With so many employees bringing their personal devices to work, more and more employers are concerned about the security threats posed by these devices. They look to their IT departments to assurance of cloud security and stability, but is IT promising more than it can deliver?
The Challenge
The “bring your own device” (BYOD) trend has been growing for a number of years. It’s kind of like the digital version of “bring your child to work day.” But, unlike the latter, the former is introducing serious challenges to corporate networks. A recent Netskope report shows that 88 percent of cloud apps used in a BYOD environment aren’t safe or “enterprise ready.”
About 15 percent of employee credentials are being compromised on the network, which then leaks data from the network and otherwise protected computers. In fact, the report finds that 25 percent of internal documents are being pulled form the cloud and shared with third parties.
These internal documents contain anything from internal contact lists to client files to sensitive corporate documents.
Liabilities And Threats
The liability issues are astounding. When internal proprietary files are involved, a question of patent, trademark, and copyright liability arises. Is the employee responsible for leaking the documents or is that the app developer’s fault? What is the legal remedy?
When a company is damaged because of a data breach, this computer forensics agency is often called in to help piece together the case, figure out where breaches took place, and how to close security holes. But, they also help with tracking and surveillance.
This is a problem most companies aren’t aware of. Even otherwise non-malicious apps can pull private location (and other) data and track users behavior and actions. When this involves confidential meetings and document sharing, this poses a serious security and legal problem. Computer forensics can find the apps that are spying and help companies remove or block them.
When the breach involves healthcare companies and protected health information, it may create a criminal liability issue. HIPAA laws protect clients’ and patients’ personal information. But, when that personal information is leaked, the company is at risk of being sued, or worse.
Finally, malicious apps represent the most obvious threat, as they can infiltrate a network through a compromised personal device and infect the entire network, including other users’ devices. Such attacks can be initiated by an unrelated third party or a competitor. In these instances, the malicious app or code injection threatens to bring down the company’s business operations.
The Solutions
All of the solutions will involve upgraded cloud security and an implementation of new best practices for non-enterprise apps. Netskope also advises companies to discover business-critical cloud apps, secure them, with multi-factor authentication, change the way users access the network (e.g. using single sign-on for business apps), devise audit protocols, watch for anomalies like unusual sharing or downloads.
Companies can also restrict or eliminate download abilities on the network, require duel-layered networks so that employees can access non business-critical apps in a “sandboxed” environment, or restrict access to internal documents so that employees must use vetted computers or undergo additional security procedures to access them.
About the Author:
Jared Stern is the CEO of Prudential Associates, a company focused on digital forensics and investigative technical project management. He has over 24 years of experience as a private investigator licensed by the Maryland State Police, executing and managing more than 2,000 computer-related investigations at every level, including clandestine activity monitoring in civil and criminal cases, recovery of stolen data and equipment, and computer forensics and eDiscovery on networks, desktop computers, laptop computers and cell phones. Additional responsibilities have included the detection of malware/malicious code and data recovery from damaged hard drives and other devices.
