enterprise. In addition to gaining visibility into the weaknesses of a network, a data-driven, evidence-based assessment can allow organizations to proactively mitigate new risks as they emerge and identify issues that a regulatory audit was not designed to catch. By taking these steps, organizations can move towards a mature, risk-based security model and away from the more simple checkbox mentality.