Your Cybersecurity To-Do List

The king of rock and roll, Elvis, was famous for “Taking Care of Business” (the name he gave his band). But when it comes to your cybersecurity dashboard, do you have the right metrics and visibility to mount a proper cyber defense and take care of business? Or are your cyber optics just along for the ride?

No matter how many news stories about hacks, information theft and cyber espionage surface within your Facebook or Twitter feed, the idea that a major problem could happen to your organization sometimes remains just that, an abstraction. Many companies do not devote the proper resources to safeguarding their networks, even though the global cost of cybercrime will reach $2 trillion by 2019, three times the amount in 2015.

Don’t wait for cybercrime to find you — remember that the best defense is always a good offense. Maintaining a successful security strategy requires dedication and delivering on a strategy that supports all functions of an organization. Security is a company-wide issue, and quantifiable metrics not only unify language but also demonstrate success.

Keep Your Eyes on the Prize

Your team can’t catch what they don’t see. Sounds like a catchy song lyric, doesn’t it? Maintaining a comprehensive view of the entire organization means more than just access to networks and systems. It requires an understanding of typical user behaviors and data traffic patterns, plus an awareness of corporate protocols as they relate to remote users and servers.

Proper visibility throughout an organization necessitates laser focus on:

BYOD (Bring Your Own Device) protocol and management: Most organizations have policies around personal devices brought from home. These may or may not be followed, so a closer eye on device usage throughout the organization is warranted.

Email traffic: Did you know that in the third quarter of 2016 alone, 18 million new malware samples were captured? Viruses via email remain a top concern for security teams.

Social and internet traffic: It’s likely that most employees in your organization use social media, perhaps even to promote the business. Prevent these channels from becoming an avenue for fraud or damage to the brand.

Unusual user behaviors: Understanding your organization’s user behaviors is key to spotting abnormal patterns. Communicate clear policies and expectations for employees and enforce compliance to avoid accidental missteps and catch genuine incidents.

Cloud applications and virtual servers: Internet-based applications create functional and productivity tools for an organization, but they put data at risk. Careful monitoring and protective firewall construction prevent easy access for hackers.

The Best Metrics: Keep It Simple

Create a security plan with goals that are understood and supported by the whole company. Measurement offers a clear and concise method of presenting critical information, so it’s important to measure the right statistics.

Communicate on stats and data aligned with business objectives to gain the support of your employees and create a common language that everyone can understand. Focus on answering the following questions:

How are we doing compared with our peers? In today’s business environment, understanding how successfully your organization prevents data loss or theft compared with other companies in your vertical provides a clear perspective on how your strategy is working.

How quickly are we able to respond to a breach? Your response plan for a potential security incident is a critical factor in recovering from a cybercrime. Remember, it’s not IF you are breached, it’s when. Recognition of an incident, isolation of the breach and recovery are the crucial steps to preventing widespread loss of private data. Two of the effective security metrics Secure Anchor uses with our clients are “dwell time” and “lateral movement.” Dwell time answers the question: how long did it take you to find and contain a breach? Lateral movement describes how well you were (or were not) able to prevent the cyber adversary from moving throughout your network.

Are we getting better? Cybersecurity is never “done.” Regular audits of security processes and breach protocols provide the opportunity to improve and excel. Make sure your executive board is cognizant of the evolving journey.

Are we spending enough (or too much) money? Aligning security technology and human resources with return on investment can be tricky, but budget allocations are a realistic pain point for many security departments and must be addressed.

Creating and maintaining a thorough view of an organization’s user, network and system traffic allows a security team to design a blueprint to a comprehensive security strategy. Communicating that plan and measuring its success require the right metrics to align IT with business and prevent widespread damage from information thieves.

Be a cybersecurity rock star. Just like any musician, you’ll have your big hits and your flops. But when you can see where you’re going, with the right visibility into your systems, you will be TCB, takin’ care of business.

Pokémon Go Highlights Disruptive Technology

If you hear employees talking about spending their stardust and candies, chances are they’re caught up in the latest pop culture fixation: Pokémon Go. The mobile phone game sensation has fans roaming the country with their handhelds out to capture the “Pocket Monsters” scattered virtually throughout the real world.

The kid in me chuckles at this innovative use of augmented reality (AR) technology. But my cyber risk side looks at AR and sees potential issues involving malware, privacy, data disclosure and employee safety.

Real-World Risks

Computer and online games become instant targets for malware, through such things as fake and cracked versions in app stores. Hackers could gain control over a phone and thus a wealth of data about its user. For companies with bring your own device (BYOD) programs, enterprise email accounts and other data could be exposed.

