Author: Stephen Cox, Chief Security Architect and Vice President of SecureAuth
It’s the hangover security teams dread: the annual influx of holiday-gifted devices and their smiling owners. Welcome to the world of BYOD (Bring Your Own Devices). Employees are settling back into the office and bringing new devices they want to connect or use for work purposes with them. Smartphones, smartwatches, and tablets are always popular holiday gifts, but let’s call them what they are to corporations: foreign machines invading private networks. They’ve long been a concern of the vast majority of organizations, which has compelled many of them to adopt and enforce BYOD policies.
It doesn’t stop there. Internet of things (IoT) devices, unsanctioned software, and new applications can be difficult to keep off the corporate network, which can cause IT frustration and introduce a slew of new threat vectors. Attackers love insecure devices; they often accompany vulnerable users with access to sensitive corporate data and introduce new paths into the corporate network.
This creates anything but an easy start to the new year for enterprise security teams. Here are some top tips for staying safe and secure during this gadget-driven hangover.
1. Segment Your Networks
In an era of digital transformation when people are constantly connected, it may be impossible to avoid employee devices finding their way onto the corporate network. Security teams need to ensure that a comprehensive BYOD policy includes the concept of network segmentation. This may require your company to create a separate network segment that restricts access to corporate-issued devices and an “unsafe” network for personal devices (or even visitors) that doesn’t permit access to corporate information. This can help to ensure that only approved devices and users have access to the most sensitive data on the restricted network.
2. Consider A Mobile VPN
If an employee is authorized to access corporate email or store data on a new device, effective security policies are essential. Those can include setting up a mobile virtual private network (VPN). A mobile VPN creates an encrypted tunnel between the user’s mobile device and the VPN endpoint, so traffic to and from the device is protected in transit.
Using a mobile VPN protects the user even if they are working remotely. If an attacker is “listening in” on the network where the device is connected, all they will see is a stream of unusable data.
3. Control Access And Authentication
A growing number of services that companies use regularly offer multifactor authentication to help differentiate legitimate users from attackers. Internal user training can help educate employees on how to enable these features to protect themselves and their data on websites. However, an organization shouldn’t neglect its own responsibility to deploy the most secure authentication strategies. They should work to determine if a login attempt is from a legitimate user or from an attacker using stolen credentials or piggybacking on a stolen device.
Organizations should look at multiple attributes of an authentication attempt, such as the location the user is logging in from, the user’s past behavior in terms of what they’ve accessed, the user’s whereabouts on the internet (through the IP address) and the phone number associated with the user’s device. These individual risk indicators can add up to a very powerful risk profile that can increase trust without forcing overly complex passwords or arduous login sequences. This way, even if an attacker has a stolen identity or an employee’s device and attempts to gain access to the network, your company’s risk engine could detect the suspicious attempt and stop it in its tracks. Ensure your company’s risk engine is programmed to detect these attributes or that your IT team is trained to recognize them.
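The risk-profile idea above, as an added example that is not code from the article or from SecureAuth: a small risk engine scores one login attempt on the four attributes the article names (login location, past access behaviour, source IP, and the phone number tied to the device) and maps the score to allow, step-up, or deny. All weights, thresholds, and the sample profile are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class UserProfile:
    usual_countries: frozenset   # countries the user normally logs in from
    usual_resources: frozenset   # applications the user normally accesses
    known_networks: tuple        # CIDR ranges (home/office) seen before
    enrolled_phone: str          # phone number registered for the user's device

@dataclass
class LoginAttempt:
    country: str
    resource: str
    source_ip: str
    phone: str

# Constructed weights: each indicator contributes to one combined risk score.
WEIGHTS = {"new_country": 40, "unusual_resource": 20,
           "unknown_network": 25, "phone_mismatch": 30}
STEP_UP_THRESHOLD = 40   # at or above: demand an additional factor
DENY_THRESHOLD = 70      # at or above: block the attempt and alert the SOC

def risk_indicators(profile: UserProfile, attempt: LoginAttempt) -> list:
    # Each check corresponds to one attribute the article lists.
    hits = []
    if attempt.country not in profile.usual_countries:
        hits.append("new_country")
    if attempt.resource not in profile.usual_resources:
        hits.append("unusual_resource")
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in profile.known_networks):
        hits.append("unknown_network")
    if attempt.phone != profile.enrolled_phone:
        hits.append("phone_mismatch")
    return hits

def decide(profile: UserProfile, attempt: LoginAttempt) -> tuple:
    # Sum the triggered indicators and turn the score into an action.
    hits = risk_indicators(profile, attempt)
    score = sum(WEIGHTS[h] for h in hits)
    if score >= DENY_THRESHOLD:
        return "deny", score, hits
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa", score, hits
    return "allow", score, hits

# Constructed sample profile for one employee (documentation IP ranges).
ALICE = UserProfile(frozenset({"US"}), frozenset({"mail", "crm"}),
                    ("203.0.113.0/24", "198.51.100.0/24"), "+1-555-0100")
```

A stolen password used from an unfamiliar country, network, and phone trips three indicators at once and is denied, while a legitimate user touching one new application is merely asked for a second factor or allowed.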
4. Educate Your Employees
Security training is crucial to a successful cybersecurity strategy and should be reinforced after the holidays when new devices work their way into the office. Security-awareness training can equip employees with the knowledge and best practices to operate safely. Training employees during initial onboarding is a good start, but I’ve found that regular training — at least annually — is also necessary.
“Spear phishing,” in which specifically targeted employees receive tailored scam emails and notifications that appear as though they are from a trusted source, is a common tactic. In my experience, it’s an especially popular method after the holiday season because savvy attackers can disguise themselves as employees’ favorite brands and exploit that likeness to get users to click a link on unfamiliar devices — or even familiar devices, for that matter. Organizations need to be vigilant about informing their staff about this type of threat.
Cybersecurity and risk teams should also conduct periodic assessments and audits of company assets to uncover risks that would otherwise be ignored. Teams can provide additional training on “password hygiene” to discourage using the same passwords across work and personal accounts.
Help get employees into the practice of spotting and reporting suspicious activity and phishing attempts. While no one can fully secure the employee, knowledge is power — and training can help reduce risk.
Prevention Is The Best Protection
These four strategies are not foolproof but are designed to provide a level of security as new devices make their debut. You can’t stop employees from bringing foreign devices into the workplace — whether it’s their smartphone, smartwatch or smart car outside — and malicious attackers will likely never stop trying to gain access to the ever-proliferating swarm of internet-connected systems. However, you can most certainly make proactive changes now to help prevent cyber attacks this new year.
This article originally appeared in Forbes on February 1st, 2019