SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Achieving uncompromising security without compromising privacy
Fri, 1st Feb 2019

Today's employees expect to be able to use their personal mobile devices for business purposes.

This is helpful for the enterprise because allowing staff to perform their work duties from anywhere (at any time) enhances organisational efficiency, flexibility, and collaboration.

However, this approach to working can also be unhelpful since enabling 'bring your own device' (BYOD) in an unsecured fashion can introduce a number of security concerns.

While data security needs to be prioritised in the era of BYOD, pursuing it carelessly or overzealously can impede the productivity, freedom, and flexibility that organisations are working to enable.

This is an age where it is critical to achieve comprehensive cybersecurity without invading users' privacy, hindering their mobility, or impeding their efficiency.

Naturally, this raises a question about how organisations can best accomplish this.

In their quest to protect corporate data on personal devices, most organisations turn to mobile device management (MDM) or mobile application management (MAM).

These security tools require the installation of agents on all employees' personal devices so that IT can keep an eye on the corporate data on said endpoints.

Unfortunately, in this agent-based approach, all personal traffic on the device is also monitored.

This includes users' private banking activity, social networking, and a whole host of other information that is irrelevant to the enterprise.

At the outset, setting up and maintaining MDM is a logistical headache.

First, IT teams have to install the software across anywhere from hundreds to hundreds of thousands of devices – then they have to make sure that all agents are regularly updated and maintained.

This endeavour is hindered by the fact that employees tend to resist agents because they can invade user privacy and harm device functionality.

A recent experiment by Bitglass tested the extent to which an unscrupulous member of the IT team could potentially monitor and control a personal device without the owner's knowledge. The study found that, by routing traffic through the same proxies used to manage devices, it's possible to capture any browsing activity and even transmit login details back to the company in plain text.

It's also possible to monitor outbound and inbound communications, force GPS to remain active to track locations and out-of-work habits, and remotely restrict device functionality.

If an employee were to change jobs, a company could implement a full device wipe, meaning that all data (personal contacts, photos, videos, and more) would be erased.

Times are changing, and people are increasingly concerned about the extent to which their privacy is being compromised.

With the rise of data protection regulations and the constant barrage of breaches in the news, it is understandable that privacy is a concern for both organisations and their employees.

Consequently, it came as no surprise when a study found that more than half of employees choose not to participate in their companies' BYOD programs because of privacy concerns.

All too often, IT managers are forced to choose between having too much visibility (and invading user privacy) or having weak data and threat protection for BYO devices. Obviously, this dichotomy is not ideal.

Instead of buying into the status quo, organisations must implement a comprehensive, agentless security solution designed for BYOD environments.

These types of solutions are focused on securing corporate data wherever it goes – not locking down the devices that are used to access said data.

In light of the growing employee backlash over agent-based tools in BYOD environments, agentless technologies are more needed than ever before.

Fortunately, with agentless cloud access security brokers (CASBs), organisations can rest assured that their BYOD programs are properly secured.

While employee training and education are key components of any cybersecurity strategy, the enterprise must also leverage adaptive security technologies that can protect the growing number of attack targets (cloud apps and devices) from evolving threats.

With data-centric security, companies can thoroughly defend their sensitive information while still enabling employee productivity and flexibility.

Achieving uncompromising security without compromising user privacy creates a win-win situation for both enterprise and employee.