Delivery in day(s): 3
ITC596 IT Risk Management Oz Assignments
Most firms have chosen the trending wireless technologies and cloud computing in storing their data and transmitting information. This also leads to the organizations adopting a culture that allows staff members to work from their own devices as it offers them a chance to maximize on the cloud services and wireless connections. More people become connected through their devices on a common network. Personal devices are also increasing as consumer behaviour demand for the products keeps growing. Staff members hence find owning a personal device like a laptop or smartphone and bringing it to work as normal and necessary. Employees prefer carrying out all their tasks from their own devices reducing the workload of transferring files from their devices to the corporation’s machines. This leads to an increase in the number of personal devices brought in the work premises. Users also want privacy with what they do with their devices hence require management to avoid accessing their personal data even under the firm’s network (Jamil & Zaki, 2011)
Gigantic Corporation is an organization offering Information technology services. The organization operates on a BYOD approach allowing employees to carry out their tasks with their own devices. Multiple employees hence carry their devices to the workplace and add them to the corporation’s network framework anytime they are working. The use of the personal devices goes beyond work related activities as employees use their devices to store their own data or communicate with external people. Personal use of the devices through the corporation’s network system creates a loophole for data breach. Mitigation measures should be employed by the management of the firm that will check the vulnerabilities of using personal devices in the organization. Some measures they could use are installing firewalls on the network that prohibits users visiting dangerous web links, using authentication procedures to gain access to company data, regulating the devices brought in the work premises and training employees on safe ways to manage the data on their devices
Importance of a BYOD approach to the corporation
BYOD systems comes with its benefits. As the demand by staff members to work from their devices keeps growing everyday so do the benefits of BYOD systems. Less complications are experienced by users in terms of understanding operating systems and applications on the machines as they know their way around their own devices. Working from a personal device also allows employees to carry out their duties virtually hence they can work from anywhere. Staff members need not to be in the premises in order to access the corporation’s resources to do their duties. Employers and the management also benefit from BYOD systems. Expenditure on IT infrastructure reduces as less is spent on acquiring mobile devices for their employees. Operational costs on maintenance of the devices and software upgrades are also cut down as users update their personal devices by their own means. Management is able to save on some capital allocating the money to a different project.
Employees are permitted to operate with their devices at the workplace in most firms. This creates a work environment that is efficient as the staff work comfortably with their gadgets. Organizations and companies enjoy advantages for using BYOD policy that include a rise in productivity, less expenditure to purchase IT equipment, reduced expenses on managing devices plus employees enjoy more freedom and are more mobile. Firms that allow staff to carry their own devices also build their reputation allowing them to attract potential employees and retaining them. Users of the devices are familiar with their gadgets, this reduces frustrations that arise from machine delays or machine failure. Staff carry out their tasks efficiently from their devices resulting in more revenue collected by the organization. However, allowing staff to bring their devices to the work place poses certain risks to the organization’s network and information system. Illegal access by third parties or exposure of company data through individual devices are risks that BYOD policy expose a firm’s system to.
BYOD systems have been operational for most firms and companies in recent years. This is in spite of the vulnerabilities that the approach brings to the organization’s information. The management of this organizations consider stopping the habit which has become normal almost impossible. This will negatively impact the business as staff members will find it uncomfortable to adjust to a new system. The work rate will reduce for most users leading to a drop in production for the entire organization. The alternative therefore for these firms is to establish the security risks of incorporating A BYOD system and coming up with solutions to lessen the risks. Different approaches to BYOD systems are used by various firms. The approach that one chooses determines the security measures that the firm will pick. While setting up the rules that determine the security measure to put in place, several factors are considered including the practice of BYOD in the work premises, the type of devices that users have, the number of personal devices in the system plus their owners and the environment and time the devices are in use. Putting this factors into consideration assists in creating a difference between the advantages the BYOD system adds to the corporation and the threats that come with the same. During the emergence of BYOD systems, the strategy was a smart practice that led to IT departments spending less on IT infrastructure plus cyber-attacks through this practice were minimal. With growth in technology cyber-attacks have increased leading to doubts in installing a network system with BYOD capabilities.
