While many end users are aware of the dangers of not securing a device properly, that doesn't mean they secure it. Many choose to ignore advice from IT professionals about locking down their devices. We may expect this from end users, which is why managed services providers (MSPs) try to place themselves between businesses and end users, but what about the U.S. military? Shouldn't it have higher standards for bring your own device (BYOD) and mobile device management (MDM)? Apparently it does not. Sophos Senior Threat Researcher Beth Jones recently highlighted the alarming vulnerabilities left open by the U.S. military's implementation of mobile devices in her Naked Security blog. Here are the details.
Jones pulled the following facts from the Inspector General's report (which appears to have been pulled from the government's web site since, but has now been reposted). They show how standard BYOD security procedures were neglected by the CIO of the U.S. Army, including:
- mobile devices and data were not protected with MDM software;
- the U.S. Department of Defense did not have the ability to remotely wipe devices;
- the Army CIO was unaware of 14,000 devices throughout the Army;
- users were not trained and did not sign user agreements; and
- users were allowed to save sensitive data on removable media.
Data loss matters
Jones cited the case of the U.S. Secret Service contractor who left two tapes of sensitive data on a DC Metro train as a prime example of what could happen to any employee at any level. Data is power, and criminals are always looking to get their hands on sensitive material.
Jones recommended that any CIO grappling with BYOD security issues consider Sophos CTO Gerhard Eschelbeck's seven-step BYOD security plan:
- Identify the risk elements that BYOD introduces -- measure how risk can impact a business and map the risk elements to regulations;
- Form a committee to embrace BYOD and understand the risks -- include business stakeholders, IT stakeholders, and information security stakeholders;
- Decide how to enforce policies for any and all devices connecting to your network -- include mobile devices, tablets and portable computers;
- Build a project plan -- include remote device management, application control, policy compliance and audit report, data and device encryption, augmenting cloud storage security, wiping devices when they are retired, revoking access to devices when the end-user relationship changes from employee to guest and revoking access to devices when employees are terminated by the company;
- Evaluate solutions -- consider the impact on your existing network and how to enhance existing technologies prior to the next step;
- Implement solutions -- develop a pilot group from each of the stakeholders' departments. Then expand the pilot group to other departments based on your organizational criteria. Finally, open the BYOD program to all employees;
- Periodically reassess solutions -- invite vendors and trusted advisors to review roadmaps entering your next assessment period.