Daily Mirror (Sri Lanka)

Fortinet advises CISOs to mitigate BYOD and BYOA risks

Fortinet, a global leader in broad, integrated and automated cyber security solutions, warned chief information security officers (CISOs) that the significant rise of bring-your-own-device (BYOD) and bring-your-own-application (BYOA) usage among today’s mobile workforce across Asia Pacific (APAC) is exposing corporate networks to more complex cyber security issues through shadow IT, data leakage and the cloud.

Employees now expect to have their mobile devices with them at all times, and to be able to access the information they need to perform their job from their devices at any location. To meet these needs, firms are increasingly allowing staff to connect to the corporate network from their personal devices, with little control over application use.

According to IDC Asia Pacific’s Enterprise Mobility Survey 2017, BYOD has become the primary choice in organisations, with 31 percent preferring this approach compared to 19 percent in 2015. Meanwhile, a recent Global Market Insights report projected the global BYOD market size to be valued at US$366.95 billion by 2022, with APAC forecast to be the fastest growing region at 20.8 percent CAGR.

“Enterprises large and small are going mobile,” said Fortinet India and SAARC Regional Vice President Rajesh Maurya. “While embracing BYOD and BYOA will certainly bring cost reduction, increased employee productivity and efficiency as well as employee retention, there are significant risks in allowing unprotected devices and applications to access corporate networks and digital resources.”

A recent industry survey has revealed that about 65 percent of organizations are now allowing personal devices to connect to corporate networks, with 95 percent of CIOs stating concern over emails being stored on personal devices, and 94 percent being worried about enterprise information stored in mobile applications.

To benefit from BYOD and BYOA without compromising network security or losing visibility into classified data use, Sri Lankan organisations must address three major cyber security concerns:

Shadow IT: Strict policies on the applications and services employees are allowed to use on their devices can result in staff circumventing this security protocol to acquire solutions that will help them do their job more efficiently. This can present a major security risk, as IT teams struggle to secure data on applications they do not know about, or ensure that these applications are updated with the latest patches. If data on employees’ devices is breached, it is unlikely that IT teams will know about it and be able to implement proper incident response protocols.

Data leakage: Data leakage refers to the unauthorised movement of corporate data from the secured data centre to an unauthorised device or location. This often occurs when employees transfer files between corporate and personal devices, or when they have access to privileged data not essential to their roles. As cloud and SaaS application use becomes more common and the number of connected endpoints increases, IT teams often lose visibility into data use and movement. To minimise data leakage, CISOs should consider implementing access controls and network segmentation that give clear visibility into how data is used and moved both across the network perimeter and laterally across the network.

Application security: On average, organisations have 216 applications running within their organisation, not taking into account personal applications stored on employee-owned devices. As these endpoints and applications converge and connect to the network, in-depth application security is necessary. This is especially true in cloud-based applications, where it can be difficult for IT teams to enforce the standard security policies of their organisations.

“To ensure data security in the age of the mobile workforce, CISOs have to take a layered approach to security that provides visibility into data movement across the network.

“Specifically, this security protocol should incorporate application security, endpoint security, network segmentation and cloud security, in addition to standard network perimeter defenses such as firewalls,” added Maurya.
