How CSOs can conquer the security issues created by the Bring Your Own Device trend

VASCO is a world leader in strong authentication and e-signature solutions, specializing in online accounts, identities and transactions. As a global software company, VASCO serves a customer base of approximately 10,000 companies in over 100 countries, including more than 1,700 international financial institutions. In addition to the financial sector, VASCO's award winning technologies secure sensitive information and transactions for the enterprise security, e-commerce and e-government industries.

Info Security PG: What is fueling the BYOD trend?

T. Kendall Hunt: Boundaries between private and professional lives are blurring, moving and changing. On one hand, employees are willing to conduct professional tasks during private time and ambitious enough to work on a personal career path and live up to it. On the other hand, they are not willing to compromise on a well-balanced work-life ratio. When working remotely, today’s ‘always on’ worker expects connectivity at home and on the road, even from the other side of the world, via the device they have to hand.

Typically, employees personally own more sophisticated smart devices than their employers can or want to offer. For the average person, this means that their smart device is now an essential utility for organizing agendas, retrieving information, watching movies, listening to music, taking pictures, finding locations or staying in touch. Therefore, ease-of-use is a very important feature when purchasing a smart device. With a predicted 3.3 smart devices per knowledge worker by 2014, employees will start choosing the most convenient device for the task at hand.

Not only are smart devices perceived as essential in daily life and thus worth the (private) investment, a smart device has also become a fashion accessory. End users are not only selecting devices based on their technical features, but also on brand, color, and shape. In today’s digital age, when it comes to social status, smart devices are the new cars. Working with a privately chosen smart device gives the user a higher satisfaction, creating the feeling of goodwill that encourages a flexible working environment.

Info Security PG: Is there a productivity connection between employees and the BYOD trend?

T. Kendall Hunt: Yes, there is a direct connection between productivity and allowing an employee to use their own device to access vital corporate resources. However, Bring Your Own Device is about more than employees wanting to use their own devices to log on to the corporate network in order to access company-critical information at any given time from any place. Companies often work with freelance consultants and business partners who need to access the corporate network in order to be productive. Secure access to business critical assets is thus not only limited to employees, but must also be extended to authorized third parties.

Info Security PG: Is there a cost associated with the BYOD trend?  

T. Kendall Hunt: Allowing mobile devices to access corporate networks and applications imparts significant opportunities to increase the effectiveness of mobile workers, but there are also major concerns. The privacy of sensitive corporate data on the devices is at stake. A range of factors has an impact on the data security: insecure web browsers, unprotected Wi-Fi connectivity, devices containing malware, a lack of security software use or the loss of mobile devices. The lack of employee awareness is yet considered to be the greatest pitfall for security on mobile devices and thus for the security of corporate data.

Successfully embracing the BYOD dynamic means a gigantic security shift both for employers and employees. One user chooses many types of (mostly static) passwords to access multiple accounts from multiple devices. IT administrators manage different networks and applications that need to be accessible by all kinds of mobile devices, each with their own operating system and security measures. It is impossible to reduce devices or eliminate networks or applications. This means that both parties have challenges ahead.

Increasingly, a lot of devices that are connected to the network are unknown to IT administrators. Tablets, phones, personal notebooks, e-books and other connected smart devices are not managed by these administrators. They run on a wide scale of different operating systems, ranging from very old to the newest beta version. And herein lies a major problem: since the devices are not the property of the organization, intrusive security software installation cannot be demanded by the IT department. Furthermore, users often have several (static) passwords to access multiple accounts from multiple devices. Security challenges are huge and keeping a structured overview of all devices and users is impossible, even though an impregnable security model is indispensable and desirable.

Info Security PG: Do you think this security weakness can be turned into an opportunity? What should CSOs do to tackle this challenge?

T. Kendall Hunt: BYOD may look like a trip into a world of security weaknesses, but it can be turned into an opportunity. Employees can be empowered to take security in their own hands. As device ownership shifts to the employee, so does the burden of protecting it. The IT department can address BYOD security by providing detailed security requirements for each type of personal device that is connected to the corporate network. Security policies define the device requirements with regards to providing access.

