ICYMI: BYOD Security Management
iCorps IT Services
As a business, how should you tackle Bring-Your-Own-Device (BYOD) security management? Find out what the panel of experts from iCorps' ALA Lunch & Learn had to say in this video.
[Attendee Question] Let's say you're on-prem versus in the cloud and someone is working in the office, but then they go to their vacation home. They go on vacation, and they take a laptop to their house, and you're really—those are your weakest points, where you're—you know, they're not patched correctly or is what you're saying, you know they, you know—
[Lauren Looney - Datto] Or secure, just physically even.
[Attendee Question] Yeah, because sites can move themselves higher up based on, you know, positioning. So if you typed in "How to login to here," you get a fake site, you follow that, there's your in the cloud version, but ultimately it seems like there's so many more devices that you really need to manage.
[Jeffery Lauria - iCorps] You do, and you know, and on average, I think I've recently done this, the average person has seven devices. You know, between their phone, their laptop, you know, work computer, a few maybe at home. You do need a managed service, and you need to be aware. It's a very good point about patching. You know, there are really two conversations. You know patching and unpatched machines are about those exploits, are about taking advantages of the flaws in the code, right? And you do need to maintain those, and I would strongly recommend that you use a, you know—it's called a Mobile Device Management System. So if anything is touching your network, it's under some form of management so I can push-patch it there and make sure. I won't let you log onto the network if you're not patched, right? Those things, we can take care of.
So, you know, I think managing devices is very, very important in patching them. But also keeping in mind that if I have 10,000 devices or one device if I still use my username, and password incorrectly, it doesn't matter. So, more devices, sure, risk of—and this actually comes back to where Sophos does very well—is, you know, what happens when you lose that device? I've, you know—I'm guilty of this. I value my car. I left my laptop in the car. I've got my car back, and there's been no laptop. And you know I'm the guy saying lock it up, put it in the trunk, this is what you should do. I tell all the employees to put it in the trunk, lock it up, don't ever do that. Yeah, I don't practice what I preach apparently, but my laptop is encrypted. So great, I'm out $800-900 for the laptop, but my data is encrypted. So I think utilizing solutions from Sophos, utilizing solutions from Microsoft—your iPhone should be encrypted or your Android phone. So you just plan on losing it right? Because you're going to lose it. You're going to lose your iPad you're going to lose your iPhone, you're going to lose your computer. Just make sure they're encrypted. It's very important. So now the number of devices, you know, becomes less important, per se, it's just—plan on losing your device and how you can protect that.
[Justin Walker - Sophos] Yeah, the expensive part of the loss is the data that's on there, more than the laptop itself or the phone. You know, a couple hundred, a couple thousand bucks for a really good laptop is pennies in comparison to a data breach, and the damage to the brand, and the things that go along with that. There's a really staggering number from a mobile-loss perspective. So I don't know, somebody in the room I'm sure has left their phone in a car, or at a restaurant. 200,000 phones are left in London taxis alone every year, just in, you know, in proper London. Forget the rest of the world we're talking almost a quarter-million phones that are lost in taxis. So it's just kind of staggering. If you have sensitive data out there, you've got to put restrictions on where it can be, what devices can people access that data from, because it is all too easy to lose a laptop or phone.
[Jeffery Lauria - iCorps] Think about this. Most state reporting laws, most, not all, if the data's encrypted, and the keys aren't compromised, then it's not an event. So it is—you know, you using encrypting is very important as well. So make sure your mobile devices, whatever they are, are encrypted.
[Lauren Looney - Datto] But it's important to think too—what's interesting is there's a story that came out last year about a casino in Vegas. They were actually hacked, it's crazy, but through their fish tank. Yeah, and so it wasn't on the news a lot probably because it was such a big deal, but what the hackers did was their [the casinos] firewall just happened to be on literally the wrong side and they were able to access their firewall through their smart thermometer that was attached to this huge fish tank that they had in their casino. And they were able to then—this is a huge, this isn't like—not that it doesn't matter, this was a big casino—they were able to get every high-rollers information in that casino and take it with them. And you know, it kind of goes back to the question earlier, once they have it do we know? I mean maybe we can find out, but at that point, they got it, you know, took it through the server, up the cloud it went, it's gone. Right? It's in the dark web somewhere, and somebody had a really good day that day.
[Jeffery Lauria - iCorps] You know, the funny part here is a lot of these breaches you see are just because people didn't use best practices. So the fish cam should have been on an isolated network, it's as easy as that.
[Chris Stephenson - Moderator] Everyone knows that about fish cams!
[Justin Walker - Sophos] Mine is, it's on a completely separate network!
[Jeffery Lauria - iCorps] But if you think about this, even at home, these are these IoT devices that we're talking about right? The Internet of Things. So it's my Nest thermometer. It's my security cameras. It's all those things. It's your refrigerator. I can look in and see if I need milk. All of those things, they're all on your network, alright. And they're all very exploitable. As a matter of fact to a point where it's so bad that it's actually an industry issue where they're looking at some regulations about how to solve this. Once you buy that refrigerator that, you know, has a camera in it or you buy the smart tv, no one patches it, it doesn't necessarily ever get updated, and that sits on the network. There are websites dedicated to go in, and "I want to see all of the webcams that are using the following usernames and passwords." Well, there you go. And there's whole websites you can now see and get on the NannyCam, right? We've heard of the NannyCam problems, right? So these—it's a lot of best practices that we just don't do. Separating the IoT devices from production network, alright? But first, change your passwords, no basic passwords is important. So I think leveraging that common sense too, it's difficult, it may take a little work to do, but it pays off.
iCorps Video Library