Poor BYOD strategy could result in enterprise data loss, warns ISF
A poorly implemented BYOD strategy could result in accidental data disclosures due to a porous boundary between work and personal data, and as a result of more business information being held in an unprotected manner on consumer devices, warned the Information Security Forum.
"The potential risks include misuse of the device itself, outside exploitation of software vulnerabilities and the deployment of poorly tested, unreliable business apps. The question of who owns the device can also have legal ramifications on mobile device management and the remote wiping of devices should the need arise," ISF explained in a recent BYOD security report.
The ISF recommended that enterprises put in place working practices, usage policies and management tools to lessen the security risks from BYOD. Enterprises should create a BYOD framework that includes a device provision mechanism, as well as device ownership, corporate access and acceptable use policies.
Enterprises should provide employee training on device security and policies, as well as monitor device usage and enforce policy through disciplinary or financial sanctions. In addition, firms should employ technology such as anti-malware protection, firewalls and storage encryption; enforce complex passwords; and enable remote maintenance, upgrades and device wipes through a mobile device management system, the forum advised.
ISF is predicting that enterprises will also face increased security threats to their data in the cloud, supply chain and big data.
"We recommend thinking about threats in the context of the most valuable resources in your organization, consider which threats are most likely to create significant risk and which could have considerable impact. Finally, share these threats and resilience based approaches to mitigating risk with senior management and other functions such as risk management, risk committees and business continuity planning teams," said Steve Durbin, global vice president of the ISF.
ISF warned that external attacks on the cloud will increase in 2013. While a number of enterprises are implementing strategies for cloud computing security and compliance, businesses still have a ways to go in certain areas, because many enterprises still do not know where they have cloud implemented across their business.
From structured and unstructured data within the network of enterprise PCs and servers to consumer-friendly smartphones, laptops and storage devices that introduce new data management challenges, businesses can easily be overwhelmed by the risks posed by big data. Securing both the data inputs and big data outputs presents a key challenge that can not only impact potential business campaigns and opportunities but also have far-reaching legal implications.
ISF warned that enterprises could fall victim to information security incidents at their suppliers. From bank account details held by payroll providers to product plans being shared with creative agencies, enterprise data is increasingly spread across many parties. While the IT function can provide an inventory of all data it holds, it is difficult to do that throughout the supply chain, ISF noted.
- see ISF's release