It never fails…Every day, workers use the same laptop in the office used at home. Others bring their phones and connect to company Wi-Fi. While it may seem innocuous, this habit can cause profound issues to the corporate network – and have dangerous consequences for startups.
To properly mitigate this threat, it’s critical to assess the vulnerabilities. Once a device has left the office, the company has very little control over security. So, having a solid IT policy and damage limitation strategy in place is a must - even for startups with very few staff.
The main concerns with remote employees and Bring Your Own Devices (BYOD) are several:
- Physical theft - Company or customer information stored on a misplaced or stolen device is a big problem, and can be extremely expensive to recover.
- Malware - You must rely on users to keep devices free of malware and viruses that can cause massive information breaches or system failure.
- Data interception - Most people don’t encrypt information sent to colleagues. If sent from a compromised device, it can possibly be intercepted by an attacker. Many also have GPS enabled, meaning devices can be tracked around the world.
- Insider threats - A disgruntled employee could deliberately bring something malicious onto the corporate network.
The risks are real. And once an attacker breaches corporate defenses, it’s already too late. Many problems arise when security is thought of as an additional feature, rather than an integral part of development. As any IT security professional will tell you: Security MUST be baked in, not sprayed on.
Some of the most dangerous security threats startups face are caused by staff not following correct policies and procedures. This can have extremely damaging and long-lasting implications:
- Confidentiality breach and loss of PII - If personally identifiable information (PII) is stolen, the company could be legally liable and may have to be publicly announced, causing loss of confidence.
- Eavesdropping - Private communications can be intercepted through the microphone of a compromised device, or data sent through an unsecured network. Side note: If you’re still using fax…stop right now! Fax information is transmitted in plain text, can be intercepted easily, and receivers have no way of authenticating who sent it.
- Denial of service (DOS) – This attack can stop your network from functioning properly, causing lost time and unhappy customers.
- Worms - A single device infected with a worm can damage an entire network with a self-replicating virus that spreads through connected devices, or even email contacts.
So what can you do to avoid issues like this from ever happening?
It should go without saying that any data stored on the company premises should be encrypted at all times when at rest - and the same goes when selecting cloud storage. But simply protecting resting data doesn’t cut it when employees bring personal devices to the office or take work laptops home.
Here are six security “must follow” policies if you allow BYOD:
Enforce Authentication that Utilizes Digital Certificates
Strong authentication solutions utilize Digital Certificates for convenient and secure certificate-based and token-based two-factor authentication for protection of enterprise networks, data, and applications. These include: Domain Controller Servers, Machine Certificates, Mobile Devices, Smart Card Logon, Cloud Services, USB Tokens (approved, see below), VPNs, Gateways, and WiFi Networks.
Turn off Bluetooth
Bluetooth is intrinsically insecure. Encourage staff to keep it turned off at all times other than when temporarily in-use.
But why is Bluetooth so vulnerable?
The most dangerous aspect of Bluetooth is it’s very easy to switch on and connect devices, such as a wireless speaker. Unfortunately, many users forget to switch it off. This leaves devices as a constant security risk. Even when staff are using Bluetooth headphones to and from the office, this open connection provides hackers ample opportunity to perform the following attacks:
- Bluejacking – Attackers send messages to the device over Bluetooth. This has been used for guerilla advertising in highly populated areas. The danger comes when attackers inserts a malicious link into the message, which can further compromise the device once clicked.
- Bluesnarfing - An attacker gains access to information stored on a device using Bluetooth. Stolen data can include contact lists, SMS and call data, email, and media and files. Attackers can steal easily steal company documents stored on phones - and nobody would know until it’s too late.
- Bluebugging - An attacker gains access to the phone at a higher level than Bluesnarfing – potentially gaining control of the entire phone, using it to send messages, make calls, eavesdropping, and tracking the device using GSM. Once compromised, it can be subjected to further attacks, even when Bluetooth is switched off.
Encourage Strong Passwords
Everyone should be using strong passwords. That doesn’t mean the name of their pet with a couple of letters substituted for numbers. It means a string of characters algorithmically difficult to crack.