Of course, BYOD risks are not limited to Pokémon Go. For example, sensitive information can be exposed through employees’ social media postings and other activities. But apps that are addictive and seemingly innocent can blind users to the risks of downloading.

AR technology combines elements of the digital and physical worlds into a single view, allowing data, text or images to be superimposed on a live video feed. In Pokémon Go, AR allows for the game map to align with a real-world map and players to find and even photograph their monsters in physical locations.

What if a Pokémon is located inside your company’s office? If a user shares a photo or screenshot of such a location, it poses a risk of inadvertent loss of sensitive company or customer information. And there are issues around invasion of privacy for people/places that don’t want to be involved in the game.

Managing Risk

As surely as Pikachu evolves into Raichu, technology like AR will morph and bring new risks. Businesses may try to block or limit employees’ access to AR and similar technology, but that may only provide temporary relief before the next threat emerges.

So as with all cyber risks, when it comes to Pokémon Go, organizations should make sure they don’t focus only on prevention. Among the steps to bolster response and recovery, businesses can:

  • Educate employees about the risks.
  • Conduct regular cyber risk assessments and audits to identify threats and assets at risk.
  • Develop and test disaster recovery, business continuity and incident response plans in conjunction with law enforcement, regulators and others.
  • Purchase cyber insurance to deal with the inevitable risks that slip through the cracks.

AR and other disruptive technologies are here to stay and promise to benefit companies and consumers. Risk professionals will need to be nimble as they manage the accompanying risks.

Your Device Is Private? Ask Tom Brady

However you feel about Tom Brady, the Patriots and football air pressure, today is a learning moment about cell phones and evidence. If you think the NFL had no business demanding the quarterback’s personal cell phone—and, by extension, that your company has no business demanding to see your cell phone—you’re probably wrong. In fact, your company may very well find itself legally obligated to take data from your private cell phone.

New Norm

Welcome to the wacky world of BYOD—bring your own device. The intermingling of personal and work data on devices has created a legal mess for corporations that won’t be cleared up soon. BYOD is a really big deal—nearly three-quarters of all companies now allow workers to connect with private devices, or plan to soon. For now, you should presume that if you use a personal computer or cell phone to access company files or email, that gadget may very well be subject to discovery requirements.

First, let’s get this out of the way: Anyone who thinks Tom Brady’s alleged destruction of his personal cell phone represents obstruction of justice is falling for the NFL’s misdirection play. That news was obviously leaked on purpose to make folks think Brady is a bad guy. But even he couldn’t be dumb enough to think destruction of a handset was tantamount to destruction of text message evidence. That’s not how things work in the connected world. The messages might persist on the recipients’ phones and on the carriers’ servers, easily accessible with a court order. The leak was just designed to distract people. (And I’m a Giants fan with a fan’s dislike of the Patriots.)

But back to the main point: I’ve heard folks say that the NFL had no right to ask Brady to turn over his personal cell phone. “Right” is a vague term here, because we are still really talking about an employment dispute, and I don’t know all the terms of NFL players’ employment contracts. But here’s what you need to know:

Technology and the Law

There’s a pretty well-established set of court rulings that hold that employers facing a civil or criminal case must produce data on employees’ personal computers and gadgets if the employer has good reason to believe there might be relevant work data on them.

Practically speaking, that can mean taking a phone or a computer away from a worker and making an image of it to preserve any evidence that might exist. That doesn’t give the employer carte blanche to examine everything on the phone, but it does create pretty wide latitude to examine anything that might be relevant to a case. For example: In a workplace discrimination case, lawyers might examine (and surrender) text messages, photos, websites visited and so on.

It’s not a right, it’s a duty. In fact, when I first examined this issue for NBCNews, Michael R. Overly, a technology law expert in Los Angeles, told me he knew of a case where a company actually was sanctioned by a court for failing to search devices during discovery.

Work Gets Personal

“People’s lives revolve around their phone, and they are going to become more and more of a target in litigation,” Overly said then. “Employees really do need to understand that.”

There is really only one way to avoid this perilous state of affairs—use two cell phones, and never mix business with personal. Even that is a challenge, as the temptation to check work email with a personal phone is great, particularly when cell phone batteries die so frequently.

The moral of the story: The definition of “personal” is shrinking all the time, even if you don’t believe Tom Brady shrank those footballs.

For further reading: here’s a nice summary of case law.