Over the past five years, the phrase “bring your own device” has caused little more than heartache for those charged with maintaining connectivity, data security, and access control across networks large and small. The explosive and pervasive growth of mobile devices on the backs of iOS and Android has forced work environments to adapt quickly to the challenge of personal devices impacting business security. In many cases, these same smartphones and tablets will end up containing organizational data and act as a weak point in otherwise sound network security and data loss prevention strategies.
What, then, can we gain from these plentiful small and feature-filled devices to add security back into the equation?
Never Forget to “Lock” Your Computer Again
While many consumers are using Bluetooth for wireless audio streaming, tracking fitness statistics, and typing with external keyboards, the smartphones and tablets people use could be acting as a security tether as well.
Utilizing third-party software such as “Bluetooth Unlock” or “handyLock”, mobile devices can be paired with computers to provide an easy method to ensure your computer isn’t unlocked while you’re away from your desk. Simply by walking out of Bluetooth range with your mobile device, your computer will detect your absence and lock your machine for you. In addition, many of these types of software will even unlock your machine for you when you come back into range.
If you or your employees often forget to lock the computer screen when walking away, you might want to deploy a piece of software that will give a new security feature to their existing mobile device. Better yet, because it may actually reduce time and frustration from their daily routine, users are likely to keep it enabled. After all, you probably don’t want to be the target of such actions as described by Troy Hunt in “40 inappropriate actions to take against an unlocked PC.”
Manage Password Complexity, the Convenient Way
In the ongoing struggle to maintain complex, unique, and lengthy passwords, the evolution of password managers from a Notepad document into full-fledged password lockers has provided end-users with a chance to be safe and stay sane. This process works great until you realize you’re without your primary computer and need to log in from a mobile device or someone else’s computer.
Many password managers, including “LastPass” and “1Password”, also support mobile devices. Through either cloud services or file syncing of data (à la Dropbox), password managers on mobile phones are easy to keep up to date and provide the needed accessibility of passwords on the go. Some mobile applications even support an in-app browser that makes entering a complex password a quicker operation by not having to jump between open applications.
Without the convenience of mobile-enabled password managers, this important security practice may be too cumbersome to be widely adopted. There can even be some additional benefits, like knowing how old your passwords are or even whether the site you’ve saved a password for was vulnerable to Heartbleed.
Strong Authentication Without the Extra Hardware
Over the past 30 years, hardware tokens have been an enduring signature of the corporate or government professional’s keychain. Luckily, over the past few years there’s been a distinct departure from this status quo, and now everyone has access to two-factor authentication across a variety of personal and professional services. BYOD means that your end users already have a powerful authentication mechanism on their person all day, every day.
Unlike hardware tokens that typically only attach to a single account or service, a single mobile device with an app can provide authentication capabilities for a user across many services and platforms. Through both open standards (e.g. TOTP, HOTP) as well as more feature-rich platforms, it’s trivial for users to authenticate to systems with two-factor on their mobile devices.
Let’s Take Advantage of What We Have in Our Grasp
For an organization, the ability for users to maintain strong passwords, log into two-factor enabled systems, and lock their computers when they walk away could prevent some of the most common and dangerous attacks that an environment can face. While managing BYOD has likely presented some tough challenges for the IT managers and technicians reading this article, it’s safe to say that you have a few capabilities at your users’ fingertips that may end up making BYOD seem worth it.
Just imagine the money your organization could save by preventing a breach via bad authentication or data that was stolen when someone abused a logged-in computer. Further, the costs associated with a hardware token rollout for two-factor versus leveraging the already purchased phones your users are carrying really could make a difference to your bottom line.
The next time your team is discussing BYOD and the next hurdle, perhaps discuss the methods noted here that will add value to these devices and provide real security to your organization. After all, these devices aren’t going anywhere so why not make the best of them?
Mark Stanislav is the security evangelist at Duo Security.