
Connected devices lead to security questions

(Image credit: Shutterstock/Rawpixel)

We live in a global, connected society, and with new types of devices entering the workplace daily, organizations of all sizes must prepare for the unknown so that they have the resilience to withstand unforeseen, high-impact security events. To take advantage of emerging trends in cyberspace and technology, organizations need to manage risks in ways beyond those usually handled by the information security function, since new attacks will damage business reputation and shareholder value.

Connected Devices and the Era of Bring Your Own Everything (BYOx) 

As more employees bring their own mobile devices, applications and cloud-based storage into the workplace, businesses of all sizes continue to see information security risks exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external exploitation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

BYOx initiatives present considerable challenges, as does the widespread adoption of social media. Today's Chief Information Security Officer (CISO) and Chief Information Officer (CIO) must embrace these technologies or risk being sidelined by more agile peers.

BYOx has become a target for attackers who are well prepared to take advantage of people who habitually use their devices or cloud storage for personal purposes and forget that they are on a corporate network. A well-organized attack, whether originating from nation states, criminals, hacktivists or rogue insiders, can exploit BYOx devices, applications and cloud-based storage, using them as a bridgehead into the organization.

Keeping the lid on the risks presented by the BYOx ecosystem will require IT departments to deploy enterprise-wide strategies, policies and management technologies quickly and effectively. While safeguarding data is of paramount importance, empowering employees to use their own devices, applications and cloud-based storage safely and flexibly is essential to workplace productivity and competitiveness, as well as to keeping workforce morale and talent retention high.

Protecting Sensitive Information 

The growing number of consumer devices in the workplace, together with the increasing volume of data being moved across multiple borders, demonstrates the need for organizations to protect sensitive information. Because personally owned devices will be the device of choice for most users going forward, organizations need to address the long-standing issues around handling data on those devices by dedicating appropriate time and resources to managing this vital business component.

Executives recognize the massive benefits of cyberspace and how the Internet, and today's growing use of connected devices, greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty weighing the risks against the rewards. At a minimum, organizations must ensure they have standard security measures in place.

To help ensure that organizations have these measures in place, the Information Security Forum (ISF) has developed the ISF Information Risk Assessment Methodology 2 (IRAM2), which has many similarities to other popular risk assessment methodologies. However, IRAM2 covers a broader part of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. IRAM2 gives businesses of all sizes a simple and practical, yet rigorous, risk assessment methodology that helps them identify, analyze and treat information risk throughout the organization.

Additionally, the ISF has introduced a practical approach for creating key performance indicators (KPIs) and key risk indicators (KRIs) that support informed decision-making. This gives businesses of all sizes assurance that the CIO, CISO and the information security function are responding proactively to the priorities and needs of the business.

The ISF method encourages CISOs and CIOs to have the right conversations with the right people. It has been designed to be applied at all levels of an organization, and consists of the following four phases: 

1. Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPIs and KRIs 

2. Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations 

3. Create impact by engaging to make recommendations relating to common interests and make decisions about next steps 

4. Learn and improve by engaging to develop learning and improvement plans 

This approach provides a way for businesses to succeed by engaging with audiences to recognize shared interests, determine appropriate data, generate consistent insights and create impact supported by the right KPIs and KRIs. This, in turn, will support better informed decision-making. 

Time is Critical. Don’t Wait. 

Businesses must urgently formulate a response to the ever-growing presence of mobile devices in the workplace. An information-centric perspective is key to managing BYOx risk, keeping the focus on the data that matters rather than on technical details. The explosion of new devices and applications means that building a BYOx risk management plan around a single technical solution is limiting. A focus on information is more likely to result in a responsive and adaptable program.

There are a few risk-based requirements that I want to leave you with: 

- Highlight the issues associated with storing and processing private information on mobile and virtual devices

- Provide clarity about which privacy rules apply, and specifically how they are affected by the cross-border movement of data and the multi-tier nature of service providers

- Include a high-level examination of the differing legal requirements of different jurisdictions

- Identify the roles and responsibilities that apply to sensitive information

- Define an approach for managing private data accessed on mobile devices and in the cloud

- Help organizations understand how to respond to regulators and data subjects

Businesses of any size cannot afford to stand still and allow mobile device adoption to run its own course, as it will create new attack vectors and potential vulnerabilities in corporate networks. In today's connected society, you need to stay one step ahead of the latest trends in mobile devices and the related security risks. By putting in place the right working practices, usage policies and management tools, organizations of all sizes can benefit from the advantages mobile devices bring to the workplace while reducing their exposure to security risks.


Steve Durbin
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.