CIO

Making the Best of BYOx

Author: Steve Durbin, Managing Director, Information Security Forum

A mere handful of years ago, many of us were jealous of that one friend or coworker who was flashing their new iPhone, a mysterious gadget we couldn’t wait to get our hands on. Fast forward to the present, less than a decade later, it seems everyone you know owns a shiny new ultrathin phablet. Billions of people worldwide use smartphones, tablets, or phablets to run their personal and professional lives. They go with us everywhere, from bedside to kitchen table to workplace. This rapid rise of consumerised mobile technology has upended everything from our most intimate relationships to broader cultural dynamics.

The ubiquity of mobile devices has also changed the workplace. Alongside the devices themselves, cloud services and mobile applications have proliferated and vastly outpaced enterprise tools in terms of innovation and ease of use. IT has lost much of its control over which devices connect to the corporate network, what applications they use, and how they download, store and share data.

IT leaders readily acknowledge that the tidal surge of bring your own devices, cloud, and applications (BYOx) can’t be stopped, yet concerns around network and data security must be addressed. The benefits are significant—connected employees are happy employees. Workers empowered by mobile devices and apps are more productive, collaborative, and innovative. Thanks to mobile technology, organisations can deliver their services and products more quickly, accurately, and flexibly—and much further afield.

But risks have mounted rapidly as well. When IT departments don’t have a comprehensive understanding of how users are connecting to and using their network and data, it is nearly impossible to track and protect critical data, provision appropriate infrastructure, and build effective defenses against hackers. IT used to “just say no” to personal laptops and unapproved software purchases. Now that this is no longer an option, security leaders have to learn how to say “yes, let’s work together” to build a safe and productive BYOx ecosystem.

Enter the Era of Bring Your Own Everything (BYOx)

As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace grows, businesses of all sizes continue to see information security risks being exploited. According to the Ponemon Institute, despite the importance of having good mobile security, 50 percent of respondents are not satisfied with the current solutions used in their organisations to secure employees’ mobile devices. In the era of BYOx, this won’t suffice.

BYOx has become a target for attackers, who take advantage of people accustomed to using their devices or cloud storage for personal purposes and who forget that they are on a corporate network. A well-organised attack, whether originating from nation states, criminals, hacktivists or rogue insiders, can exploit BYOx devices, applications and cloud-based storage as a bridgehead and means of entry into an organisation.

A Chief Information Security Officer's (CISO's) success now depends on accommodating the personalisation of IT and increasingly diverse, yet interconnected, technological ecosystems. BYOx initiatives present considerable challenges, as does the widespread adoption of social media. The modern CISO must embrace these technologies or risk being sidelined by those more agile.

Preventing new BYOx ecosystem risks will require IT departments to rapidly and effectively deploy enterprise-wide strategies, policies and management technologies. Safeguarding an organisation's data is of the utmost importance, but security measures shouldn't undermine workplace productivity and competitiveness. Empowering employees to use their own devices, applications and cloud-based storage safely and flexibly is essential to success, and helps keep workforce morale and talent retention high as well.

Bring Your Own Cloud

We've touched upon BYOD and BYOx, but what about another acronym, BYOC (Bring Your Own Cloud)? Today's global organisations need a full understanding of the extent to which they rely on cloud storage and computing. They may have data in the cloud they don't even know about. The simplicity of acquiring cloud services makes it easy for local initiatives to store information in the cloud. Outside the organisation itself, information shared with suppliers may be stored by them in the cloud, especially as small and medium enterprises (SMEs) have embraced cloud services as flexible and cost-effective solutions.

Forbidding the use of cloud services is doomed to failure. IT and information security teams should instead work with the business on finding the best solutions, embracing cloud services that can deliver what internal systems cannot. They should provide the organisation with expert advice, discussing the benefits and risks of using cloud services. Business, IT, information security and information risk management teams can work together to ensure adequate safeguards are in place. A proactive approach makes it less likely that unmanaged initiatives will bypass processes and defences.

By developing a deep understanding of the needs of the business, knowing when cloud services can meet those needs better than internal services, IT will empower the business and demonstrate agility. The organisation is less likely to be exposed to the risk of unmanaged cloud initiatives. Business units will be more aware of the risk associated with the use of cloud services and will welcome information security support in both risk management and contract terms.

