Several new trends in information access are impacting organisations’ ability to control and secure sensitive corporate data. The increase in web applications, cloud computing and SaaS services and the bring your own device (BYOD) phenomenon means employees, business partners and customers are increasingly accessing information using a web browser on a device not owned or managed by the organisation.
According to a recent survey by Harris Interactive and ESET, more than 80 percent of professionals use some kind of personally owned electronic device for work-related functions. One of the primary advantages in allowing employees to use their personal devices for work is that it increases efficiency and flexibility.
By giving access to the corporate network and information, work can be achieved anywhere and anytime, using any endpoint. It also provides cost savings to organisations, since personal device usage means they don’t need to provide or manage mobile devices for their employees.
The survey also highlighted that 47 percent of employees use personal desktop computers to access or store company information, while 41 percent do this with personal laptops, 24 percent with smartphones and 10 percent with tablets. However, with less than half of these devices being protected by basic security measures, organisations should be concerned that the security challenges associated with BYOD far outweigh the benefits.
BYOD: beyond smartphones
Corporate data is delivered to devices that are not managed by the IT department, which has security implications for data leakage, data theft and regulatory compliance and therefore is a major challenge for organisations. With unmanaged devices, enterprises have less control, visibility, and mitigation options. BYOD includes more than just smart phones.
It also includes employees logging into web applications such as Outlook Web Access and SharePoint, SaaS applications such as CRM systems or healthcare billing applications hosted in cloud services from a home desktop or laptop computer. Laptops, smart phones and tablets that connect to corporate networks significantly increase threats to sensitive data.
Organisations should therefore be concerned about the security state of endpoint devices and the risks to which they are exposed. Keyloggers, malware and cyberattacks have greatly increased the potential for unauthorised access to, and information theft from, endpoints. The potential consequences, such as data leakage and malware infection, reinforce the need to enhance the security of corporate data.
A malicious employee can easily steal company trade secrets, intellectual property or sensitive customer information by saving it locally or to a cloud service, sending it through accounts in Dropbox and YouSendIt or emailing it via a personal Webmail account. Organisations must control the data after it’s delivered to the device in order to prevent accidental or intentional loss by careless and malicious end users.
Furthermore, with the combination of web, cloud-based and SaaS applications with BYOD, web browsers have become the common interface for accessing the information that drives business activity. Many organisations may not be aware of how pervasive the use of browser-based file sharing applications has become. Organisations therefore also need a security strategy that explicitly accommodates this browser-based model of information access.
Mobile device vulnerabilities
Malware is increasingly being written to collect information, and users who install a variety of applications, including games and social networking apps, on their mobile devices can be putting their data at risk. With access to the corporate network through unmanaged devices, a careless employee can inadvertently leak information simply by saving a file opened from Webmail or SharePoint to the local file system, from which it can easily be stolen by a malware application designed to read the SD card on the mobile device.
Malware written for mobile devices is an increasing threat, mainly for Android but also for jailbroken iPhones. In much the same way that Windows' larger market share attracts a greater number of threats than Apple or Linux, Android's growing market share is attracting an increasing number of mobile malware threats. And unlike the iPhone's proprietary system, Android's open platform makes it much easier for developers to write malicious applications.
While most organisations would agree that allowing employees to use mobile devices is critical to helping them meet their business objectives, they must handle the data security challenges that come with BYOD. To safeguard corporate data from both external and internal threats, organisations need to take proactive steps to ensure that every mobile device that accesses the corporate network has the appropriate security controls installed.
Traditional versus new
It’s no surprise IT professionals are struggling to secure corporate data. Nearly every enterprise today has a range of security technologies, such as authentication, SSL and TLS encryption, firewalls, identity and access management and intrusion prevention systems to control and protect information traveling to and from the data center and endpoint device. Yet these traditional security strategies are increasingly under attack.
For example, the recent Flame malware, whose purpose is to steal data and keystrokes and to record conversations, carried a fake certificate and used a hash collision to impersonate Microsoft's update servers. Other technical problems with SSL, such as the difficulty of generating good random numbers when creating certificates, make it easier to compromise security. Enterprise web, cloud and SaaS applications deliver sensitive data securely through the SSL-encrypted tunnel, but on delivery at the endpoint the data is decrypted and exposed to internal and external threats from malware and end users.
IT professionals need visibility into endpoint security to ensure all security gaps are covered. For example, even if antivirus software is current, it is not effective against malware such as man-in-the-browser (MitB) attacks. MitB malware sits in the web browser between the user and the website, altering information without the user or standard security software detecting any problem. This malware has spawned a variant known as man-in-the-mobile, which operates on mobile devices in a similar manner. MitB malware and its man-in-the-mobile variant can also steal user login and password credentials, putting web-based corporate data at risk.
Protect your most sensitive data
It is clear organisations need to educate their end users. Many data leaks caused by insiders are due to careless, not malicious users. Ensure that employees understand security policies and take the proper security precautions.
To counter sophisticated threats, organisations should also employ a layered security strategy that provides access to corporate information, reduces risk and maintains compliance. When it comes to sensitive information, the focus must go beyond authorised and unauthorised users and extend data protection from storage through transport to delivery on the endpoint to prevent sensitive data loss.
Organisations need to stop making a distinction between devices in the corporate network and devices outside of it, and focus instead on protecting their information. They must compartmentalise access to sensitive information, employ better audit logging and log analysis, and deploy security solutions that are designed to support current BYOD strategies, such as those that can control the replication of data.
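As an added illustration of the audit logging and replication-control points above (example code, not the article's own): a small Python review of constructed access-log lines that flags confidential downloads to unmanaged devices and bursts of downloads from one user. The log layout, the sensitivity labels and the thresholds are assumptions made for this example.

```python
"""Audit-log review for BYOD access: constructed example, not the article's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed layout (tab-separated):
# timestamp, user, device_managed, action, resource, sensitivity
SAMPLE_LOG = """\
2024-03-04T09:00:10\talice\tmanaged\tview\t/sites/finance/q1-forecast.xlsx\tconfidential
2024-03-04T09:02:41\tbob\tunmanaged\tdownload\t/sites/hr/salaries.xlsx\tconfidential
2024-03-04T09:05:00\tbob\tunmanaged\tdownload\t/sites/hr/policy.pdf\tinternal
2024-03-04T09:06:30\tbob\tunmanaged\tdownload\t/sites/hr/org-chart.pdf\tinternal
2024-03-04T09:07:15\tbob\tunmanaged\tdownload\t/sites/hr/handbook.pdf\tinternal
2024-03-04T11:30:00\tcarol\tmanaged\tdownload\t/sites/legal/contract.docx\tconfidential
"""

BULK_THRESHOLD = 3                    # downloads to unmanaged devices ...
BULK_WINDOW = timedelta(minutes=10)   # ... within this sliding window (assumed values)


def parse_log(text):
    """Turn the assumed tab-separated records into dicts with parsed timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, managed, action, resource, sensitivity = line.split("\t")
        records.append({
            "ts": datetime.fromisoformat(ts), "user": user,
            "managed": managed == "managed", "action": action,
            "resource": resource, "sensitivity": sensitivity,
        })
    return records


def find_alerts(records):
    """Return (rule, user, detail) tuples for data replicated to unmanaged devices."""
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of recent unmanaged downloads
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["managed"] or r["action"] != "download":
            continue   # viewing in-browser, or a managed device, is within policy here
        if r["sensitivity"] == "confidential":
            alerts.append(("confidential-to-unmanaged", r["user"], r["resource"]))
        # keep only downloads inside the window, then check whether the burst threshold was just hit
        recent[r["user"]] = [t for t in recent[r["user"]] + [r["ts"]] if r["ts"] - t <= BULK_WINDOW]
        if len(recent[r["user"]]) == BULK_THRESHOLD:
            alerts.append(("bulk-download-unmanaged", r["user"],
                           f"{BULK_THRESHOLD} downloads in {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

The bulk rule fires once, when the threshold is first reached, so a long burst produces one alert rather than one per file.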