How to Ensure Your 'BYOD' Doesn't Promote a Cyber Attack
Imagine Having a Stranger Inside Your Home for Six Months Before You Even Notice?
Creepy? Yep. That’s what hackers do to companies. They weasel their way into networks and stay there for months, collecting private data, before the company knows they are there.
Businesses are coming to realize that they can no longer keep hackers at bay with current (old?) technology. Things need to be stepped up a few notches, and many companies may be turning to guerrilla warfare from within their networks in an effort to fight back.
Last week, US insurer Anthem became the latest victim. Anthem, the second largest US health insurer by market value, said hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack. The information stolen includes names, birthdates, Social Security numbers, medical IDs, street addresses, emails, and employee data, including income.
The Anthem breach is the biggest in the healthcare industry since Chinese hackers stole Social Security numbers, names and addresses from 4.5 million patients of Community Health Systems, the second biggest for-profit hospital chain, last year. The Anthem attack is on a similar scale to the hacks of customer data from Target and Home Depot last year in terms of the number of people affected.
Worldwide spending on IT security was about $90 billion last year. It is estimated that cybersecurity spending on critical infrastructure alone, such as banks, energy and defence, will reach $140 billion by 2020.
One thing that is transforming the landscape is that corporations allow employees to use their own mobile devices, phones and tablets, at work. Employees are also able to access services like Facebook and Gmail from their office computers. All this offers attackers extra opportunities to gain access to a company’s network.
The Bring Your Own Device (BYOD) phenomenon isn’t just limited to North America, nor exclusively to large organizations. Globally, a staggering 89% of IT leaders from enterprise and mid-size organizations support BYOD in some form. And 69% view BYOD as either somewhat or extremely positive. These are very high numbers. Organizations around the globe are embracing BYOD and this will have profound implications on how an organization provisions devices, controls network access, and fights cyber-crime.
To keep up with the growing trend, a successful BYOD policy needs to be implemented carefully, boosting positive outcomes and mitigating risk.
Control Level: With employees accessing the organization’s network with their personal devices, it’s essential that the organization maintains a level of control over who has access to its network and data.
Ownership & Disclaimer: Your BYOD policy needs to state clearly who owns the data that is stored on employees’ devices, and what can be done with that data. It should be very clear that the organization owns the data and has the ability to remove the data from the device.
Lost or Stolen Devices: An organization’s policy should clearly state what happens if a device is lost or stolen. The employee should immediately notify the organization, and the organization has the right to wipe all data.
Privacy Expectations: Your organization’s policy should disclose the extent to which the employer will have access to employees’ personal data and emphasize that the organization cannot guarantee employee privacy for those who opt into BYOD.
Compliance with the Law: Your BYOD policy should address general compliance with laws and regulations specific to your industry.
Cost: Your BYOD policy should be clear on any expectations regarding after-hours use to prevent wage claims.
Confidentiality: Your organization’s BYOD policy should reiterate that employees must abide by all company policies relating to organization, client and vendor information.
Employee Consent: As with any organization-wide policy, it’s recommended that the organization gets its employees to attest to the BYOD policy in writing.
Employee Termination: Your policy should clearly state what procedures happen in the event of employee resignations or terminations, in terms of BYOD devices and the data stored on them.
Cyber attacks are just another reminder of the persistent threats we face. The future is seeing more attacks against healthcare companies as these are repositories of personal information that can be used for all kinds of fraud. Social Security numbers are the worst kind of data to have stolen, because they are difficult to change and are used pervasively, especially for access to medical care, government services and opening new lines of credit. Guess what, we do that on our mobile devices.
What does your BYOD policy look like? How strong is it? Is your organization under threat from a cyber attack? What does your cyber attack prevention program look like?