Managing Risks in Today’s New Infrastructure

Clearly, an information-centric approach to managing security risks is essential; devices not issued by the company are too numerous, varied, and vulnerable to be effectively managed. Focusing on protecting information and meeting compliance requirements will keep your BYOx program usable and scalable.

BYOx policy options can be crafted to reflect an interplay of factors such as the information type, device ownership and the likelihood of access to more sensitive information. For policy controls to work, organisations must be able to trust their people to do the right thing. This is only realistic if they deploy training, monitoring and enforcement to communicate clearly what behaviours are expected. Behaviours can be difficult to change, and security awareness is often elusive.

Shift from Awareness to Embedding Behaviours

Traditionally, organisations have run security awareness initiatives, either standalone or alongside other work, to address unintentional or accidental outcomes. Their expectations were that imparting knowledge would motivate people to take information security seriously and act accordingly, thereby:

  • Preventing incidents due to human error
  • Detecting such incidents earlier
  • Providing a greater resistance to threats turning into incidents
  • Delaying the impact of an incident to allow the organisation time to respond
  • Reducing the overall impact of incidents

However, this reliance on awareness initiatives—and the vast sums that have been spent on them over recent decades—seems to have been misplaced. At best, awareness only creates knowledge, and even that can be temporary.

Like any other aspect of the business, organisations need to shift from promoting awareness of the BYOx problem to creating solutions and embedding information security behaviours that affect risk positively. Here are ten principles that the Information Security Forum has developed to help businesses embed positive information security behaviour within their organisation:

Develop a Risk-Driven Program

1. Let risk drive solutions. Ensure that each solution has a direct link to business requirements and addresses a defined risk. Using risk reduction as the driving force enables a strong baseline and measurement criteria to be defined upfront.

2. Continue to look for alternatives. By looking more closely, organisations may find that a complex system or cumbersome process is inhibiting the right behaviours. Our leading ISF Members strive to make systems and processes as simple and as user-friendly as possible.

Target Behaviour Change

3. Embed positive behaviours. People are an organisation’s biggest asset and also potentially its biggest risk. People—how they take decisions and behave in key moments—must play an essential role in strengthening organisational resilience.

4. Empower people. Winning hearts and minds changes both attitudes and mindsets. As far as possible people should be trusted, motivated and empowered—at all levels of the organisation. Information security practices then become embedded in the business culture, making information security a critical element of “how things are done around here”.

Set Realistic Expectations

5. Set a realistic timescale. There is no silver bullet. Don’t expect significant results within a month or a complete change after a year: think in terms of three to five years.

6. Aim for ‘stop and think’. Successful solutions enable people to make the right decisions – or know when to consult – when faced with the unknown. If people stop and think and take the appropriate actions in key moments, the battle is won.

Engage People on a Personal Level

7. Move from ‘tell’ to ‘sell’. Develop a strong brand and identity, and tailor solutions to people’s risk profiles where possible – ‘one size fits all’ solutions fail to engage people on a personal level.

8. Tap into the right skills. While the information security function plays a vital role in providing context and content for a solution, experts’ skills are required to define and implement distinctive solutions that people will buy into.

9. Identify and integrate champions into efforts. Top performing organisations recognise that a network of trained information security champions from within the business plays a vital role in introducing and embedding positive information security behaviours.

10. Hold people accountable. Successful organisations demonstrate that information security is important to them by rewarding good behaviours and addressing bad behaviours constructively—just as they would with any other sub-standard performance.

Don’t Get Left Behind

Like all major initiatives in an enterprise setting, careful management and inclusive collaboration are key to reaping the promised benefits of BYOx while avoiding the pitfalls. Embedding pro-security behaviours and legitimising BYOx use through policy and enforcement is a good place to start. Large companies that aren't yet embracing this new reality are already falling behind. Strategically, building leadership, expertise, and policy structures that can handle rapidly emerging and shifting technology scenarios will strengthen the security of current operations and pave the way for proactive risk mitigation and agile incident response in the future.

This article was brought to you by Enex TestLab, content directors for CSO Australia.