Information Security: Corporate-Owned Devices Vs Employee-Owned Devices - Security Boulevard


Posted: 25 Nov 2019 11:52 PM PST


In an era of enterprise mobility, employee flexibility and convenience in terms of working from remote locations and device usage have become the new norm. Although this definitely adds to their productivity and efficiency, companies cannot ignore the threats and risks they pose to corporate information security. The influx of mobile devices and the plethora of platforms in the workplace are making things more complex for companies. Conditions get trickier when employees are allowed to use their own devices at work, whether on office premises or at a remote location. This blog will discuss why a company needs to make an informed decision about implementing a specific device ownership model. Let's dive into a comparative analysis between corporate-owned devices and employee-owned devices from the viewpoint of information security.

What is Information security?


Information, which can exist in any form – physical, tangible, electronic or non-tangible, is a valuable asset to a company. As the term suggests, Information Security is a set of defined and organized tools and processes designed to protect sensitive corporate information from being disrupted, stolen, modified, compromised, disclosed, corrupted or destroyed.

A part of information risk management and popularly known as InfoSec, it secures crucial information from unauthorized access, use, sharing, disclosure or deletion. If a security incident takes place, InfoSec professionals are responsible for mitigating the impact of the threat or the risk involved. The three famous pillars of InfoSec are Confidentiality, Integrity, and Availability. Apart from these 3 aspects, there are 3 more pillars that offer further strength to the InfoSec program: Accountability, Authenticity, and Non-Repudiation.

The simple principle that underlies the InfoSec program is that sensitive corporate information must be kept intact: it cannot be accessed, transferred or modified without authorized permission. The major types of InfoSec are Application Security, Cloud Security, Cryptography, Infrastructure Security, Incident Response and Vulnerability Management.


Why should companies care?

Information can be worth a trillion dollars to a company and losing it can cause irreparable damage to enterprises. Unmanaged and unorganized information lying in silos can be vulnerable to different kinds of threats like computer/server malfunction, natural disasters or physical theft. InfoSec is a crucial consideration for IT security specialists who monitor and prevent risks to application security, data security, network security, physical security, and computer security.

As a matter of fact, modern companies mostly rely on corporate e-information stored within computers, information and software systems, mobile devices, smartphones, tablets and other handheld devices used by employees, stakeholders, and business leaders. As companies shifted their interest from physical assets to the digital landscape, threats to information took the shape of cyber-threats. The increasing number of cyber-security attacks can cause major damage to sensitive and critical information assets.

On top of that, the growing risks of data breaches have brought the importance of having a sophisticated data protection plan to the forefront.


Stated below are a few of the reasons why companies should start caring about Information Security:

  • As per Juniper Research [1], cybercrimes have led companies to lose an amount of $2 trillion in 2019.
  • The same report states that cybercriminals will steal 33 billion records in 2023 alone, resulting in a cumulative loss of around 146 billion records.
  • As mentioned by Cybercrime Magazine [2] and Gartner's forecast, organizations are going to increase their spend on InfoSec awareness computer-based training by 13%.
  • As per the same reports [3], the global expenditure on cybersecurity will touch a staggering $10 billion by 2027.
  • As per a Symantec report [4], there is a 25% growth in the number of attack groups using destructive malware.
  • The same report states that the average number of organizations targeted by each attack group is 55.
  • There is a 1000% increase in malicious PowerShell scripts and a 78% increase in supply chain attacks, according to this Symantec report.

How does the device ownership model influence information security?

As most corporate information, which is sensitive and critical in nature, lies within the smartphones, tablets and other handheld devices used for enterprise purposes, it is crucial to understand who owns and uses these devices, how they use these devices and who owns the information. It also raises the question of how much control the company should have over the information stored in these devices, which are intended to be used from office premises as well as from remote locations.

Also, what kind of security and usage policies are introduced to protect company information from unauthorized access and data abuse, and how are they implemented? Let's look at the risks posed by employee-owned devices and how having a corporate-owned device policy with a robust MDM solution in place can be a better idea for organizations.

