BYOD Best Practices

Walk through any expo floor at an information security conference this year and you’re bound to hear about the rapidly evolving threat landscape.

From advanced persistent threats to zero-day vulnerabilities, many security companies tend to focus on the kinds of attacks that could undoubtedly cripple an organization’s network. What a security manager likely won’t hear much about are the “basics” as they relate to the business’s security posture. Why? Because it’s not “sexy,” according to Ruoting Sun, product marketing manager at Duo Security.

While the basics are commonly overlooked, they are the part of any security strategy that should be cause for concern, since a majority of cybercriminals focus on the low-hanging fruit first. That is even more the case in mobile security.

The benefits of implementing a bring-your-own-device (BYOD) program at any organization are great, but they come with major risks and challenges. As devices continue to flood the corporate network, the “trust model” has been forced to change, says Sun. Once those devices leave the corporate network, there’s no telling what users could be doing.

“They can download malicious applications or visit sites that have been infected with malware,” Sun told Infosec Insider during a recent video interview. “Then they bring those devices back into the network to access corporate applications. So it’s really changed the trust model that companies typically have when they’re implementing security because you can no longer assume that just because a request or traffic that is being sourced from inside the corporate network is safe because it’s local traffic.”

As security teams at companies continue to work toward implementing a successful BYOD program, Sun suggests not overlooking the basics.

“Well over 90 percent of attacks that we actually see impacting organizations are attacks that have had a patch release for over a year,” he said. “It just happens that end-users don’t have great hygiene or security awareness to go and update their own personal devices. And because they’re not devices that aren’t known or managed by the organizations, there’s that lack of visibility.”

In this video interview, Sun discusses the importance of getting the basics right in enterprise mobile security and runs through the four best practices that every security manager should know when implementing a BYOD security policy.