Update 4-April-2013: The report initially linked to in this story has been removed by the US Department of Defense. Presumably a modified version will appear at the same URL, and so the link has been left in place. Warning, the contents may have changed...
On March 26th, the Inspector General released a report on the effects of BYOD (bring your own device) on the U.S. military.
Among the report's findings:
- Mobile devices were not secured to protect stored information.
- The US Department of Defense (DOD) did not have the ability to wipe devices that were lost or stolen.
- Sensitive data was allowed to be stored on commercial mobile devices acting as removable media.
- DOD did not train users and did not have them sign user agreements.
- The Army CIO was unaware of more than 14,000 mobile devices used throughout the Army.
This from an entity that seems to have policies and regulations for everything.
The Army did implement a good policy regarding geotagging a while back, realizing the risk that came with soldiers taking pictures that automatically had location information embedded in metadata.
However, given the lack of management of the devices, how would the military know for sure that the geotagging has been disabled?
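One way to answer that question for photos that have already left the device is to audit the files themselves: a geotagged JPEG carries a GPS IFD inside its Exif segment, and its presence can be checked without any image library. The following is an added example, not code from the original article or from the Army, using only the Python standard library; the JPEG builder constructs a minimal sample file (with and without a GPS block) so the check runs offline.

```python
import struct

GPS_IFD_POINTER = 0x8825            # Exif tag in IFD0 that points at the GPS IFD
GPS_LOCATION_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
                     0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def _read_ifd(tiff, offset, end):
    """Return {tag: (type, count, value_or_offset_bytes)} for the IFD at `offset`."""
    n = struct.unpack_from(end + "H", tiff, offset)[0]
    entries = {}
    for i in range(n):
        tag, typ, cnt, val = struct.unpack_from(end + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, cnt, val)
    return entries

def find_gps_tags(jpeg):
    """Names of GPS location tags carried in a JPEG's Exif segment ([] means no geotag)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:            # start of scan: no further metadata segments follow
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + length]
            end = "<" if tiff[:2] == b"II" else ">"    # TIFF byte order of the Exif block
            ifd0 = _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
            if GPS_IFD_POINTER not in ifd0:
                return []
            gps_ifd = _read_ifd(tiff, struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])[0], end)
            return [GPS_LOCATION_TAGS[t] for t in sorted(gps_ifd) if t in GPS_LOCATION_TAGS]
        pos += 2 + length
    return []

def build_sample_jpeg(with_gps):
    """Constructed sample: a minimal JPEG whose Exif block optionally carries a GPS IFD."""
    if with_gps:
        # IFD0 (offset 8, 18 bytes) holds one entry: the pointer to the GPS IFD at offset 26
        ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + b"\x00" * 4
        gps_entries = [(0x0001, 2, 2, b"N\x00\x00\x00"), (0x0002, 5, 3, struct.pack("<I", 80)),
                       (0x0003, 2, 2, b"W\x00\x00\x00"), (0x0004, 5, 3, struct.pack("<I", 104))]
        gps = (struct.pack("<H", 4) + b"".join(struct.pack("<HHI4s", *e) for e in gps_entries)
               + b"\x00" * 4 + struct.pack("<12I", 38, 1, 53, 1, 23, 1, 77, 1, 2, 1, 11, 1))
    else:
        ifd0 = struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00") + b"\x00" * 4
        gps = b""
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `find_gps_tags(open(path, "rb").read())` over a shared folder of photos and any non-empty result marks a device whose geotagging was not, in fact, disabled.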
And if the United States Army, with all the endless policies, is having a difficult time with BYOD, how is a small or medium-sized business going to cope?
Why does this all matter?
Answer: Data loss. Stolen data is massive business for the bad guys. A phone left in a cab or at an airport can be a goldmine of sensitive information. Consider the case of the US Secret Service contractor who left two tapes of sensitive data on the DC Metro train.
What crook wouldn't have loved to have gotten a hold of two databases full of juicy personal information of agency employees, contractors and possibly informants? It's just another example that even the most "security conscious" people have forgetful moments, or moments of distraction and can easily leave something behind.
Last year, Sophos did an informal study and found that 42% of lost mobile devices aren't protected with any security measures.
Now of that number, 20% had access to business email, which could contain confidential information. Small businesses are even more at risk - just because you are small doesn't make you less of a target.
We have written several articles about handling smartphones in a business before, and have provided some sage advice on how to implement BYOD, but how do you create a BYOD policy?
Where's the best place to start? Sophos CTO Gerhard Eschelbeck outlines the following tips in a recent whitepaper.
7 steps to a BYOD security plan
- Identify the risk elements that BYOD introduces. Measure how the risk can impact your business and map the risk elements to regulations, where applicable.
- Form a committee to embrace BYOD and understand the risks, including business stakeholders, IT stakeholders and information security stakeholders.
- Decide how to enforce policies for any and all devices connecting to your network including mobile devices (smartphones), tablets (e.g., iPad) and portable computers (laptops, netbooks, ultrabooks).
- Build a project plan to include these capabilities:
  - Remote device management
  - Application control
  - Policy compliance and audit reports
  - Data and device encryption
  - Augmenting cloud storage security
  - Wiping devices when retired
  - Revoking access to devices when the end-user relationship changes from employee to guest
  - Revoking access to devices when employees are terminated by the company
- Evaluate solutions. Consider the impact on your existing network and how to enhance existing technologies prior to the next step.
- Implement solutions. Begin with a pilot group from each of the stakeholders' departments. Expand pilot to departments based on your organizational criteria. Open BYOD program to all employees.
- Periodically reassess solutions. Include vendors and trusted advisors. Look at roadmaps entering your next assessment period. Consider cost-saving group plans if practical.
Regardless of how big or small your 'army' is, securing your organization's devices and the data on those devices is at the front line of maintaining a strong IT security defense.