Information Security Risks with Employee-Owned Devices

With the growing need for flexibility, convenience, and agility, employees are demanding to use their own devices at work. Although employee-owned devices are doing the rounds, companies must not ignore the costs they might pay for allowing employees to use their own devices to carry on their daily work. The security risks are doubled when employees use their own mobile devices from remote locations or while telecommuting. Check out the following risks that employee-owned devices can pose to information security:

Data loss or abuse due to lost or stolen device: When an employee uses his/her own device at work without any backend control from the company IT team, it simply means that the devices are on their own, and so is the company data lying within them. Now imagine a scenario where an employee misplaces his/her device and it falls into the wrong hands. It would not only jeopardize the entire work process but could also expose sensitive and critical company data to compromise by hackers, who have gained expertise in decoding encrypted data and device-locking passwords.

Data misuse during sudden/immediate employee departure: When an employee leaves the company, it is mandatory to follow certain regulations to ensure a healthy and organized departure. However, in a case where an employee just decides to abruptly walk out of the company without any prior notice, he/she creates scope for data misuse. Companies rarely exercise any control over employee-owned devices, and this makes it difficult to wipe or erase corporate data stored in those devices, which might attract unauthorized and unsafe access to corporate data and software in the future.

Data can be corrupted due to unprotected browsing: Without any company IT control, employee-owned devices do not come with any restrictions or limitations on browsing unprotected websites and downloading malicious apps. However, this unhindered freedom might invite the risks posed by cyber-threats and attacks via unsafe websites and virus-laden apps. This undoubtedly brings in bigger risk factors wherein corporate data stands a chance of corruption, deletion or destruction, resulting in tremendous financial and strategic loss for the company. Malware, spyware and ransomware attacks through infected emails, apps, and weblinks can cause irreparable damage to the organization's brand image.

Indifference towards security updates: People often do not pay heed to OS security updates and notifications, which causes the phones to stay outdated and hence devoid of security upgrades. This tendency of indifference towards security updates can spell doom for information security. When employee-owned mobile phones are not forced to update themselves with the latest security firewall and anti-virus systems, they become vulnerable to a myriad of cyber-attacks, which leaves the corporate data within these devices vulnerable.

Access to unprotected Wi-Fi: Employee-owned devices are often used from multiple remote locations wherein the user/employee sometimes needs to access open Wi-Fi networks in case of data exhaustion or unavailability. Open Wi-Fi networks provided in coffee shops, airports, retail stores, hospitals, restaurants, and hotels often act like an open and unsecured portal for hackers to access company information stored in the devices. Accessing these unprotected Wi-Fi networks has become a norm with employees using personal devices, but it can lead to dangerous InfoSec threats for organizations.

Corporate-owned devices are a better option to drive information security

It is true that several of these loopholes can be covered by implementing a well-planned BYOD policy, but companies are definitely treading that path at a slower-than-expected pace owing to the security complications and management ordeal. On top of that, as companies cannot own and regulate the usage of these employee-owned devices, the possibilities of malware and virus attacks are always present on the devices. The infection can be passed along to the company IT system when they access the devices.

While employee-owned devices invariably drive productivity and flexibility, this cannot be achieved at the cost of important company information being jeopardized. Having a corporate-owned device ownership model pays off in multiple terms while fostering productivity, security, flexibility, efficiency, and precision – all at once! A corporate-owned device policy powered with a perfect MDM solution can be an ultimate answer to maintaining a flawless information security system across the organization at all levels.


When it comes to choosing an all-round Mobile Device Management software that comes with all the relevant and unique security features and management capabilities, be sure to go for the best with Scalefusion MDM.

Sources
1. juniperresearch.com
2. cpomagazine.com
3. cybersecurityventures.com
4. symantec.com

*** This is a Security Bloggers Network syndicated blog from Scalefusion Blog authored by Sonali Datta. Read the original post at: https://blog.scalefusion.com/information-security-corporate-owned-vs-employee-owned-devices/

Kim Komando: How to securely send email and texts - South Bend Tribune

Posted: 25 Nov 2019 04:00 AM PST

We send messages all day long, and every time we hit "send," we roll the dice. Hackers don't have to break into your phone to steal your data; they can intercept messages or break into other people's devices. Once they have your email or text, there's only one way to protect your private correspondence: make it unreadable.

One of the most powerful defenses against snoops is called "end-to-end encryption." Encryption is a secure way to protect your conversations from being read by others. Even if a hacker intercepts them, they can't see anything but gibberish. "End-to-end" means messages remain encrypted, no matter who is sending or receiving them.

