
Achieving uncompromising security without compromising privacy

01 Feb 2019

Article by Bitglass APAC head David Shephard 

Today’s employees expect to be able to use their personal mobile devices for business purposes.

This is helpful for the enterprise because allowing staff to perform their work duties from anywhere (at any time) enhances organisational efficiency, flexibility, and collaboration.

However, this approach to working can also be unhelpful since enabling ‘bring your own device’ (BYOD) in an unsecured fashion can introduce a number of security concerns.

While data security needs to be prioritised in the era of BYOD, pursuing it carelessly or overzealously can impede the productivity, freedom, and flexibility that organisations are working to enable.

This is an age where it is critical to achieve comprehensive cybersecurity without invading users’ privacy, hindering their mobility, or impeding their efficiency.

Naturally, this raises the question of how organisations can best accomplish it.

In their quest to protect corporate data on personal devices, most organisations turn to mobile device management (MDM) or mobile application management (MAM).

These security tools require the installation of agents on all employees’ personal devices so that IT can keep an eye on the corporate data on said endpoints.

Unfortunately, in this agent-based approach, all personal traffic on the device is also monitored.

This includes users’ private banking activity, social networking, and a whole host of other information that is irrelevant to the enterprise.

At the outset, setting up and maintaining MDM is a logistical headache.

First, IT teams have to install the software across hundreds to hundreds of thousands of devices – then they have to make sure that all agents are regularly updated and maintained.

This endeavour is hindered by the fact that employees tend to resist agents because they can invade user privacy and harm device functionality.

A recent experiment by Bitglass tested the extent to which an unscrupulous member of the IT team could potentially monitor and control a personal device without the owner’s knowledge. The study found that, by routing traffic through the same proxies used to manage devices, it’s possible to capture any browsing activity and even transmit login details back to the company in plain text.

It’s also possible to monitor outbound and inbound communications, force GPS to remain active to track locations and out-of-work habits, and remotely restrict device functionality.

If an employee were to change jobs, a company could implement a full device wipe, meaning that all data (personal contacts, photos, videos, and more) would be erased.

Times are changing, and people are increasingly concerned about the extent to which their privacy is being compromised.

With the rise of data protection regulations and the constant barrage of breaches in the news, it is understandable that privacy is a concern for both organisations and their employees.

Consequently, it came as no surprise when a study found that more than half of employees choose not to participate in their companies’ BYOD programs because of privacy concerns.

All too often, IT managers are forced to choose between having too much visibility (and invading user privacy) or having weak data and threat protection for BYO devices. Obviously, this dichotomy is not ideal.

Instead of buying into the status quo, organisations must implement a comprehensive, agentless security solution designed for BYOD environments.

These types of solutions are focused on securing corporate data wherever it goes – not locking down the devices that are used to access said data.

In light of the growing employee backlash over agent-based tools in BYOD environments, agentless technologies are needed more than ever before.

Fortunately, with agentless cloud access security brokers (CASBs), organisations can rest assured that their BYOD programs are properly secured.

While employee training and education are key components of any cybersecurity strategy, the enterprise must also leverage adaptive security technologies that can protect the growing number of attack targets (cloud apps and devices) from evolving threats.

With data-centric security, companies can thoroughly defend their sensitive information while still enabling employee productivity and flexibility.

Achieving uncompromising security without compromising user privacy creates a win-win situation for both enterprise and employee.