Vulnerabilities of BYOD to the Corporation
Implementing a BYOD approach will lead to the network of the system experiencing various technical challenges. This includes devices colliding to gain access to sharable resources of the network like printers. Incompatibility of applications and running different operating system that cannot integrate. The network might also experience congestion of devices while connecting to wireless technologies like Bluetooth leading to slow transmission of files among users.
BYOD systems will create privacy and security weaknesses. The two are major risks that the corporation plus its staff members are exposed to. The staff members will be worried about their privacy while using their devices when connected to the corporation’s network. How confidential is their personal online activities while in the workplace is there concern. Employees also want to know the extent to which their employers have the capacity to gain access to their personal data through the system. The corporation on the other hand will be worried about the security of their data. They would like to identify the behaviors of staff that may put the firm’s data at risk.
The Corporation Security threats
Users customize their devices with unlocking features and rooting protocols that do not comply with vendor configuration terms. This creates a security risk as some of these unlocking techniques create a loophole for malicious applications to install in the devices. The corporation’s data which is stored in these devices gets damaged through the apps (Omeje, 2017).
Implementing BYOD policy also leads to users mixing personal data and corporate data under one device. The cross contamination may lead to employees unintentionally deleting work files. Chances of users deleting corporate data along with their personal data are high for staff members who host their personal and work data on one device. This is a vulnerability especially if some employees are reluctant to organize their data
Among the risk that the corporation faces is security breach by mobile applications. Several applications exist which corrupt other applications or files. Some of these applications can gain access to corporate data and even damage it. Staff members using personal devices are vulnerable to these malicious applications. Users that are not keen while downloading applications might install the malicious apps. This creates a loophole for the applications to gain access to their data and the firm’s data.
Another risk that the organization faces from implementing a BYOD policy is exposure of their data. As staff transfer, process and store the corporation’s data on their personal devices management loses track of control and visibility of the data. Researchers have found that nearly 20 percent of personal mobile devices users will lose their devices or will be stolen from them eventually. Half of the devices are never recovered. Some of the devices are stolen since their value is high in the market but the need to illegally access information in the device is also a growing factor. The corporation’s sensitive data could be out there in the open if an employee loses a device carrying such information
One of the risks that makes the corporation’s data vulnerable from applying a BYOD policy is that a number of users may opt to use their devices without setting a password protection mechanism. This creates a loophole for unauthorized access to data stored in the devices. If an employee’s mobile device hosts organization files and is not encrypted, chances of third party individuals accessing the files are high especially if the user shares his devices with others beyond the work premises.
The corporation might also incur additional charges from the personal purchases that the employees make under the corporation’s network. Organizations incur the expenses through user triggered in app purchases. Normally, users will pay for the applications or software they buy for their personal use. This might be different for Gigantic Corporation whose network system allows users to purchase or upgrade software related to their work. Employee benefits buy the applications and the cost is directly credited to the firm. Users might buy software and applications for their personal use and still forward the bill to the corporation (Crossler, Bélanger & Ormond, 2017).
BYOD privacy concerns
The employees of the corporation are the most concerned about their privacy on the firm’s network. Implementing a BYOD structure in the workplace also allows the network administrators to gain access to the devices connected on the corporation’s network. Staff members are worried that their employers can view their personal data and see what they do during their browsing sessions when connecting their personal devices to the company’s network. This are known as big brother concerns whereby the staff feel that the employers access their online social life such as social media accounts or bank records. Companies however are worried that the behaviors and activities of the workers on their network might expose the corporation’s data to a security breach. This gives them a reason to monitor all devices connected on their network. The corporation finds the employees spare time browsing as a threat to their system (Khan & Ayyoob, 2017).
