The theft of sensitive data costs the US and UK economies tens of billions or more in lost revenue, according to the Information Security Forum. In this connected, mobile business environment, the conduits for data theft can come in various forms, one of the most prevalent being insecure, open and unmanaged smart phone or tablet devices, courtesy of the growing Bring Your Own Device (BYOD) phenomenon.
Companies are becoming increasingly concerned about the risks these devices pose to the confidentiality, integrity and accessibility of their sensitive enterprise data. The way to manage this is to ensure that the right person is accessing the right information on the right device and that access can be prevented in the case of loss, theft, or when an employee leaves the organisation.
Yet despite rising security risks associated with the BYOD trend – which allows employees to bring and register personal devices to the corporate network – companies are increasingly adopting it as a policy because they can see the cost saving, flexibility and ease of use benefits.
However, many firms have no way of knowing or recognising an unauthorised device registered to their network, leaving data open to compromise. In the event of a breach, companies may have to answer to the Information Commissioner’s Office (ICO), which can impose hefty fines on firms that do not comply with the latest security mandates, in addition to dealing with the cost to the business itself.
Implementing identity and access technology will help companies overcome the latest BYOD, regulation and compliance challenges. This technology provides known and trusted individuals with a set of credentials – their unique ‘digital fingerprint’ – that is then issued to mobile devices. The most effective approach for this today involves two-factor authentication – ‘something I have’ (typically a physical smart card or security token) and ‘something I know’ (a PIN).
Large companies guarding vast amounts of sensitive data have traditionally been the first to implement this technology. However, SMBs are shying away from this approach because of the upfront costs of issuing and deploying physical smart cards and smart card readers. With often restricted IT budgets, many SMBs simply forgo security at the end point – the device – sticking instead to insecure passwords. With 275 businesses in Europe having lost a combined 72,000 laptops over the past year, this is a very risky security strategy.
However, the launch of Windows 8 offers a new promise to SMBs looking to seize the benefits of identity management and two-factor authentication without the associated costs. The Windows 8 release introduces the concept of a virtual smart card (VSC), which makes use of the TPM (trusted platform module) – a dedicated secure hardware processor built into the majority of PCs available today. TPMs secure the virtual smart card, binding it to the device, and offer security benefits similar to a physical smart card, without the inconvenience of having to plug one into a smart card reader.
While the VSC approach exists with Windows 8 devices, mobile credentials provisioned to VSCs still need to be managed from issuance to end of life. This means SMBs must be able to issue them to a known user on a known device, and to reset, revoke and recover identity credentials in the event of loss or theft of the machine.
When considering implementing a mobile credential management solution, support for multiple platforms and devices such as Android, Blackberry, Apple and Windows in a BYOD environment is also a key factor. Furthermore, ease of use for both employees and the business is a must. Features that enable credentials to be issued via Near Field Communications (NFC) technology and managed via a secure app on the device would help ensure usability and, therefore, maximum impact.
In order to benefit from the BYOD trend without leaving data vulnerable, SMBs must implement a robust security solution that has at its heart two-factor authentication and mobile credential management. This security is no longer a nice-to-have but a necessity for firms that want to avoid the reputational, IP and ICO fine costs to the business from data loss or theft.