IT Risk Assessment for BYOD Assignments Solution
More and more corporations are implementing Bring Your Own Device (BYOD) policies, which allow employees to use their own electronic devices such as laptop computers, tablet PCs and smartphones to carry out their official duties and responsibilities. Employees therefore work from private terminals, which presents risks to the organization's information assets, including leakage of the corporation's information technology and leakage of employees' personal and confidential information. Organizations therefore require a well-designed cyber security framework to protect their information system resources from these potential threats.
Adopting BYOD brings an organization numerous benefits, including improved productivity, reduced costs, more efficient work and convenience. However, implementing BYOD in an organization also carries various risks, including information theft, data leakage, network availability problems, loss of application security and legal liability.
Information is vital to an organization's operations, strategic objectives and brand, and is also of critical value to the clients and consumers who use the organization's products and services. Information can therefore be considered an organizational asset: it has a value, it faces threats, and it has vulnerabilities that those threats can exploit to harm the asset and the organization as a whole.
An organization's information assets must be protected from these risks by implementing a range of security strategies. To understand the risks that BYOD policies and processes pose to an organization's information assets, a risk assessment must be undertaken to establish the threats, the key threat agents, the vulnerabilities they exploit and their potential impact on the assets.
The organization should develop a BYOD policy containing the procedures and regulations to be followed when personal devices are used at the workplace. Other strategies include strongly encrypting the organization's data that is accessed through mobile devices and encrypting the data in transit. The organization should ensure that operating systems and system software are updated regularly, and the IT administrator should ensure that users of personal mobile devices keep their antivirus software and authentication measures up to date.
Various tools and techniques should also be implemented, including application containerization software, which runs applications in isolation and prevents other applications from accessing their data. Data Loss Prevention (DLP) techniques allow network administrators to monitor employees' activities on the network, locate the source of any security breach and respond quickly to that threat.
An organization should therefore not shy away from the use of personal devices in the workplace because of the threats BYOD poses to its information assets; instead, it should develop and implement a strategy to prevent and mitigate the risks of BYOD policies and practices.
The essential benefits of undertaking a risk assessment of the organization's information system are outlined below:
Risk assessment identifies the potential vulnerabilities that attackers could use to access the organization's information assets.
Risk assessment results in the adoption of more secure practices, solutions and policies, and guides the implementation of the information security strategy that best suits the organization.
Risk assessment justifies security investments by presenting a fair analysis of the cost of information security measures against the potential losses from breaches of the information assets.
A key aspect of risk assessment is identifying the threats and determining their likelihood of occurrence. A threat is a physical or logical process that has the potential to negatively impact an organization's operations, information and systems. In developing an information security strategy and undertaking a risk assessment, the first essential step is to identify and understand the information assets that require protection. An organization's information assets affect integrity, confidentiality and availability, and support the institution's mission, vision and strategic objectives (Boranbayev, Mazhitov & Kakhanov, 2015).
The information system assets of an organization are namely:
1. Human resources: personal data of staff and reports.
2. Legal: contracts and internal documentation, confidential information on staff.
3. Finance and economics: financial information and procurement documentation.
4. Information technology: databases, logins and passwords, IT management information and copyright in IT developments.
5. Research: product test results and ongoing research.
The role of this step in the risk assessment is to identify potential threats to the information system. Risks in an information system arise when flaws in the system or its surrounding environment are exploited by threat agents.
The risk identification process consists of three core aspects:
1. Identification of potential threats that could harm the information system
2. Identification of vulnerabilities within the system’s components that could be exploited by the threats
3. Combination of the threats and the vulnerabilities to identify the risks to which the information system is exposed
The threat agents facing an organization as a result of BYOD policies and practices are elaborated below.
1. Malware
The most persistent and dangerous threat to a corporate information system is malware. The number of malware families has increased rapidly over the past few years (Beckett, 2014). Adopting BYOD means the IT department loses control over the mobile devices used by employees, so accidental malware infections go undetected. In a BYOD environment, malware exploits existing vulnerabilities in employees' mobile devices to steal the corporation's confidential data.
2. Insecure Wireless Networks
In BYOD, employees can connect through networks such as public wireless networks and home networks. The configuration of these networks outside the office is unknown and not under the organization's information security control, yet the organization's information assets are accessed through them. Through such insecure communication channels, traffic can be intercepted to steal or corrupt the organization's information assets.
3. Fake Certificate Authorities
Certificate-based authentication is widely used on the internet to authenticate computers; certificates are normally issued by certificate authorities (CAs) that are supposed to be trustworthy. Mobile devices usually ship with factory-preloaded CA credentials but also allow the user to remove existing ones or add their own (Vignesh & Asha, 2015). In a BYOD context, an employee may be deceived into adding fake CA credentials or an impersonated trusted digital certificate to the mobile device, which an attacker then uses to steal sensitive corporate data.
4. Phishing Scams
Phishing scams delivered by email are becoming more common in the cybercrime world, since they are supported by unacknowledged employee collaboration environments such as social networks and cloud services, where they spread with ease (Densham, 2015). A well-crafted phishing email can be used by scammers to evade traditional network security frameworks and steal the company's information. In BYOD, device protection is left to the employee, so attackers can use phishing scams without difficulty or detection to access the company's sensitive and critical information assets.
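The mitigation for this threat is that a corporate app should not rely on the device-wide, user-editable CA store at all. The following is an added example (not code from the assignment or from any cited work) showing, with Go's standard library, how an app can carry its own copy of the corporate root and a set of SPKI pins, so that a certificate issued by a CA the user was tricked into installing is rejected even though the device's general store would accept it. All CAs, keys, the host name `intranet.example.corp` and the pin set are constructed inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with the parent's key (self-signed when parentKey is nil) and
// returns the parsed certificate and its private key. Constructed test material, not a real PKI.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil { // self-signed CA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
}

func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, the value an app pins.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyForApp validates a server certificate the way a hardened corporate app should: the
// chain must end at the corporate CA bundled with the app (not at whatever the device's
// user-editable store contains) and the server's public key must be in the pin set.
func verifyForApp(leaf *x509.Certificate, corpRoots *x509.CertPool, host string, pins map[string]bool) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: corpRoots, DNSName: host}); err != nil {
		return fmt.Errorf("chain does not end at the corporate CA: %w", err)
	}
	if !pins[spkiPin(leaf)] {
		return fmt.Errorf("server public key is not pinned")
	}
	return nil
}

// Outcome records how each trust model treats the genuine and the look-alike certificate.
type Outcome struct {
	GenuineAccepted      bool // the app accepts the real intranet certificate
	RogueAccepted        bool // the app accepts the rogue-CA certificate
	RogueTrustedByDevice bool // the device-wide store (with the user-added CA) accepts it
}

// runScenario models a rogue CA the user was tricked into installing; CA and host names are constructed.
func runScenario() Outcome {
	const host = "intranet.example.corp"
	corpCA, corpKey := makeCert(caTemplate("Example Corp Root CA"), nil, nil)
	rogueCA, rogueKey := makeCert(caTemplate("Free Wi-Fi Root CA"), nil, nil)
	genuine, _ := makeCert(serverTemplate(host), corpCA, corpKey)
	fake, _ := makeCert(serverTemplate(host), rogueCA, rogueKey)

	corpRoots := x509.NewCertPool() // what the app ships with
	corpRoots.AddCert(corpCA)
	pins := map[string]bool{spkiPin(genuine): true}

	deviceStore := x509.NewCertPool() // factory CAs plus the one the user added
	deviceStore.AddCert(corpCA)
	deviceStore.AddCert(rogueCA)
	_, devErr := fake.Verify(x509.VerifyOptions{Roots: deviceStore, DNSName: host})

	return Outcome{
		GenuineAccepted:      verifyForApp(genuine, corpRoots, host, pins) == nil,
		RogueAccepted:        verifyForApp(fake, corpRoots, host, pins) == nil,
		RogueTrustedByDevice: devErr == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

The point of the scenario is the third field: once the rogue CA is in the device store, the operating system's own checks pass the look-alike certificate, so only the app's private root bundle and pin set stand between the user and the interception the text describes. Pins must be rotated with the server key, so real deployments keep a backup pin for the next key.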
5. Malicious Mobile Applications
In a BYOD context, employees can install unauthorized, non-corporate applications either for leisure or to assist with their work (Morrow, 2012). Such applications can be used by attackers to steal or disclose private corporate information. On rooted devices, malicious applications can obtain additional privileges, which they can use to send spam and exfiltrate sensitive data to outsiders.
6. Social Engineering
The broad adoption of mobile devices supported by BYOD policies and practices has made it easy for scammers to spread malware through spam email and social networks (Tzoumas, 2013). Due to a lack of security awareness, employees may, during their leisure time, access social media or open scam emails, which then results in infection of the corporate information network.
7. Personal and Corporate Information Mixture
Employees use their own devices to conduct personal business and keep in contact with family and friends, while at the same time using them to access corporate databases, servers and networks for their work. Also, in BYOD, IT administrators cannot monitor illegal actions on corporate data (Yang, Vlas, Yang & Vlas, 2013). The mixture of personal and corporate information can affect the integrity of the corporate information because the two kinds of data are difficult to separate.
8. Using Personal Cloud Services for information sharing
An employee uses the mobile device for personal as well as corporate purposes, and may end up storing corporate information in personal cloud storage. Personal cloud storage is used to increase availability and flexibility for accessing both personal and corporate information. Cloud services can be hacked, so sharing information through them may expose confidential corporate information to corruption and unauthorized disclosure (Romer, 2014). Employees can also modify or share corporate data, impacting the information's confidentiality and integrity.
9. Uncontrolled Introduction of Heterogeneous Devices
The variety of mobile devices used by employees to access the organization's information assets increases the threat to confidential information. The support the IT department can give may be ineffective because of incompatibility between the organization's configurations and applications and the fragmented operating systems and hardware of the devices (Chang, Ho & Chang, 2014). The resulting lack of proper IT control and monitoring of mobile devices leads to unauthorized access to sensitive corporate information.
10. Stolen and Lost Mobile Devices
An employee's mobile device may be lost or stolen while it is still logged on or has the “remember password” feature enabled, in which case corporate information can be accessed by outsiders. Also, some employees keep corporate data even after termination; if the employee is vengeful, this can result in exposure of corporate information and intellectual property violations (Beckett, 2014).
Employee Habits as a Vulnerability
The primary vulnerability in a BYOD context is the user. Employees' habits are exploited by intruders to lure them into accessing social networks, opening a phishing email during their leisure time or installing a particular application. These activities give intruders unauthorized access to corporate information, which they then steal, contaminate or disclose, compromising the integrity, availability and confidentiality of the corporation's sensitive information.
Lack of Privilege to Stop an Ongoing Application Installation
In some Android applications used on mobile devices, the user does not have the right to terminate an application installation once it has been initiated (Tarle, 2015). An intruder can attach malware to an application and wait for the user to install it.
Dated Software and Missing Security Patches
Another vulnerability in BYOD is the use of outdated software and uninstalled security patches (Mishra, Mathur, Jain & Rathore, 2013). This gives intruders easy access to steal or contaminate the organization's data.
Some employees use the “remember password” feature when logging into their corporate accounts on their mobile devices; this becomes a vulnerability when the device is lost or stolen.
Consequences of BYOD Threats
In risk assessment, the consequences of information system threats can be expressed as loss of trust (integrity), loss of privacy (confidentiality), loss of service and loss of an asset. The consequences of BYOD threats to an organization's information assets are discussed below.
Information Disclosure or Leakage (Loss of confidentiality)
The mixture of corporate and personal information on a mobile device exposes the organization's information to threats that can lead to disclosure, compromising its confidentiality. Spoofing and tampering are also threat vectors: for example, spoofing of databases, cloud services and web applications can result in corporate information being diverted and stored in intruders' repositories, and tampering attacks such as XSS can capture database access credentials, which are then used to gain unauthorized access to databases (Aphale, Borikar, Kardile, Vasekar & Shital, 2015). Information travelling over an insecure channel can be stolen by an intruder through sniffing or interception. Figure 1 shows the different threats that result in information disclosure in an organization.
Figure 1: BYOD threats’ interactions that result in information disclosure
Information Contamination or Corruption (Loss of integrity)
The core consequence of BYOD attacks is information contamination, which compromises information integrity. Contamination arises from threats enabled by employees' habits when accessing corporate information. Corporate databases can be corrupted through tampering threats (Aphale et al., 2015).
Figure 2: BYOD threats’ interactions that result in information contamination
Once the organization's information assets have been identified and the threats listed, the impact of each threat occurring must be assessed. The impact of a particular threat is evaluated on levels designated as less serious, serious and exceptionally grave.
Table 1: Impact assessment framework
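The third step of risk identification (combining threats with the vulnerabilities they exploit) and the impact levels above can be carried out as a small risk register. The following is an added example written for this page, not a tool from the assignment or any cited source: it pairs each threat with the vulnerabilities it exploits, scores each pair as likelihood times impact using the page's three impact levels, and ranks the result. The threat and vulnerability names are taken from the sections above; the likelihood values, the impact assignments and the score thresholds used for priority tiers are constructed for illustration and would come from the organization's own assessment.

```go
package main

import (
	"fmt"
	"sort"
)

// Impact uses the three levels of the impact assessment framework in the text.
type Impact int

const (
	LessSerious        Impact = 1
	Serious            Impact = 2
	ExceptionallyGrave Impact = 3
)

func (i Impact) String() string {
	return map[Impact]string{LessSerious: "less serious", Serious: "serious", ExceptionallyGrave: "exceptionally grave"}[i]
}

// Threat names a threat agent, the vulnerabilities it exploits and a 1-5 likelihood estimate.
type Threat struct {
	Name       string
	Exploits   []string
	Likelihood int
}

// Risk is one threat/vulnerability pair against an asset, scored as likelihood x impact.
type Risk struct {
	Threat, Vulnerability, Asset string
	Likelihood                   int
	Impact                       Impact
	Score                        int
}

// Register performs the "combination" step: every threat is paired with each vulnerability
// it exploits, scored against the impact it would have on the asset, and ranked high to low.
// Threats with no impact entry default to the lowest level so they are still listed.
func Register(threats []Threat, impact map[string]Impact, asset string) []Risk {
	var out []Risk
	for _, t := range threats {
		imp, ok := impact[t.Name]
		if !ok {
			imp = LessSerious
		}
		for _, v := range t.Exploits {
			out = append(out, Risk{t.Name, v, asset, t.Likelihood, imp, t.Likelihood * int(imp)})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// Priority maps a score (1..15) to a treatment tier; the thresholds are constructed.
func Priority(score int) string {
	switch {
	case score >= 10:
		return "treat immediately"
	case score >= 5:
		return "plan mitigation"
	default:
		return "accept and monitor"
	}
}

func main() {
	// Constructed sample register using threats and vulnerabilities from the text.
	threats := []Threat{
		{"Malware", []string{"Employee habits", "Dated software and missing patches"}, 4},
		{"Phishing", []string{"Employee habits"}, 5},
		{"Stolen or lost device", []string{"Remember-password feature"}, 3},
	}
	impact := map[string]Impact{"Malware": ExceptionallyGrave, "Phishing": Serious, "Stolen or lost device": Serious}
	for _, r := range Register(threats, impact, "Corporate databases") {
		fmt.Printf("%-22s via %-36s likelihood %d, impact %-19s score %2d -> %s\n",
			r.Threat, r.Vulnerability, r.Likelihood, r.Impact, r.Score, Priority(r.Score))
	}
}
```

Because the same vulnerability (employee habits) appears under several threats, the register makes visible that a single control such as awareness training reduces more than one of the top-ranked risks, which is the kind of prioritization the cost-versus-loss argument above depends on.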
BYOD Protection mechanisms for Information Security
Device and User Authentication
Password-based authentication or other authentication techniques should be required when accessing the organization's information resources. The authentication process should allow only a limited number of input retries before the device automatically locks or, depending on the settings, before its storage is wiped (Pritchard, 2014).
The IT administrator should be able to remotely reset the device if it automatically locks out or when an employee forgets the password.
If the device is idle for a set period, it should lock automatically to prevent an unauthorized individual from snooping if the device was left displaying corporate data.
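The three rules above (limited retries, administrator reset and idle lock) interact, so it helps to see them as one state machine. The following is an added example, not code from the assignment or from a real MDM product: it models a device lock that enforces a temporary lockout after a run of wrong PINs, wipes after a larger run, locks on inactivity, and lets an administrator clear a lockout and set a new PIN. The policy numbers and PINs are constructed; a real agent would hold the PIN verifier in the hardware keystore rather than a hash in memory.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

type LockState int

const (
	Unlocked LockState = iota
	Locked             // a valid PIN is required (idle lock or retry lockout)
	Wiped              // local storage erased; only re-enrolment can recover the device
)

func (s LockState) String() string { return [...]string{"unlocked", "locked", "wiped"}[s] }

// LockPolicy holds the values an MDM profile would push to the device (numbers are constructed).
type LockPolicy struct {
	MaxRetries   int           // consecutive failures before a temporary lockout (must be > 0)
	WipeAfter    int           // consecutive failures before storage is wiped
	IdleTimeout  time.Duration // inactivity before the screen locks
	LockDuration time.Duration // length of each retry lockout
}

type Device struct {
	policy      LockPolicy
	pinHash     [32]byte // stand-in for a keystore-backed verifier
	failures    int
	state       LockState
	lockedUntil time.Time
	lastActive  time.Time
}

func NewDevice(p LockPolicy, pin string, now time.Time) *Device {
	return &Device{policy: p, pinHash: sha256.Sum256([]byte(pin)), state: Locked, lastActive: now}
}

// Tick applies the idle timeout; an MDM agent would call it on a timer.
func (d *Device) Tick(now time.Time) LockState {
	if d.state == Unlocked && now.Sub(d.lastActive) >= d.policy.IdleTimeout {
		d.state = Locked
	}
	return d.state
}

// Unlock evaluates one PIN entry against the retry, lockout and wipe rules.
func (d *Device) Unlock(pin string, now time.Time) LockState {
	if d.state == Wiped || now.Before(d.lockedUntil) {
		return d.state // wiped, or still inside a lockout window: the PIN is not even evaluated
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) == 1 {
		d.failures, d.state, d.lastActive = 0, Unlocked, now
		return d.state
	}
	d.failures++
	d.state = Locked
	switch {
	case d.failures >= d.policy.WipeAfter:
		d.RemoteWipe()
	case d.policy.MaxRetries > 0 && d.failures%d.policy.MaxRetries == 0:
		d.lockedUntil = now.Add(d.policy.LockDuration)
	}
	return d.state
}

// RemoteWipe erases the credential and storage; triggered by the failure threshold or an admin command.
func (d *Device) RemoteWipe() {
	d.pinHash = [32]byte{}
	d.state = Wiped
}

// AdminReset lets IT clear a lockout and set a fresh PIN for a user who forgot theirs.
func (d *Device) AdminReset(newPin string, now time.Time) {
	if d.state == Wiped {
		return
	}
	d.pinHash = sha256.Sum256([]byte(newPin))
	d.failures, d.lockedUntil, d.state, d.lastActive = 0, time.Time{}, Locked, now
}

func (d *Device) State() LockState { return d.state }

func main() {
	p := LockPolicy{MaxRetries: 3, WipeAfter: 6, IdleTimeout: 5 * time.Minute, LockDuration: time.Minute}
	now := time.Now()
	d := NewDevice(p, "2468", now)
	for i := 0; i < 3; i++ {
		fmt.Println("wrong PIN ->", d.Unlock("0000", now))
	}
	fmt.Println("correct PIN during lockout ->", d.Unlock("2468", now))
	fmt.Println("correct PIN after lockout  ->", d.Unlock("2468", now.Add(time.Minute)))
	fmt.Println("after 6 idle minutes       ->", d.Tick(now.Add(7*time.Minute)))
}
```

Two details matter for the wipe rule: attempts made during a lockout window are not counted, so the counter reflects real guesses rather than a retry loop, and the failure counter only resets on a correct PIN or an administrator reset, so spreading guesses over time does not evade the threshold.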
Data communication and Storage
Strongly encrypt the organization's data that is accessed through the mobile device, and also encrypt the data in transit.
Strongly encrypt the organization's data stored on both the built-in storage and removable storage. To mitigate offline attacks on removable media, the media can be bound to a specific device so that it can only be decrypted when attached to that device (Sadgrove, 2016).
Implement the capability to remotely wipe a mobile device's storage when it is stolen or lost. The device can also be configured to erase itself automatically after a set number of failed authentication attempts.
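Binding removable storage to one device and making a remote wipe effective are the same mechanism seen from two sides: the data key is derived from something only that device holds, and wiping means destroying that key. The following is an added example, not code from the assignment or any cited work, using Go's standard AES-GCM: files on the card are sealed with a key derived from the user's secret and the device identity, so the same secret on another device (or the card read in a desktop reader) cannot decrypt them, and `Wipe` discards the key so every sealed file becomes unreadable. The device identity is a plain string here as a stand-in for a value a real implementation would take from the hardware-backed keystore; the secret, device names and sample file are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// BoundStore encrypts files on a removable card with a key that exists only on one device.
type BoundStore struct {
	aead cipher.AEAD // nil once the key has been wiped
}

// deriveKey mixes the user's secret with the device identity, so the same secret on a
// different device yields a different, useless key. The device identity is a constructed
// stand-in for a keystore-protected value.
func deriveKey(userSecret []byte, deviceID string) []byte {
	m := hmac.New(sha256.New, userSecret)
	m.Write([]byte("byod-removable-storage-v1|" + deviceID))
	return m.Sum(nil) // 32 bytes -> AES-256
}

func NewBoundStore(userSecret []byte, deviceID string) (*BoundStore, error) {
	block, err := aes.NewCipher(deriveKey(userSecret, deviceID))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &BoundStore{aead: aead}, nil
}

// Seal encrypts and authenticates one file; the random nonce is stored in front of the ciphertext.
func (s *BoundStore) Seal(plaintext []byte) ([]byte, error) {
	if s.aead == nil {
		return nil, errors.New("store has been wiped")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a file written by Seal; it fails on the wrong device, after a wipe,
// or if the stored bytes were altered (GCM authenticates the ciphertext).
func (s *BoundStore) Open(blob []byte) ([]byte, error) {
	if s.aead == nil {
		return nil, errors.New("store has been wiped")
	}
	n := s.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], nil)
}

// Wipe is what a remote-wipe command or the failed-attempt threshold triggers:
// discarding the key makes every sealed file on the card unreadable without
// having to overwrite the card itself.
func (s *BoundStore) Wipe() { s.aead = nil }

func main() {
	store, _ := NewBoundStore([]byte("user-passphrase"), "device-A-serial") // constructed values
	blob, _ := store.Seal([]byte("Q3 forecast"))
	pt, err := store.Open(blob)
	fmt.Println(string(pt), err)
	store.Wipe()
	_, err = store.Open(blob)
	fmt.Println("after wipe:", err)
}
```

Note that "wipe" here is cryptographic erasure: it is instant and works even if the card is not present, which is exactly the property a remote-wipe command needs when the device is already in someone else's hands.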
Updating operating systems
The operating system and the system software should be updated regularly. The software and application updates and security patches released regularly by vendors should be installed (Herrera, Ron & Rabadão, 2017).
The corporation should ensure that users of personal mobile devices keep their antivirus software and authentication measures up to date. This helps guarantee that corporate data stored on personal devices is safe from unauthorized access by third parties.
Synchronization services, including website, remote and local device synchronization, should be restricted.
Digitally sign applications and distribute them through a mobile store so that only applications from trusted entities are installed on the mobile devices.
Prevent mobile devices from accessing the organization's information resources depending on their operating system version and whether the device has been rooted.
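The last measure, gating access on operating system version and root status, is usually enforced as a posture check evaluated each time a device connects. The following is an added example, not code from the assignment or from any MDM product: it compares the reported OS version against a per-platform minimum with proper numeric comparison (so "16.10" is correctly newer than "16.2"), denies rooted or jailbroken devices outright, and also rejects devices whose security patch level is older than the policy allows, which covers the "dated software" vulnerability above. The platform names, versions and age limit are constructed policy values.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Posture is what an MDM agent reports about a device before access is granted.
type Posture struct {
	Platform   string    // e.g. "android" or "ios"
	OSVersion  string    // e.g. "13.0.1"
	Rooted     bool      // rooted or jailbroken
	PatchLevel time.Time // date of the last security patch installed
}

// AccessPolicy values would come from the BYOD policy document; these are constructed.
type AccessPolicy struct {
	MinOSVersion map[string]string // minimum version per platform; unlisted platforms are denied
	MaxPatchAge  time.Duration     // how old the security patch level may be
}

// parseVersion turns "13.0.1" into [13 0 1]; missing components count as zero.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimSpace(v), ".")
	if v == "" || len(parts) > 3 {
		return out, fmt.Errorf("bad version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// versionLess reports whether a is older than b, comparing component by component.
func versionLess(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Evaluate returns nil if the device may access corporate resources, otherwise the reason
// for denial. Root status is checked first because it invalidates every other claim the
// agent makes about the device.
func (p AccessPolicy) Evaluate(d Posture, now time.Time) error {
	if d.Rooted {
		return fmt.Errorf("device is rooted or jailbroken")
	}
	minVer, ok := p.MinOSVersion[d.Platform]
	if !ok {
		return fmt.Errorf("platform %q is not permitted", d.Platform)
	}
	have, err := parseVersion(d.OSVersion)
	if err != nil {
		return err
	}
	want, err := parseVersion(minVer)
	if err != nil {
		return err
	}
	if versionLess(have, want) {
		return fmt.Errorf("OS %s is below the minimum %s", d.OSVersion, minVer)
	}
	if now.Sub(d.PatchLevel) > p.MaxPatchAge {
		return fmt.Errorf("security patch level is older than %s", p.MaxPatchAge)
	}
	return nil
}

func main() {
	pol := AccessPolicy{MinOSVersion: map[string]string{"android": "12.0.0", "ios": "16.2"}, MaxPatchAge: 90 * 24 * time.Hour}
	now := time.Now()
	fmt.Println("compliant:", pol.Evaluate(Posture{"android", "13.0.1", false, now.Add(-30 * 24 * time.Hour)}, now))
	fmt.Println("rooted:   ", pol.Evaluate(Posture{"android", "13.0.1", true, now.Add(-30 * 24 * time.Hour)}, now))
	fmt.Println("stale:    ", pol.Evaluate(Posture{"ios", "17.0", false, now.Add(-120 * 24 * time.Hour)}, now))
}
```

The check is only as good as the agent reporting the posture, which is why root status is treated as disqualifying rather than as one factor among several: a rooted device can lie about every other field.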
Data loss prevention
Data Loss Prevention (DLP) techniques allow network administrators to monitor employees' activities on the network, locate the source of any security breach and respond quickly to that threat. They do this by tracking any sensitive data on the network (Martin, Martin, Hankin, Darzi & Kinross, 2017). DLP places a watermark on sensitive data and checks for any alteration of the data as it is transferred within the system.
Figure 3: DLP techniques for data loss prevention in a BYOD context
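The watermark-and-check behaviour described above can be made concrete with a keyed tag. The following is an added example, not code from the assignment or from any DLP product: the DLP server tags a classified document with an HMAC over its identifier, classification label and content, and the gateway re-computes the tag whenever the file crosses the network. A document that was edited, re-labelled to a less restrictive class, or has had its tag moved to another file fails the check, and an intact confidential document is still stopped at the network boundary. The server key, document identifier and content are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Verdict is the DLP gateway's decision for one transfer.
type Verdict string

const (
	Allow         Verdict = "allow"
	BlockTampered Verdict = "block: content or label differs from the watermarked original"
	BlockExternal Verdict = "block: confidential document leaving the organization"
)

// mac binds document id, label and content to the DLP server's key.
func mac(key []byte, docID, label string, content []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(docID + "|" + label + "|"))
	m.Write(content)
	return hex.EncodeToString(m.Sum(nil))
}

// Watermark produces the tag stored alongside a classified document:
// "docID|label|hex(HMAC-SHA256(key, docID|label|content))". Only the DLP server
// holds the key, so users cannot re-tag an edited copy or forge a weaker label.
func Watermark(key []byte, docID, label string, content []byte) string {
	return docID + "|" + label + "|" + mac(key, docID, label, content)
}

// CheckTransfer is the gateway decision when a file crosses the network: verify the
// watermark (the alteration check) and then apply the handling rule for its label.
// Files with no watermark are treated as unclassified and allowed.
func CheckTransfer(key []byte, wm string, content []byte, external bool) Verdict {
	if wm == "" {
		return Allow
	}
	parts := strings.Split(wm, "|")
	if len(parts) != 3 {
		return BlockTampered // a mangled tag is treated like a failed check
	}
	docID, label, tag := parts[0], parts[1], parts[2]
	if !hmac.Equal([]byte(tag), []byte(mac(key, docID, label, content))) {
		return BlockTampered
	}
	if external && label == "confidential" {
		return BlockExternal
	}
	return Allow
}

func main() {
	key := []byte("dlp-server-key") // constructed; a real deployment uses a managed secret
	doc := []byte("Q3 revenue forecast: ...")
	wm := Watermark(key, "fin-2024-0042", "confidential", doc)
	fmt.Println("internal, intact:  ", CheckTransfer(key, wm, doc, false))
	fmt.Println("external, intact:  ", CheckTransfer(key, wm, doc, true))
	edited := append([]byte{}, doc...)
	edited[0] = 'R'
	fmt.Println("internal, edited:  ", CheckTransfer(key, wm, edited, false))
	relabelled := strings.Replace(wm, "confidential", "public", 1)
	fmt.Println("external, relabel: ", CheckTransfer(key, relabelled, doc, true))
}
```

The tag travels with the file, so a file copied to a personal cloud account or an email attachment can still be recognised and its integrity verified at the gateway; what the scheme cannot do is follow content that was retyped or photographed, which is why the text pairs DLP with containerization rather than relying on either alone.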
An organization should implement the following software to curb the risks resulting from the adoption of BYOD practices.
Application containerization software ensures that applications run in isolation and prevents other applications from accessing their data. The containerization technique allows the organization to enforce a security policy without touching the data or its functionality in the confidential area of the mobile device (Yadav, Ganguly & Suman, 2015).
Mobile identity and access management: this software implements two-factor authentication and single sign-on across multiple devices, making logging in simple for employees.
Mobile content management: this allows an organization to determine how data are stored in the cloud and how its employees access them.
BYOD significantly improves productivity in a corporation through increased availability and flexibility of access to the organization's information. It is important for the organization to be aware of the security risks brought by BYOD policies and practices. An organization can harness the benefits of BYOD by implementing an effective BYOD strategy that maximizes benefits while minimizing risks.
Threat agents arising from BYOD implementation include malware, public wireless networks, the mixture of corporate and personal information, and stolen and lost devices. BYOD vulnerabilities include employees' habits and outdated software and security patches. BYOD threats can have various consequences, including disclosure of sensitive corporate information and corruption of data, which compromise the confidentiality and integrity of the organization's data.
The organization should develop a BYOD policy containing the procedures and regulations to be followed when personal devices are used at the workplace. The policy will help control the behavior of users when accessing and managing the firm's network resources. It should stipulate regulatory measures including the types of device allowed on the work premises, the applications and software compatible with the firm's network, and the web addresses that are restricted and the reasons why. The policy should also stipulate the consequences that follow if an employee violates its rules.
The organization should regularly conduct a risk analysis of the company's network to make sure that all authentication procedures and other security measures are operating as required. The organization should also implement application containerization software that runs applications in isolation and prevents other applications from accessing their data.
References
1. Aphale, M., Borikar, U., Kardile, B., Vasekar, V., & Shital, J. (2015). Forensics investigation for database tampering using audit logs. International Journal of Engineering Research and Technology, 4 (3).
2. Beckett, P. (2014). BYOD-popular and problematic. Network Security, 2014 (9), 7-9.
3. Boranbayev, A., Mazhitov, M., & Kakhanov, Z. (2015). Implementation of Security Systems for Prevention of Loss of Information at Organizations of Higher Education. 2015 12th International Conference on Information Technology-New generations, (pp. 802-804). Las Vegas, NV.
4. Chang, J., Ho, P., & Chang, T. ( 2014). Securing BYOD. IT Professional, 16 (5), 9-11.
5. Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data breach. Network Security, 2015, 5-8.
6. Herrera, A. V., Ron, M., & Rabadão, C. (2017). National cyber-security policies oriented to BYOD (bring your device): Systematic review. 2017 12th Iberian Conference on Information Systems and Technologies (CISTI) (pp. 1-4). IEEE.
7. Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare: how safe are we? BMJ.
8. Mishra, A., Mathur, R., Jain, S., & Rathore, J. S. (2013). Cloud computing security. International Journal on Recent and Innovation Trends in Computing and Communication, 1 (1), 36-39.
9. Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012 (12), 5-8.
10. Pritchard, C. L. (2014). Risk management: concepts and guidance. Auerbach Publications.
11. Romer, H. (2014). Best practices for BYOD security. Computer Fraud & Security , 2014 (1), 13- 15.
12. Sadgrove, K. (2016). The complete guide to business risk management. Abingdon, U.K: Routledge.
13. Tarle, P. (2015). Comparative Study of Smart Phone Network Security Techniques. Internal Journal of Emerging Technology and Advanced Engineering, 5 (2).
14. Tzoumas, C. (2013). The BYOD World. BusinessWest, 30 (2), 45.
15. Vignesh, U., & Asha, S. (2015). Modifying Security Policies Towards BYOD. Procedia Computer Science, 50, 511–516.
16. Yadav, S., Ganguly, U., & Suman, S. (2015). Threats and Vulnerabilities of BYOD and Android. International Journal of research, 2 (8), 997-1003.
17. Yang, T., Vlas, R., Yang, A., & Vlas, C. (2013). Risk Management in the Era of BYOD: The Quintet of Technology Adoption, Controls, Liabilities User Perception, and User Behavior. 2013 International Conference on Social Computing (pp. 411-416). IEEE.