Certain protocols entail that a data sweep is done in the event of a data breach as a security measure. This puts the users at risk of losing all their personal data. The system is designed to automatically erase all the data when it senses a security breach. The firm’s data and personal files stored in the system is deleted.
BYOD systems also enable the network administrators to monitor the physical location of their employees through their devices. Since the devices on the network are known and registered under the corporation’s network, the employers can track their workers by monitoring their devices. This is a big brother type of privacy violation.
Certain security protocols entail that all devices be collected in the event of a data breach. Any devices requested for investigations must be submitted. This exposes the personal data of the employees who had stored personal files and corporation’s data on the same device (Chang, Zhong, & Grabosky 2018)).
Alternatives that Gigantic Corporation can choose from to mitigate BYOD risks
The corporation has several options to mitigate the vulnerabilities of the system to security threats (Mitchell, Fisher, Watson & Jarocki, 2017).
They could hire cloud computing services to offer a secondary database to store their data. This incorporated with a central server will provide a backup storage plan. The organization will not lose its data in the event of a data sweep. Employees who misplace their mobile devices or get stolen will also be able to recover their data (Harris, 2017).
Applying Data Loss Prevention tools is a good option too. The technique allows the network administrators to monitor the employees’ activities on the network. They do this by following up on any sensitive data that is on the network (Martin, Martin, Hankin, Darzi & Kinross, 2017). DLP places a water mark on sensitive data and checks for any alteration of the data as it is being transferred within the system. This helps in identifying the source of any security breach. The administrators will be able to respond quickly to any leak (Hillson,& Murray , 2017).
Another technique that the corporation can add as a security measure is regularly updating the operating system and the software of their system. Multiple software and applications have regular updates and security patches released by the vendors. This patches should be installed (Herrera, Ron & Rabadão, 2017). The corporation should ensure that the users with personal devices are updating their antivirus and authentication measures. This will be a good security measure in ensuring corporate data stored on the personal devices is safe from unauthorized access by third parties (Mishra, Mathur, Jain & Rathore, 2013).
The corporation could also implement Network Access Control protocols that implement authentication measures in regulating transfer of files among devices in the network. The NAC technique adds encryption processes that require only authorized personnel access the firm’s data (Sadgrove, 2016).
This will design a restrictive policy that regulates the end devices that can get access to certain resources on the network. The management will be able to control the period when employees can access the firm’s network resources (Tsikrika, Akhgar, Katos, Vrochidis, Burnap & Williams, 2017) Administrators can configure strict protocols that lock out personal devices from the firm’s network limiting the employees from accessing the resources (Pritchard & PMP 2014).
In this current times, employees working with their own devices is a norm. Employees find carrying out there tasks from their devices comfortable and efficient (Harris, 2017)).The opportunity of working from your personal device comes with a number of benefits making it hard to pass by (Lam, 2014). The corporation should come up with an alternative that will strike a balance between the advantages the firm enjoys for allowing employees work with their own device and the vulnerabilities that expose their network from the same (Daniele, Maugeri & Nagurney, 2017). The corporation should not shy away from the use of personal devices in their workplace due to the risks of the policy. The organization should develop a strategy to mitigate the risks of allowing personal mobile devices to join their network (Bessis, 2015).
The corporation could create a BYOD policy that contains the rules to be followed in using personal devices at the workplace. The policy assists in controlling the behavior of users while using the firm’s network resources. The policy stipulates regulatory measures including the type of devices allowed in the work premises, the applications and software compatible with the firm’s network and the web addresses that have been restricted to visit and the reasons why (Chen, Hong, &Liu , 2018). The policy should also stipulate the consequences that follow if an employee violates the rules in the policy (Hillson & Murray, 2017).
The corporation should also conduct a risk analysis on the company’s network regularly to make sure that all the authentication procedures and other security measures are running as required. This will also assist them in discovering and sharing new applications and software that their employees have installed in different devices (Gollmann & Meier, 2009).
