As you evaluate your company’s bring-your-own-device (BYOD) program, you will notice that risk management and BYOD security are intimately connected. In today’s environment of global communication and commerce, risk management is essential for reducing technology-related threats. The process of assessing threats to your company can be completed in two steps. First, you must identify known threats and vulnerabilities that exist industry-wide. Next, you must identify threats and issues that are unique to your business operations. Once you know what you are facing, the following nine steps can help you develop an effective security solution to combat each threat.
Nine Steps to Effective BYOD Risk Management
This nine-step process for developing an effective BYOD risk management and IT security program will help you analyze risk on both an industry-wide and intra-company level. From here, you will have all the data you need to develop an effective and enforceable BYOD security solution.
1. Create an IT Risk Management Procedure: Rather than start from scratch, take your existing risk management procedure and incorporate additional protocols to conduct an annual overview of IT-related risk management issues. Include processes for as-needed risk evaluation when new technology is implemented or business and IT processes are altered.
2. Identify Threats and Educate Employees: Threats can come from technology, people and processes. People-centric threat assessment should factor in risk from hackers, employees, vendors, competitors and customers. Technology-centric threat assessment must consider BYOD and BYOC programs, misuse or loss of corporate technology, malicious hacking/phishing and malware/viruses. FEMA (Federal Emergency Management Agency) suggests that you should also factor in environmental issues such as disruption of IT service due to weather or acts of God.
3. Secure the Threat Landscape: Next, you begin to build a foundation for threat resistance with the installation and implementation of anti-malware software and tools.
4. Identify and Address Vulnerabilities: Beyond common threats like malware, you now begin to evaluate vulnerabilities specific to your company and business operations. Addressing these vulnerabilities should include regular scans of your entire IT infrastructure, including servers, devices, software, applications and support devices (printers, scanners).
5. Begin Security Monitoring: Your security monitoring procedures should include both internal monitoring and any mandated monitoring (from regulatory or government agencies). It is helpful to think of security monitoring as the security overseer that assesses the effectiveness of every part of your IT security system, from malware detection software to MDM (mobile device management) monitoring.
6. Institute Reporting and Response Processes: Even the tightest IT security systems will occasionally fall prey to common issues such as device loss or theft. When these incidents occur, employees must know how to respond immediately. Your reporting and response process should include dedicated staff who are on call to handle sensitive security breaches without delay.
7. Dialogue and Adjust: As you roll out your IT risk management and security systems, continual dialogue and feedback will help you make important adjustments. Be sure employees have the opportunity to offer ideas and suggestions. Also, consider scheduling IT-related risk assessments frequently in the early stages of program rollout.
8. Revise and Refresh: As you dialogue and adjust your processes, it may become apparent that you also need to revise and/or refresh your technology, including threat detection and antivirus software. All employees who participate in company-wide BYOD programs should install and update security software for each device used for company business.
9. Consider Advanced Security Systems: Depending on the industry your company operates in, your risk of being targeted for security breaches may be higher or lower. If you determine that your operations are at high risk for APTs (advanced persistent threats), also consider installing advanced security systems to combat these rarer, targeted risks.
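Steps 4, 5, 6 and 8 above describe checks that a BYOD program needs to run repeatedly: is every device enrolled in MDM, does it carry security software with current definitions, is its OS still supported, and has a loss or theft been reported so the response process can be triggered. The following Python script is an added example (not from the article or from any Trend Micro product) showing how such a compliance assessment can be expressed as code. The policy thresholds, platform minimums, device inventory and the "as of" date are all constructed assumptions for illustration; a real deployment would pull the inventory from the MDM system and tune the thresholds to its own policy.

```python
"""Assess a BYOD device inventory against a simple security policy.

Added illustration of the monitoring, vulnerability and response steps;
every threshold and every device record below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed policy thresholds (illustrative, not taken from the article).
MAX_DEFINITION_AGE_DAYS = 7
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {
    "ios": (16, 0),
    "android": (13, 0),
    "windows": (10, 0),
}
# Fixed "today" so the assessment is reproducible.
AS_OF = date(2024, 6, 1)


@dataclass
class Device:
    owner: str
    platform: str                     # "ios", "android" or "windows"
    os_version: Tuple[int, int]
    mdm_enrolled: bool
    av_installed: bool
    av_definitions_date: Optional[date]
    reported_lost: bool = False


@dataclass
class Finding:
    owner: str
    severity: str                     # "high" or "medium"
    issue: str
    action: str


def assess_device(d: Device, as_of: date = AS_OF) -> List[Finding]:
    """Return the policy findings for one device (empty list = compliant)."""
    findings: List[Finding] = []
    # Step 6: a reported loss triggers the response process immediately.
    if d.reported_lost:
        findings.append(Finding(d.owner, "high", "device reported lost or stolen",
                                "remote lock/wipe via MDM and revoke the device's credentials"))
    # Step 5: MDM enrollment is what makes ongoing monitoring possible.
    if not d.mdm_enrolled:
        findings.append(Finding(d.owner, "high", "not enrolled in MDM",
                                "block corporate access until enrolled"))
    # Step 8: security software must be installed and kept current.
    if not d.av_installed:
        findings.append(Finding(d.owner, "high", "no security software installed",
                                "install approved security software"))
    elif (d.av_definitions_date is None
          or (as_of - d.av_definitions_date).days > MAX_DEFINITION_AGE_DAYS):
        findings.append(Finding(d.owner, "medium", "security definitions out of date",
                                "force a definition update"))
    # Step 4: an unsupported or outdated OS is a vulnerability in itself.
    minimum = MIN_OS_VERSION.get(d.platform)
    if minimum is None:
        findings.append(Finding(d.owner, "medium", f"unsupported platform '{d.platform}'",
                                "review platform for inclusion in the program"))
    elif d.os_version < minimum:
        findings.append(Finding(d.owner, "medium", "OS below minimum supported version",
                                "update the OS or retire the device"))
    return findings


def assess_fleet(devices: List[Device], as_of: date = AS_OF) -> dict:
    """Summarise findings across the fleet for the monitoring report."""
    report = {"devices": len(devices), "compliant": 0, "high": 0, "medium": 0,
              "findings": []}
    for d in devices:
        device_findings = assess_device(d, as_of)
        if not device_findings:
            report["compliant"] += 1
        for f in device_findings:
            report[f.severity] += 1
            report["findings"].append(f)
    return report


# Constructed sample inventory (not real devices or people).
SAMPLE_DEVICES = [
    Device("alice", "ios", (17, 2), True, True, date(2024, 5, 30)),
    Device("bob", "android", (12, 0), True, True, date(2024, 5, 1)),
    Device("carol", "windows", (10, 0), False, False, None),
    Device("dave", "ios", (17, 0), True, True, date(2024, 5, 31), reported_lost=True),
]

if __name__ == "__main__":
    summary = assess_fleet(SAMPLE_DEVICES)
    print(f"{summary['compliant']}/{summary['devices']} devices compliant, "
          f"{summary['high']} high and {summary['medium']} medium findings")
    for f in summary["findings"]:
        print(f"[{f.severity.upper()}] {f.owner}: {f.issue} -> {f.action}")
```

Run as a scheduled job, the summary line feeds the security monitoring described in step 5, while each high-severity finding is the trigger for the on-call staff in step 6. Keeping the thresholds as named constants makes the "revise and refresh" of step 8 a one-line change rather than a rewrite.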
When you evaluate internal and external threats, risks and vulnerabilities and follow this nine-step approach to secure your data, you will be well-prepared to effectively respond to risks that arise.
About the Author: Laura Malkri is a former IT manager. Currently, she works as a consumerization consultant specializing in BYOD risk management processes using Trend Micro products.