Bring Your Own Network: Is Your Business Data Secure?
With the widespread adoption of BYOD (bring your own device) policies and remote work arrangements, employees are able to access company data from anywhere there's an Internet connection. Certain files and access points may only be available through a corporate connection, but in many cases, "bring your own network" (BYON) has become the new normal for today's workforce.
The benefits of being able to work without being tethered to one's desk are obvious, which is why employers have been increasingly supportive of BYOD and BYON in recent years.
"Individual users can easily set up their own access points with pretty standard technology and cheaper data plans," said Carlos Montero-Luque, chief technology officer of enterprise mobility management platform Apperian. "The convenience, lower cost and ease to set up one's personal network anywhere, anytime is very appealing to road warriors, even without deep technical expertise. Companies also benefit from the increased availability of their workforce, which is why they want to support and secure remote connection, rather than prohibit it."
Of course, you don't need to be an IT professional to realize that there are also some very serious security implications that come with BYON. It may be relatively secure for employees to log in to corporate programs from their password-protected home network, but public Wi-Fi hotspots and mobile carrier networks, as well as any data accessed through these channels, are unsecured.
"With BYON, people are utilizing corporate data and applications that may or may not be secure," said Sarah Lahav, CEO of IT service management provider SysAid Technologies. "It takes everything that once lived happily in your secure corporate firewall and puts it at risk to hackers and viruses. [It also] allows employees to bypass corporate networks to access an array of services and applications that may have otherwise been prevented by IT."
"When an employee is on an employer network, they're far more inclined to follow legitimate company practices, but when they're on their own network or device, they're more likely to do personal things," added Tim Francis, enterprise cyber lead at Travelers, a provider of cyber insurance. "If they're accessing apps and software not vetted by the company, those [programs] are more likely to bring malware with them."
While banning BYON entirely may seem like the most logical way to keep company data as secure as possible, such a policy is difficult to enforce and simply doesn't make sense for most companies at this point. Today's employees have come to expect anywhere, anytime access to their work files, and Francis noted that offering BYON as an option may be important to employee satisfaction and retention.
In terms of practicality, productivity and business costs, it's better to allow BYON than restrict all outside access to corporate files and programs, Montero-Luque said. The question then becomes how to ensure that these external networks are being accessed in a secure way. Here are a few ways to balance the benefits and risks of BYON.
Risk assessment
Before you set concrete rules for your BYON policy, you must first assess your company's current level of risk. Consider the networks and devices your employees use to access corporate data, and based on that, determine what security gaps need to be filled in.
"Take a look at how you currently address data protection," Lahav told Business News Daily. "Remember: You want to be protecting the data, not so much the device that it sits on. Ensure that your firewall can identify unapproved networks as well."
Francis advised having a series of conversations with your employees about BYON to help you determine what shape your policies should take. He also recommended speaking with your insurance provider to see if any of your current BYON risks can be mitigated with the right coverage, such as cybersecurity insurance.
"Your insurance coverage [should be] sophisticated enough to keep up with the fact that there could be compromises within the company network, but also on an employee's personal device transmitting data through a private network," Francis said.
Secured, targeted access
Implementing Virtual Private Network (VPN) access outside the corporate network is a smart, practical solution to some of the risks of BYON. Not all programs and applications an employee may use require an encrypted corporate connection, but determining which ones do based on your risk assessment can help you choose the right VPN solution.
"Device-level VPNs are both difficult to set up and inconvenient in terms of battery use, as well as unnecessary for things like basic personal browsing," Montero-Luque said. "The use of in-app VPNs via solutions such as app-wrapping enables easy, targeted encryption of sensitive communications."
Montero-Luque noted that encryption of data at rest on the device is also a key component of securing mobile-based content outside the corporate network. Tools that encrypt app data using certified encryption libraries, such as those with FIPS 140-2 certification, provide an additional layer of security that can be applied specifically to an app and its associated data.
Most importantly, consider your company's password management and login systems for corporate applications.
"Make sure that access to apps and content in a device for corporate use is limited to corporate identities that are subject to company-wide policies, such as password strength and change rules," Montero-Luque said. "The use of dynamic authentication policies extends these capabilities to deal with changes on those corporate credentials automatically and provides conveniences like shared authentication for wrapped apps and session timeouts for additional security."
Employee education
Perhaps the most important thing any employer can do to protect itself and its data from out-of-network risks is to make sure employees have a clear understanding of BYON policies. Once you've figured out the best course of action for your company, be up-front with your staff and ensure they understand what can and can't be done on noncorporate devices and networks.
"What are the security questions from an IT, user and HR standpoint?" Francis said. "Understand what works, what can and should be done on a private network, and what must never be done on a private network. IT needs [the right] resources and tech solutions in place. Some things are too important to a company's bottom line to be allowed to be vulnerable and compromised in an unencrypted network."
"BYON is like anything in the world of IT — you need to ensure that you understand the security risks out there," Lahav added. "Take the time to understand and educate yourself on the dangers and how to protect yourself against them."
Originally published on Business News Daily.