All those smart phones and tablets under the Christmas tree inevitably mean a lot of new devices on the network – and plenty of accompanying security risks.
Got a shiny new tablet for Christmas that you just know will make life at work easier? Not so fast, especially if you're a government employee.
While a number of agencies are testing out bring-your-own-device programs, and some have policies in place, BYOD remains in a cautious early phase. But whether the users are in the public or private sector, the post-holiday surge in new smart phones and tablets inevitably means a lot of new devices on the network – and plenty of accompanying security risks.
"When new devices go on the network, they provide new angles for malicious activity both on the network and in government data," said Faisal Iqbal, systems engineering director for public sector at IT firm Citrix. "The first key thing is to have a policy that will either physically allow or prohibit certain devices. If there's no policy, users will try to get on the network and try out their devices, and may expose vulnerabilities in the network or VPN and potentially cause a breach. Policy is key to understanding what employees are allowed and not allowed to do."
Having rules in place is critical, but challenges still remain. At the federal level, there can even be conflicting policies, as well as competing priorities.
"With senior leadership, they want things now, they want [the device] fast, and they want it to be able to do what they want it to do, not necessarily what the policy wants it to do," Maj. Linus Barloon, chief of cyber operations division in the J3 directorate and cyberspace officer in the Air Force's White House Communications Agency, said at an AFCEA mobility event in November. "We have to understand our user environment, where we have users to support that are military so we have to follow the [Defense Department] policies. But we also have users to support following federal policies, such as with the Secret Service and [the White House]. When I look at the environment from my perspective, it's very blurry."
To help clear things up, particularly as agencies and companies begin to see a wave of new devices on their networks, there are steps that can be taken to mitigate risk while still yielding mobility's benefits, including increased productivity and cost savings.
For one, old devices should be taken off the network.
"We've noticed movement immediately, across all of our numbers, of new-device registrations going up around and just after Christmas, and staying up for weeks," said David Lingenfelter, information security officer at Fiberlink Communications, a mobile and security management company. "We're seeing a lot of new devices put on the network in addition to existing ones, but we're not seeing the removal that we should be seeing. There needs to be more education about removing and wiping devices and corporate information."
Failure to wipe the devices means that adversaries could gain access to whatever may have been used on that phone – an iTunes account, banking information or other sensitive data.
Some other tips Lingenfelter offered:
- Have your IT department configure your new device to get your corporate data. An enterprise mobility management solution can automatically push down your corporate email, applications and documents. If you don't have an EMM solution, ask your IT department to assist with the set-up.
- Extract personal data from your device. Now that your corporate data has been transferred to the new device, save all personal files from your old device. This can be accomplished with the native tools and back-up services of the operative system or the manufacturer, such as Apple's iCloud or Google Drive.
- Erase all remaining personal and corporate data. Fully decommission the old device by removing all personal and corporate data. Make sure to delete all data.
- Don't forget to wipe, if necessary. The factory data reset function on an Android or the reset function on an iPhone or iPad are a good way to wipe all data before retiring a mobile device, or passing it on to another family member. Remember to check with your IT department prior to performing a reset if you are enrolled in a BYOD program.
- Don't forget about the SD card. This can be a common oversight, and it's important to remember that some mobile devices are configured to save data on an SD Card, which can contain sensitive information. When you deactivate a phone, any SD cards should be removed.
Looking beyond the incorporation of new devices, containerization features that keep work and personal apps separate are gaining momentum in the federal government, and the concept of guest networks that allow carefully managed access is beginning to gain traction.
Whatever the policy, it is worthwhile to find a way to make some form of BYOD work.
"Not creating policies means losing out from a productivity perspective. And it allows agencies to forgo costs of purchasing on the government's dime," Iqbal said. "Folks bring in pre-configured devices, keep in touch, work from anywhere and really change the face of the agency that has adopted mobility. It's a way to save costs and increase productivity literally overnight – it's an opportunity."
NEXT STORY: IG nominee faces 'warring camps' at DHS