This idea sounds a little complicated, but it isn't tough to set up. And you can get this extra layer of protection for free.

Encrypted emails

Believe it or not, big-name email services like Gmail and Yahoo do not provide end-to-end encryption. Some critics say it's because large data companies want the ability to read your messages.

The common explanation is much simpler: watertight encryption is hard to implement, and it requires all correspondents to participate. For example: If your email uses encryption but mine doesn't, the process isn't end-to-end. At some point, your message will be vulnerable.

For businesses and organizations that require tight security measures, or for cautious individual users, here are some standout services that do provide end-to-end encryption. There are some loopholes and drawbacks to each, but if you get your entire network onboard, these platforms can theoretically safeguard your entire email chain.

Here are some services known for their encryption capabilities to make your email and text messages more secure.

ProtonMail

This service has won global attention because of its end-to-end encryption, and it has become a popular option for users seeking absolute privacy. The company is based in Switzerland, a nation famous for its privacy standards, and its servers are literally buried underground.

There is a limited free version and a more robust paid version, and you can use the service for your website's domain. The company boasts that even they — the developers — can't read your emails.

Mailfence

This Belgian company puts a premium on security by using "keys," which you can share with trusted individuals. The good news is you can trade ultra-safe emails with fellow Mailfence users. The bad news is you can't send end-to-end encrypted messages to people who don't use it.

Tutanota

You can secure end-to-end encryption between one Tutanota user and the next, and you can also create secure passwords for viewing Tutanota-sent emails on other services, such as Gmail.

SCRYPTmail

This service is similar to others, except it can also provide decoy email addresses, making it difficult for a recipient (or hacker) to know who sent a message. This could be used malevolently, of course, but it can also protect your email from abusive responses.

Hushmail

Created in Canada in 1998, Hushmail has been in the private email business for a long time. Like Mailfence, Hushmail uses keys for sharing with others. Many of Hushmail's innovative features are fairly standard these days, but the service remains as trustworthy as ever.

Microsoft Outlook

Yes, the popular email service has developed end-to-end encryption — you just need to change your settings to use it. Outlook will analyze your email for sensitive information; but more interestingly, Outlook can prevent a recipient from copying or forwarding your emails.

Encrypted messaging apps

"Text messages" have evolved rapidly in recent years, and smartphones are capable of supporting a wide range of messenger services — a handful of which provide end-to-end encryption, just like email.

There are numerous services available for inexpensive or free messaging, which provide decent levels of security. These are three of the biggest; I recommend Signal first, Messages (if you have an iPhone) second and WhatsApp third, but you might also look into Silence, Silent Phone, Telegram, Wire, Dust or Cyphr, among others.

Signal private messenger

As its name implies, Signal Private Messenger is explicitly designed for covert communication. Its developer, Open Whisper Systems, has won accolades from security experts and cryptographers, and the system is available for Apple and Android devices, along with desktop computers.

All Signal messages are encrypted end-to-end, and you can also set a timer for your transmissions so they are automatically deleted. What's more, the programming is open-source; there isn't a major corporation looming over your data, nor is there a faraway server that stores your data.

Incredibly, Signal is free to download and use, whether you get it from the Apple App Store or Google Play. Not only can you send messages, but you can also hold HD video calls with users all over the world.

Apple's Messages app

Apple users generally rely on the Messages app in iOS and macOS, which protects messages and attachments sent between two Apple gadgets. So if you send a message from an iPhone to a friend's iPhone — or their iPad or MacBook — your text will automatically be encrypted. Text messages stored on iCloud are also encrypted, as long as you've enabled two-factor authentication.

Predictably, messages sent to Android users are not encrypted. Android gadgets do not encrypt SMS messages by default; in that situation, you may consult another one of these apps.

Android users often get the short end of the stick when it comes to safety and security.

WhatsApp

WhatsApp has garnered global popularity for its free text and voice messaging. The app is available on a variety of platforms, including Windows and macOS computers, as well as Android and iOS mobile devices.

One drawback: WhatsApp is owned by Facebook, which has come under fire in recent years for privacy issues.

That said, WhatsApp does offer end-to-end encryption between yourself and other WhatsApp users. As always, I don't recommend sending sensitive information through the app — much less compromising photos or documents — but you can use this app to comfortably keep hackers at bay.