By using a password manager, strong codes can be generated and stored with encryption. For company use, access to these passwords can be shared between users without sharing the password itself. Users must have a master password to log in. These passwords must also be strong, but not impossible to remember.
Discourage (strongly) Jailbreaking or Rooting of Devices
This one is hard to police, but extremely important for protecting the integrity of office networks. “Jailbreaking” and “Rooting” are terms for similar things - removing software limitations of a device’s operating systems to access otherwise restricted features of the device.
Jailbreaking takes place on iOS devices, and allows installation of software that Apple doesn’t allow. Rooting takes place on Android, enabling a far higher level of access to the device’s hardware than when running regular Android. A rooted Android device has access to basically every aspect of the operating system
Rooting unlocks many advanced functions on Android devices, which can leave it exposed to attacks. If a malicious app or hacker gains root access to a device, it’s entirely in their hands. They can perform any operation on the phone - from listening through the microphone and accessing the internet connection to logging into apps through the user’s account.
You don’t want this happening to a device in the office. A failsafe solution is to ban any rooted or jailbroken devices from the office altogether. If it’s absolutely necessary to use rooted devices, ensure there’s a solid system of regular checks in place.
Encrypt the office internet connection
Large offices will generally have an IT team and enterprise level routers, but startups might only use the ISP provided router - with basic security and no encryption of internet traffic.
Governments, ISPs, and even some internet services, have been known to track users’ online activities - and it can’t be assumed the same doesn’t happen to small businesses. What’s more, someone bringing an infected device onto the network could allow hackers to intercept and even modify internet traffic.
For startups with less than 25 employees, a privacy-focused router can be used to encrypt all data transmitted through the network by using a VPN on the router itself. VPNs can cause a slightly slower internet connection than normal, but with a high quality router, this should be minimal.
Enforce a download and antivirus policy
Malware can easily be brought into the office by software downloaded at home. But there are other ways machines can be infected. It’s just not realistic to block all downloads over the office network, but you can tell all staff they shouldn’t download anything without first checking with those in charge of IT policies.
Popular TV series are increasingly being targeted by hackers who inject malware into the file that is then shared across P2P networks via BitTorrent. Torrenting of copyrighted material is illegal in most places, but that doesn’t stop millions of people downloading the latest series of Game of Thrones rather than wait for it to be shown on HBO.
Stopping these downloads in the office will only go half way towards protecting the network. If a machine is compromised at home, risk spreads to the entire network once connected to office WiFi. All employees must use quality and up-to-date anti-virus on devices, ensuring they’re regularly scanned. Individual downloads should also be scanned before opened.
Ban flash drives
Thumb drives are small, convenient, and insecure, but one of the biggest worries is they’re rarely encrypted and easily misplaced. In a business context, this could mean an employee leaves it somewhere, such as a coffee shop, and it’s picked up by someone who can use the data for nefarious activities. This has happened many times in small and large businesses, and even in government. A notable example is a UK government contractor losing a memory stick containing information on every prisoner in England and Wales.
And that’s just if someone loses the drive.
Another serious issues is a USB stick containing malware and connected to a network device. This can cause malware to spread quickly across every device on the network. In fact, the biggest breach in US military history happened when an infected thumb drive was connected to a computer, and malware breached classified information - potentially delivering operational plans, personnel data, and military secrets to the enemy.
An Ounce of Prevention
The philosophy for small business is this: Prevention is easier than a cure. Taking preventative measures to protect the network can save your business from potentially disastrous consequences.
If staff bring their own devices to work, or take company laptops home, make sure you set clear rules regarding their use - and that each employee understands their responsibilities.
Resource Link:
To explore more on the challenging cybersecurity landscape – and how you’re business can stay safe, read more:
Digital Certificates for Strong Authentication
https://www.globalsign.com/en/company/blog/articles/what-is-ransomware/
https://www.globalsign.com/en/company/blog/articles/5-signs-your-network-has-been-hacked/