By establishing a mobile device security program, challenges can be countered. In the short term, IT’s best strategy to address these challenges is with a combination of regularly updated and enforced policy, software, infrastructure controls and education. Strong collaboration with other departments is necessary to avoid a difficult BYOD roll-out. For example, policies should be developed in conjunction with HR and Legal, to offer an answer to tax, corporate liability, labor and privacy implications. In the longer term, application management and appropriate cloud services are necessary to tackle other BYOD challenges.

The critical technologies to consider in order to guarantee secure BYOD implementation are strong isolation methods, mobile application management, encryption and containerization and management of content and delivery mechanisms. The management and maintenance of the personal applications and data are still the employee’s responsibility, though mobile device security training will help to alert employees and ensure that their mobile devices are configured, operated and used in a secure manner.

Info Security PG: Do you think password management plays a role in securing devices?

T. Kendall Hunt: Definitely, password management plays a significant role in securing devices. For example, an extra level of security can be obtained with user authentication. With the implementation of a secure authentication method, IT administrators control who accesses the corporate network and applications. But password management can be a stumbling block for employees and IT departments alike. Offering support for password management requires resources and can be a time-consuming and costly affair.

The most ubiquitous and easy-to-use secure authentication method used today is two-factor authentication generating one-time passwords (OTPs). This assumes that two elements are needed to log in securely: e.g. something you have (such as a DIGIPASS that generates one-time passwords) and something you know (such as a PIN code or a static password). When these two factors are combined with one another, the person linked to the authentication device can get safe access to the corporate applications. It is meaningless to intercept one-time passwords, as they cannot be used more than once and only last for a limited number of seconds.

Info Security PG: There are many strong authentication solutions available. Why should CSOs select DIGIPASS to secure their organizations? 

T. Kendall Hunt: With its DIGIPASS, VASCO offers a strong authentication solution to conveniently secure access to password protected content. IT needs to implement this extra level of security to the access log-on procedure to bar intruders from confidential corporate data. To be granted access, companies can deploy a mobile authentication solution, such as DIGIPASS for Mobile. Users need to generate an OTP, by downloading a mobile client on their device. Once the authentication is successful, users will be granted access to the corporate data. As long as users are logged in, they can make use of the corporate network.

The convenience is not only for the users, but also for the IT department. The step-by-step approach eases the integration in the corporate network. The integration is straightforward and simple. Different tools are available to assist with the integration.  

Info Security PG: In addition to implementing strong authentication, do you have any additional recommendations for organizations who want to secure access to their organization's mission-critical assets?

T. Kendall Hunt: BYOD is a user-driven wave companies can’t ignore. Despite indisputable and challenging cons - both for employees and for employers - the pros are currently winning the battle. A corporation that is willing to adopt a BYOD policy will certainly save on high-priced devices and will take advantage of the newer and faster technology on employee-owned devices. But more important is that employees will be able to decide on the technology they want to use for work. This improves employee satisfaction and helps in attracting and retaining staff.

In order to face the challenges coming along with the BYOD trend, a company needs to set up a complete BYOD policy, covering all aspects of this trend. All company departments, regions and levels need to be involved to avoid financial, technical or cultural surprises and meet unexpected IT and security issues. Authentication is key to preventing fraudsters from gaining access to company-critical information. The DIGIPASS technology is a convenient way to provide secure authentication for own-device-users and others.

Company: VASCO
1901 South Meyers Road, Suite 210, Oakbrook Terrace, Chicago, IL 60181 U.S.A.

Founded in: 1991
Founder, Chairman of the Board and Chief Executive Officer: T. Kendall Hunt
Public or Private: Public
Head Office in Country: United States
Products: Strong authentication and e-signature solutions 

Company's Goals: To authenticate the world. VASCO is committed to providing financial institutions with an array of authentication solutions and services at the lowest total cost of ownership. In addition to the financial sector, VASCO technologies secure sensitive information and transactions for the enterprise security, e-commerce, and e-government industries, and we are constantly enhancing our current offerings in order to better meet the specific needs of our customers within those markets.