Attack Path Analysis
The borders between work environment and private life appear to disappear before our very eyes. The strict division of private, business and public life is basically impossible to maintain. This tendency does not come without consequences.
Smartphones, tablets, netbooks and notebooks are increasingly present in our everyday lives. This tempts people to use all of these devices for both personal and professional matters, an effect that experts call IT consumerisation. Using privately owned mobile end-user devices (henceforth called smart devices) and gadgets in a business environment can pose serious risks to business confidentiality as well as to the user's own privacy. In addition, employees can unwittingly violate the data protection regulations that apply in a corporate environment.
The main motives for the use of smart devices by employees are comfort, mobility, flexibility, productivity and convenience, as seen when working outside the office. In addition, the younger generation expects equipment and technology to be wherever they are. Not being able to rely on the many features of a smart device during office hours appears unacceptable to them.
But: When do office hours end if the division between work and leisure has disappeared? Without the limit of time, the creed appears to be that the same thing that provides advantages, efficiency, mobility, fun and distraction in our private lives also provides use in a business environment.
Despite the many apparent advantages, the invasion of smart devices in a corporate environment can be problematic due to the fact that these are consumer devices and therefore not manufactured to be used in said environment. They often lack basic security features such as access restriction, encryption or virus protection. In addition to that, the devices have open, unsecured interfaces to social media providers as well as public cloud and collaboration services and private mail accounts. The applications – usually referred to as apps – are not tested for corporate use. Using certain apps runs the risk of transferring data to third parties.
This leads to an uncontrollable risk.
Regardless of which concept for integrating smart devices we are talking about, they are all variants of the same basic schemes:
In order to better understand the melding of the formerly strictly divided spheres of leisure and business, we can look at the technological as well as cultural development.
| Single device type | Multiple device types |
|---|---|
| Fixed, stationary workspace (Desktop PC) | Mobile and Home Office |
| LAN access | Multiple access points (LAN, Wi-Fi, VPN, mobile data Internet: EDGE, GPRS, UMTS, LTE, etc.) |
| Company-provided | Mix of BYOD, COPE, CYOD and company-provided |
| On premise, in-house engineered solutions | Software as a Service (SaaS) consumption, on- and off premise |
| Company | Employee / User |
|---|---|
| Wants to be an attractive employer | Wants the newest devices |
| Wants to increase flexibility and mobility of employees | Wants to be mobile, use a home office or perform work tasks during a commute |
| Considers risks in mobile technology | Wants to be able to work at any time |
| Looks for reasonably cheap solutions (TCO) | Wants quick and mobile access to corporate data and resources |
| Necessity dictates division into user groups | Access regardless of device or physical location (coherence) |
| Looks for solutions to business problems; these solutions might not be compatible with the needs of employees' private use cases | Cost efficiency (personal perspective when the device is being paid for by the user) |
Influences on the Use of Mobile Devices in a Corporate Environment

| Technology | Compliance, Laws and Regulations |
|---|---|
| High speed of innovation | Stricter laws and regulations |
| High rhythm of innovation | New standards and best practices (cyber security) |
| Innovation occurs in waves | Raised awareness (cybercrime in the media, sensitive data, personal data) |
| Is adopted by employees much earlier than the company adopts it | Federal Act on Data Protection |
| | Regulators of all kinds, such as FINMA at banks |
Efficient security measures must therefore go well beyond keeping related areas of technology in sync, such as versioning of operating systems and apps, support, device management, public and private networks, and virtualization. They require the comprehensive inclusion of technological, legal, conceptual and societal factors.
Regulatory measures, laws, standards and checks of current risk management strategies are also a requirement.
That the privacy of employees must be protected is also something that cannot be overlooked. Getting this wrong, however, can easily cause collateral damage: mishandling personal employee data and violating their privacy can lead to unpredictable reputational damage once this data becomes publicly available.
Relatedly, it is worth mentioning that the intended increase in the availability of employees even after they have left the corporate premises, which is supposed to bring great advantages in mobility and flexibility, can lead to violations of employee rights. Business-related enquiries outside of the employee's designated working time can be perceived as an unwelcome source of stress.
Security measures can be approached in any number of ways. One is to categorize employees by the sensitivity of the data they access with their smart devices.
Based on these basic categories, we can define a set of general, rudimentary measures that apply to both categories.
For more specific protective measures for both user types, further distinctions can be made depending on whether an employee gets read-only data access or data storage access on their smart devices:
Depending on that decision, controls with different specifications and protection levels are to be put in place. Because listing them all would make this article almost endless, I will give you some food for thought in form of an incomplete list:
Again, privacy of employees must be maintained in a structured, planned way. If IT support has access to the device during a support case, support will also have access to personal data.
In order to compile a risk management strategy, there needs to be a method that explains how to deal with risks on smart devices in the corporate environment. The approach using a risk matrix appears to make the most sense.
One axis lists the exposure criteria, such as possible implications; these are the corporate requirements. The other axis lists the impact the information itself can have. Confronting the two yields the potential risk.
Rudimentary and general corporate requirements themselves can be divided into two short questionnaires that serve as an indicator for the likelihood of an incident.
| Device and Functionality Properties | | |
|---|---|---|
| Privately Owned Device | Yes | No |
| Other (e.g. Cross Border) | Yes | No |

| Third Party Access | | | |
|---|---|---|---|
| Likelihood of Theft | High | Medium | Low |
| Likelihood of Accidental Loss | High | Medium | Low |
| Likelihood of Malware Infection | High | Medium | Low |
Based on this, we can assess the Likelihood.
The potential damage describes the risk that information itself can have for corporate interests, be they internal or external.
| Potential Damage Classification | | | | |
|---|---|---|---|---|
| Impact on Reputation | None | Low | Medium | High |
| Other (e.g. CID) | None | Low | Medium | High |
Based on this, we can assess the Information Risk.
Assessed Information Risk: Medium
Combining the Corporate Risk and the Information Risk, we can use this matrix to visualize the classifications.
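The two questionnaires and the matrix above can be turned into a small, repeatable assessment. The following is an added example and not code from the article or its author: the criteria names follow the article's tables, but the numeric scale, the rule that each "Yes" on the device properties raises the likelihood by one step, the "highest single impact wins" rule for the information side, and the conventional likelihood x impact product used to combine the two axes are all assumptions chosen for illustration. It also renders the full matrix so the classifications can be visualized as the article suggests.

```python
"""Risk matrix for privately owned smart devices in a corporate environment.

Added example, not from the article. The criteria follow the article's
questionnaires (device and functionality properties, third-party access,
potential damage). The numeric scores, the step-up rule for privately owned
or cross-border devices, and the likelihood x impact combination are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Ordinal scale shared by both questionnaires (assumed mapping).
LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}


def _level(value: str, allowed: tuple) -> int:
    """Validate a questionnaire answer and return its ordinal score."""
    v = value.strip().lower()
    if v not in allowed:
        raise ValueError(f"{value!r} not in {allowed}")
    return LEVEL[v]


@dataclass(frozen=True)
class DeviceProfile:
    """Answers to the 'Device and Functionality Properties' questionnaire."""
    privately_owned: bool      # Yes / No
    cross_border: bool         # 'Other (e.g. Cross Border)': Yes / No
    theft: str                 # Likelihood of Theft: high / medium / low
    accidental_loss: str       # Likelihood of Accidental Loss
    malware_infection: str     # Likelihood of Malware Infection


@dataclass(frozen=True)
class InformationProfile:
    """Answers to the 'Potential Damage Classification' questionnaire."""
    reputation_impact: str     # Impact on Reputation: none / low / medium / high
    other_impact: str          # Other (e.g. CID, as in the article's table)


def likelihood(device: DeviceProfile) -> str:
    """Corporate side of the matrix: how likely is an incident?

    Assumption: the worst of the three third-party-access likelihoods sets the
    base, and each 'Yes' on the device properties raises it one step (capped).
    """
    three = ("low", "medium", "high")
    score = max(_level(device.theft, three),
                _level(device.accidental_loss, three),
                _level(device.malware_infection, three))
    score += int(device.privately_owned) + int(device.cross_border)
    return NAME[min(score, LEVEL["high"])]


def information_risk(info: InformationProfile) -> str:
    """Information side of the matrix: how bad is exposure of the data?

    Assumption: the highest single impact classification wins.
    """
    four = ("none", "low", "medium", "high")
    score = max(_level(info.reputation_impact, four),
                _level(info.other_impact, four))
    return NAME[score]


def overall_risk(likelihood_level: str, information_level: str) -> str:
    """Combine both axes with a conventional likelihood x impact product."""
    product = LEVEL[likelihood_level] * LEVEL[information_level]
    if product == 0:
        return "none"
    if product <= 2:
        return "low"
    if product <= 4:
        return "medium"
    return "high"


def assess(device: DeviceProfile, info: InformationProfile) -> dict:
    """Run the full assessment and return all three classifications."""
    lik = likelihood(device)
    inf = information_risk(info)
    return {"likelihood": lik, "information_risk": inf,
            "overall_risk": overall_risk(lik, inf)}


def render_matrix() -> str:
    """Text rendering of the full likelihood x information-risk matrix."""
    cols = ["none", "low", "medium", "high"]
    rows = ["low", "medium", "high"]
    lines = ["likelihood \\ info  " + "  ".join(f"{c:>7}" for c in cols)]
    for r in rows:
        cells = "  ".join(f"{overall_risk(r, c):>7}" for c in cols)
        lines.append(f"{r:<18} {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a privately owned tablet used while travelling,
    # holding client data whose exposure would hurt reputation.
    byod_traveller = DeviceProfile(True, True, "medium", "high", "medium")
    client_data = InformationProfile("medium", "high")
    print(assess(byod_traveller, client_data))
    print(render_matrix())
```

Because the scoring rules are separate functions, an organisation can swap in its own mapping (for example weighting malware infection higher than theft) without touching the matrix rendering or the combination step.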
From a corporate point of view, all employees can cause extensive damage with their personally owned smart devices in a corporate environment. Smartphones, tablets and other smart devices can compromise business data, client data and the personal data of employees. And as we all know, this has happened repeatedly. Disregarding this clear and present danger is undoubtedly going to lead to huge risks.
In order to find and successfully exploit the advantages of privately owned devices in a corporate world there needs to be a solid strategy that includes technological, legal, cultural and societal aspects and trends. And, of course, an intelligent balance between freedom of employees to use whatever smart device they see fit in a corporate environment and limitations in order to protect business and personal interests.
From an employee point of view the blending of private and business life seems to be full of advantages at first glance. It appears as if using privately owned devices expands personal freedom into their users’ business environment. However, the opposite can be the case. In a globalized, largely digitalized economy where borders between private life and business disappear, personal data is a considerable resource that can lead to extremely lucrative business. Therefore, employees should be made aware of the fact that they should keep their private lives private. Sadly, the trend goes in the opposite direction.
As we can see in the media, emphasis is placed on problems with data protection and the protection of privacy. At the same time, hopes for simple and quick solutions of a technological, societal or legal nature, such as Privacy by Design, vanish into thin air. Even though the discussion about mass surveillance by secret services rages everywhere, along with the subjects of data protection and the steady mixing of private, public and business life, many feel as if they are unaffected by this.
This indifference regarding privacy seems highly problematic to me.