BYOD security: One password is not enough

Analysts at the cloud services provider Bitglass recently surfaced a troubling data point about bring-your-own-device security: more than one-quarter of organizations rely solely on user-chosen passwords to protect BYOD devices. During the most recent Gartner Symposium in Orlando, Bitglass representatives surveyed more than 200 information technology specialists about the BYOD data security policies in place at their respective firms. Approximately 28 percent said only passwords stood between cybercriminals and employee devices.

This finding is troubling on its own, and the Bitglass analysts turned up further complications. For example, the firm found that 75 percent of respondents' organizations relied on on-premises firewalls to protect their BYOD assets – an approach Info Security magazine described as outdated and dangerous for enterprise mobile security, since a personal device that spends most of its time outside the corporate network is rarely behind that firewall at all.

"Enterprises often misjudge the effectiveness of traditional security solutions, many of which are readily bypassed," Rich Campagna, CEO for Bitglass, told the publication. "The BYOD boom exposes organizations to risks that can only be mitigated with data-centric solutions that secure access." 

Indeed, businesses with existing BYOD policies, as well as those considering one, must move beyond password-only and firewall-only data security and adopt more modern controls. What might those be? Here are some of the most effective BYOD data security approaches in use today – approaches that go well beyond user-chosen passwords and on-premises firewalls.

Implement encryption
Encryption is perhaps the most powerful method for protecting BYOD devices and the data that flows through them. It transforms information so that only parties holding the right key can read it; to anyone else, a stolen copy is unintelligible. For IT teams with limited resources, this may seem like a lot to ask. How can internal technical specialists implement effective BYOD encryption? There are enterprise applications built for exactly that, according to TechTarget. These solutions, called mobile content management (MCM) systems, handle the encryption of corporate content on the device. Most IT teams use MCM software in combination with mobile application management (MAM) platforms, which let businesses isolate sensitive data so it cannot be read by other applications, including Trojans that resemble legitimate mobile tools but are actually designed to siphon off data or implant malware.

Additionally, when evaluating encryption software or services, organizations should look for offerings that encrypt data at the disk level, ethical hacker David Howard told Digital Guardian. This means everything written to the device's on-board storage and disk volumes is encrypted, so a lost or stolen device yields nothing readable without the key. Note the limit of this control: disk-level encryption protects data at rest, but once the device is unlocked, applications running on it see the decrypted data, which is why it is paired with the application-level isolation described above rather than used alone.

Address application usage
Enterprise mobile strategies are popular because they bring application usage into the workplace. Mobile apps have proven transformative in the consumer space, letting smartphone users streamline once time-consuming tasks like banking or hailing a cab. Now, businesses looking for similar efficiency gains are turning to BYOD and supporting widespread mobile device and application use. Most employees have welcomed the trend, seeking to simplify their workdays via smartphone applications and perhaps advance within their firms or free up time. On the surface, the adoption of enterprise mobile applications looks like a win-win. However, it poses serious data security risks.


Cybercriminals take advantage of application-friendly employees and employers by publishing fraudulent apps that harbor malware. They hope to entice users to install these programs, which are designed to infect the device, spread into corporate networks and open the data floodgates. Unfortunately, the tactic is common. For instance, Apple removed more than 300 compromised applications from its App Store in 2015 after they were found to contain malicious code, according to Wired.

For businesses, fraudulent applications carry disastrous consequences: a single download can give an attacker a foothold on the network or expose sensitive corporate, customer or employee data. For this reason, firms must monitor application usage and put systems in place to prevent users from installing fraudulent mobile tools, according to the Identity Theft Resource Center. How? Training is an important part of the answer, but it should reinforce technical controls rather than replace them: restricting installations to the official app stores, or to an approved list enforced through the mobile application management platform, prevents the mistake instead of relying on every user to avoid it. Internal IT groups should still give end users the knowledge they need to recognize fraudulent applications, most effectively through well-vetted best practices, and should encourage scrutiny when browsing application stores, as a few minutes of research on the user's part can save the organization millions.

Promote strong password strategy
While passwords alone cannot stave off modern attackers, strong ones make unauthorized entry harder and may deter cybercriminals probing the enterprise mobile perimeter. Unfortunately, most employees do not choose strong passwords. Earlier this year, analysts at password management firm SplashData reviewed a randomized sample of more than 5 million leaked credentials found in underground online marketplaces. Nearly 10 percent of them used weak passwords, ranging from '12345' to the ubiquitous 'admin,' a default that lazy administrators and developers never change. In short, most workers cannot be relied on to produce effective passwords unaided. With this in mind, internal IT must step in to promote established best practices for formulating credentials.

Data security experts have long offered password advice that still holds up today. For example, most encourage users to focus on length – passwords between 12 and 15 characters are ideal – and to spread digits and special characters through the password rather than clustering them, Wired reported. Length does more for strength than any composition rule, and screening candidates against lists of known-breached passwords catches the '12345' and 'admin' cases outright.

"Put your digits, symbols, and capital letters spread throughout the middle of your password, not at the beginning or end," Federal Trade Commission Chief Technologist and Carnegie Mellon University computer science professor Lorrie Faith Cranor told the publication. "Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters."
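As an added illustration (not code from the original article or from Bitglass), the following Python checker applies the advice above to candidate passwords: it enforces the 12-character floor, screens against a common-password list, and flags Cranor's pattern of digits, symbols and capitals clustered only at the beginning or end. The common-password list and the sample candidates are constructed for the example; a real deployment would screen against a full breached-password corpus.

```python
import string
from typing import List

# Constructed sample of widely reused weak passwords, for illustration only.
# A real deployment would screen against a full list of breached passwords.
COMMON_PASSWORDS = {
    "123456", "12345", "password", "admin", "qwerty", "letmein",
    "welcome", "111111", "iloveyou", "abc123", "monkey", "dragon",
}

MIN_LENGTH = 12  # lower end of the 12 to 15 characters the article suggests
_DECORATION = string.digits + string.punctuation


def _is_special(c: str) -> bool:
    """Digits, symbols and capitals are the characters users tend to tack
    onto the ends of an otherwise plain word."""
    return c.isdigit() or c.isupper() or c in string.punctuation


def _core(pw: str) -> str:
    """The password with leading and trailing digits/symbols removed, e.g.
    'Password1!' -> 'Password'. This is what a cracker's rule set recovers
    first. Falls back to the whole password if nothing is left."""
    return pw.strip(_DECORATION) or pw


def specials_only_at_ends(pw: str) -> bool:
    """True when every digit, symbol or capital sits at the start or the end
    of the password (the 'very little benefit' pattern quoted above).
    Returns False for passwords with no special characters at all."""
    if not any(_is_special(c) for c in pw):
        return False
    core = _core(pw)
    interior_digit_or_symbol = any(c.isdigit() or c in string.punctuation for c in core)
    # A capital at position 0 counts as 'at the beginning'; any other capital is interior.
    interior_capital = any(c.isupper() for c in core[1:])
    return not (interior_digit_or_symbol or interior_capital)


def assess_password(pw: str) -> List[str]:
    """Return a list of findings; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short: {len(pw)} characters, want at least {MIN_LENGTH}")
    core = _core(pw).lower()
    if core in COMMON_PASSWORDS:
        findings.append(f"built on the common password '{core}'")
    if specials_only_at_ends(pw):
        findings.append("digits, symbols and capitals only at the ends add little strength")
    return findings


def is_acceptable(pw: str) -> bool:
    return not assess_password(pw)


if __name__ == "__main__":
    # Constructed candidates: three weak patterns and one that passes.
    for candidate in ["Password1!", "admin", "Summer2017!!", "c0rrect-H0rse_battery9"]:
        print(f"{candidate!r}: {assess_password(candidate) or 'OK'}")
```

The core-stripping step is the point of the example: 'Password1!' and 'Summer2017!!' satisfy a typical "one capital, one digit, one symbol" composition rule yet fail here, because removing the decoration from the ends leaves a dictionary word that any rule-based cracker tries first.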

In addition to equipping employees with knowledge like this, IT teams should amend their own policies, most notably those on password updates. Traditionally, businesses have forced end users to change their credentials every few months, believing periodic changes improve security. They generally do not. Forced rotation pushes users toward predictable variations of the old password, such as incrementing a digit or swapping a suffix, which an attacker who knows the old one can guess easily. Administrators should let workers keep strong passwords in place and require a change when there is evidence of compromise, since asking for new iterations on a schedule breeds apathy and lazily drafted credentials.

Moving forward with IT modernization
The Bitglass survey shows there is considerable room for improvement in securing enterprise mobile devices, which are steadily becoming the lifeblood of modern business. By the end of 2017, organizations worldwide will have put more than 3 billion new connected devices into service, according to research from Gartner, and an additional 4 billion are likely to follow in 2018. With these developments on the horizon, firms must ramp up their mobile efforts, including those related to device protection and management. That said, some companies may not be in a position to fully embrace mobile workflows or the security strategies required to defend them. For enterprises in this position, ground-up IT modernization might be required.

The team at Inventu Corporation can help with these efforts. Our innovative Flynet Viewer simplifies screen integration, easing the modernization process while meeting employer and staff expectations in a way that feels both familiar and simple. Review our product page to learn more about the Inventu Flynet Viewer and the other solutions in our extensive product portfolio.