The management of Gigantic Corporation should embrace BYOD policy as it will result in better productivity in their services and increased employees’ satisfaction leading to efficiency in running their operations (Pritchard & PMP 2014). The risks that come with implementing BYOD have ways to mitigate. The management should consider the best alternative that is compatible with their activities. This could mean employing restrictive measures in accessing resources of the network. Employees may end up being frustrated and unsatisfied with their working conditions (Carlin & Curran, 2013).
Anwar, M., He, W., Ash, I., Yuan, X., Li, L., & Xu, L. (2017). Gender difference and employees' cybersecurity behaviors. Computers in Human Behavior, 69, 437-443.
Bessis, J. (2015). Risk management in banking. John Wiley & Sons.
Carlin, S., & Curran, K. (2013). Cloud computing security. In Pervasive and Ubiquitous Technology Innovations for Ambient Intelligence Environments (pp. 12-17). IGI Global.
Chang, L. Y., Zhong, L. Y., & Grabosky, P. N. (2018). Citizen co?production of cyber security: Self?help, vigilantes, and cybercrime. Regulation & Governance, 12(1), 101-114.
Chen, Y., Hong, J., & Liu, C. C. (2018). Modeling of intrusion and defense for assessment of cyber security at power substations. IEEE Transactions on Smart Grid, 9(4), 2541-2552.
Crossler, R. E., Bélanger, F., & Ormond, D. (2017). The quest for complete security: An empirical business analysis of users’ multi-layered protection from security threats. Information Systems Frontiers, 1-15.
Daniele, P., Maugeri, A., & Nagurney, A. (2017). Cybersecurity investments with nonlinear budget constraints: Analysis of the marginal expected utilities. In Operations Research, Engineering, and Cyber Security (pp. 117-134). Springer, Cham.
Gollmann, D., & Meier, J. (2009). Computer Security–ESORICS 2006: 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings (Vol. 4189). Springer Science & Business Media.
Harris, E. (2017). Strategic project risk appraisal and management. Routledge.
Herrera, A. V., Ron, M., & Rabadão, C. (2017, June). National cyber-security policies oriented to BYOD (bring your own device): Systematic review. In Information Systems and Technologies (CISTI), 2017 12th Iberian Conference on (pp. 1-4). IEEE.
Hillson, D., & Murray-Webster, R. (2017). Understanding and managing risk attitude. Routledge.
Jamil, D., & Zaki, H. (2011). Cloud computing security. International Journal of Engineering Science and Technology, 3(4).
KHAN, M., & AYYOOB, M. (2017). Computer security in the human life. computer security in the human life, 6(1), 35-42.
Lam, J. (2014). Enterprise risk management: from incentives to controls. John Wiley & Sons.
Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare: how safe are we?. Bmj, 358, j3179.
Mishra, A., Mathur, R., Jain, S., & Rathore, J. S. (2013). Cloud computing security. International Journal on Recent and Innovation Trends in Computing and Communication, 1(1), 36-39.
Mitchell, R., Fisher, A., Watson, S., & Jarocki, J. (2017, January). Linkography ontology refinement and cyber security. In Computing and Communication Workshop and Conference (CCWC), 2017 IEEE 7th Annual (pp. 1-9). IEEE.
Omeje, K. (2017). High stakes and stakeholders: Oil conflict and security in Nigeria. Routledge.
Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. Auerbach Publications.
Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. Auerbach Publications.
Sadgrove, K. (2016). The complete guide to business risk management. Routledge.
Tsikrika, T., Akhgar, B., Katos, V., Vrochidis, S., Burnap, P., & Williams, M. L. (2017, February). 1st international workshop on search and mining terrorist online content & advances in data science for cyber security and risk on the web. In Proceedings of the Tenth ACM International Conference on Web Search and Data Mining (pp. 823-824). ACM.